# ------------------------------------------------------------------------ # OWASP ModSecurity Core Rule Set ver.3.1.1 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ # # -= Paranoia Level 0 (empty) =- (apply unconditionally) # SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:921011,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" # # -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) # # # -=[ HTTP Request Smuggling ]=- # # [ Rule Logic ] # This rule looks for a CR/LF character in combination with a HTTP / WEBDAV method name. # This would point to an attempt to inject a 2nd request into the request, thus bypassing # tests carried out on the primary request. # # [ References ] # http://projects.webappsec.org/HTTP-Request-Smuggling # SecRule ARGS_NAMES|ARGS|XML:/* "@rx [\n\r]+(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+[^\s]+(?:\s+http|[\r\n])" \ "id:921110,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\ msg:'HTTP Request Smuggling Attack',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/REQUEST-SMUGGLING-%{MATCHED_VAR_NAME}=%{tx.0}'" # # -=[ HTTP Response Splitting ]=- # # [ Rule Logic ] # These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters. # These characters may cause problems if the data is returned in a respones header and # may be interpreted by an intermediary proxy server and treated as two separate # responses. # # [ References ] # http://projects.webappsec.org/HTTP-Response-Splitting # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\r\n]\W*?(?:content-(?:type|length)|set-cookie|location):" \ "id:921120,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:lowercase,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ msg:'HTTP Response Splitting Attack',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{MATCHED_VAR_NAME}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \ "id:921130,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ msg:'HTTP Response Splitting Attack',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{MATCHED_VAR_NAME}=%{tx.0}'" # # -=[ HTTP Header Injection ]=- # # [ Rule Logic ] # These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters, # on their own or in combination with header field names. # These characters may cause problems if the data is returned in a respones header # and interpreted by the client. # The rules are similar to rules defending against the HTTP Request Splitting and # Request Smuggling rules. # # [ References ] # https://en.wikipedia.org/wiki/HTTP_header_injection # SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \ "id:921140,\ phase:2,\ block,\ capture,\ t:none,t:htmlEntityDecode,t:lowercase,\ msg:'HTTP Header Injection Attack via headers',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'" # Detect newlines in argument names. # Checking for GET arguments has been moved to paranoia level 2 (921151) # in order to mitigate possible false positives. # SecRule ARGS_NAMES "@rx [\n\r]" \ "id:921150,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:htmlEntityDecode,\ msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'" SecRule ARGS_GET_NAMES|ARGS_GET "@rx (?:\n|\r)+(?:\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\s*:" \ "id:921160,\ phase:1,\ block,\ capture,\ t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\ msg:'HTTP Header Injection Attack via payload (CR/LF and header-name detected)',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" # # -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) # # Detect newlines in GET argument values. # These may point to a HTTP header injection attack, but can also sometimes # occur in benign query parameters. # # See also: rule 921140, 921150 # SecRule ARGS_GET "@rx [\n\r]" \ "id:921151,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:htmlEntityDecode,\ msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'paranoia-level/2',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" # # -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) # # # -=[ HTTP Parameter Polution ]=- # # [ Rule Logic ] # These rules look for multiple parameters with the same name. # 921170 counts the occurrences of the individual parameters. # 921180 checks if any counter is > 1. # # One HPP attack vector is to try evade signature filters by distributing the # attack payload across multiple parameters with the same name. # This works as many security devices only apply signatures to individual # parameter payloads, however the back-end web application may (in the case # of ASP.NET) consolidate all of the payloads into one thus making the # attack payload active. # # [ References ] # http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html # https://capec.mitre.org/data/definitions/460.html # SecRule ARGS_NAMES "@rx ." \ "id:921170,\ phase:2,\ pass,\ nolog,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'paranoia-level/3',\ tag:'CAPEC-460',\ ver:'OWASP_CRS/3.1.1',\ setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'" SecRule TX:/paramcounter_.*/ "@gt 1" \ "id:921180,\ phase:2,\ pass,\ msg:'HTTP Parameter Pollution (%{TX.1})',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'paranoia-level/3',\ tag:'CAPEC-460',\ ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ chain" SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \ "capture,\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HTTP_PARAMETER_POLLUTION-%{MATCHED_VAR_NAME}=%{tx.0}'" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" # # -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) # # # -= Paranoia Levels Finished =- # SecMarker "END-REQUEST-921-PROTOCOL-ATTACK"