Skip to content

refactor: create 941250 .ra file #4520

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
fzipi merged 1 commit into from
Mar 10, 2026
Merged

refactor: create 941250 .ra file #4520

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
71 changes: 71 additions & 0 deletions regex-assembly/941250.ra
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
##! Please refer to the documentation at
##! https://coreruleset.org/docs/development/regex_assembly/.

##! Rule 941250: IE XSS Filters - detects XSS via META http-equiv attribute.
##! Matches <META http-equiv="X"> where X starts with c (content-type),
##! r (refresh), or s (set-cookie), including HTML entity encoded variants.

##!+ i

##! HTML entity codes for 'c'/'C': 67=C dec, 43=C hex, 99=c dec, 63=c hex
##!> assemble
67
43
99
63
##!=< c-entity-codes
##!<

##! HTML entity codes for 'r'/'R': 82=R dec, 52=R hex, 114=r dec, 72=r hex
##!> assemble
82
52
114
72
##!=< r-entity-codes
##!<

##! HTML entity codes for 's'/'S': 83=S dec, 53=S hex, 115=s dec, 73=s hex
##!> assemble
83
53
115
73
##!=< s-entity-codes
##!<

##! Main pattern: <META http-equiv="[c|r|s]..."
##! Each letter (c, r, s) can appear literally or as an HTML entity
##!> assemble
<META[\s/+].*?http-equiv[\s/+]*=[\s/+]*["'`]?
##!=>
##!> assemble
##! Letter 'c' literal or as HTML entity
##!> assemble
c
##!> assemble
&#x?0*
##!=> c-entity-codes
;?
##!<
##!<
##! Letter 'r' literal or as HTML entity
##!> assemble
r
##!> assemble
&#x?0*
##!=> r-entity-codes
;?
##!<
##!<
##! Letter 's' literal or as HTML entity
##!> assemble
s
##!> assemble
&#x?0*
##!=> s-entity-codes
;?
##!<
##!<
##!<
##!<
7 changes: 6 additions & 1 deletion rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -467,7 +467,12 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|X
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i:<META[\s/+].*?http-equiv[\s/+]*=[\s/+]*[\"'`]?(?:(?:c|&#x?0*(?:67|43|99|63);?)|(?:r|&#x?0*(?:82|52|114|72);?)|(?:s|&#x?0*(?:83|53|115|73);?)))" \
# Regular expression generated from regex-assembly/941250.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 941250
#
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<META[\s\x0b\+/].*?http-equiv[\s\x0b\+/]*=[\s\x0b\+/]*[\"'`]?(?:[crs]|&#x?0*(?:6[37]|43|99|[578][23]|11[45]);?)" \
"id:941250,\
phase:2,\
block,\
Expand Down
Loading