Update coreruleset to version 3.3.5

Théophile Diot 2023-09-08 10:27:29 +02:00
parent c948e449a0
commit 2b5654ba3b
No known key found for this signature in database
GPG key ID: 248FEA4BAE400D06
212 changed files with 41963 additions and 47146 deletions


@ -14,44 +14,32 @@ on:
- '.github/**'
jobs:
# "modsec2-apache", "modsec3-apache", "modsec3-nginx"
regression:
runs-on: ubuntu-latest
strategy:
# change to true
fail-fast: false
matrix:
modsec_version: [modsec2-apache]
steps:
- name: "Checkout repo"
uses: actions/checkout@v2
- name: Set up Python 3
uses: actions/setup-python@v2
with:
python-version: '3.x'
- uses: actions/cache@v2
id: cache
with:
path: ~/.cache/pip
key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
restore-keys: |
${{ runner.os }}-pip-
uses: actions/checkout@v3
- name: "Install dependencies"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO_FTW_VERSION: '0.4.6'
run: |
pip install --upgrade setuptools wheel
pip install -r tests/regression/requirements.txt
pip install pytest-github-actions-annotate-failures
gh release download -R coreruleset/go-ftw v${GO_FTW_VERSION} -p "ftw_${GO_FTW_VERSION}_linux_amd64.tar.gz" -O - | tar -xzvf - ftw
- name: "Run tests for ${{ matrix.modsec_version }}"
run: |
mkdir -p tests/logs/${{ matrix.modsec_version }}/{nginx,apache2}
docker-compose -f ./tests/docker-compose.yml up -d "${{ matrix.modsec_version }}"
# Use mounted volume path
py.test -vs --tb=short tests/regression/CRS_Tests.py \
--config="${{ matrix.modsec_version }}" \
--ruledir_recurse=./tests/regression/tests/
docker-compose -f ./tests/docker-compose.yml logs
[ $(docker inspect ${{ matrix.modsec_version }} --format='{{.State.Running}}') = 'true' ]
./ftw check -d tests/regression/tests
./ftw run -d tests/regression/tests --show-failures-only
env:
FTW_LOGFILE: './tests/logs/modsec2-apache/error.log'
- name: "Change permissions if failed"
if: failure()
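Review bot: The new "Install dependencies" step pipes `gh release download ... -O - | tar -xzvf - ftw` straight into the workspace, and the following step executes `./ftw`, with no integrity check on the archive, so the job trusts whatever the `v${GO_FTW_VERSION}` release asset contains at run time. Downloading to a file and checking it against a digest recorded when the version was pinned would close that gap, e.g. `echo "<EXPECTED_SHA256>  ftw.tar.gz" | sha256sum -c -` before extracting, where `<EXPECTED_SHA256>` is a placeholder. The same section moves to `actions/checkout@v3`, which is a mutable tag; pinning the action to a full commit SHA gives the same guarantee for the checkout step. The `regression` job continues past the end of the hunk, so later steps are not covered by this note.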


@ -15,4 +15,6 @@ rules:
# don't bother me with this rule
indentation: disable
comments: {require-starting-space: false}
comments:
require-starting-space: true # default
min-spaces-from-content: 1

File diff suppressed because it is too large Load diff

File diff suppressed because it is too large Load diff


@ -1,35 +1,4 @@
# Security Policy
## Supported Versions
See policy here: https://github.com/coreruleset/coreruleset/blob/v4.0/dev/SECURITY.md
OWASP CRS has two types of releases, Major releases (3.0.0, 3.1.0, 3.2.0 etc.) and point releases (3.0.1, 3.0.2 etc.).
For more information see our [wiki](https://github.com/SpiderLabs/owasp-modsecurity-crs/wiki/Release-Policy).
The OWASP CRS officially supports the two point releases with security patching preceding the current major release .
We are happy to receive and merge PR's that address security issues in older versions of the project, but the team itself may choose not to fix these.
Along those lines, OWASP CRS team may not issue security notifications for unsupported software.
| Version | Supported |
| --------- | ------------------ |
| 3.3.x-dev | :white_check_mark: |
| 3.2.x | :white_check_mark: |
| 3.1.x | :white_check_mark: |
| 3.0.x | :x: |
## Reporting a Vulnerability
We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beginner and experienced users.
We welcome bug reports, false positive alert reports, evasions, usability issues, and suggestions for new detections.
Submit these types of non-vulnerability related issues via Github.
Please include your installed version and the relevant portions of your audit log.
False negative or common bypasses should [create an issue](https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/new) so they can be addressed.
Do this before submitting a vulnerability using our email:
1) Verify that you have the latest version of OWASP CRS.
2) Validate which Paranoia Level this bypass applies to. If it works in PL4, please send us an email.
3) If you detected anything that causes unexpected behavior of the engine via manipulation of existing CRS provided rules, please send it by email.
Our email is [security@coreruleset.org](mailto:security@coreruleset.org). You can send us encrypted email using [this key](https://coreruleset.org/security.asc), (fingerprint: `3600 6F0E 0BA1 6783 2158 8211 38EE ACA1 AB8A 6E72`).
We are happy to work with the community to provide CVE identifiers for any discovered security issues if requested.
If in doubt, feel free to reach out to us!


@ -1,10 +1,13 @@
## GOLD SPONSORS
* VMWare (Avi Networks)
* F5/NGINX
* Edgio
* Google
* Microsoft
* Nginx (Part of F5)
* United Security Providers
* VMWare
## SILVER SPONSORS
* Bug Bounty Switzerland
* Google Cloud Armor


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -863,7 +863,7 @@ SecCollectionTimeout 600
SecAction \
"id:900990,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.crs_setup_version=334"
nolog,\
setvar:tx.crs_setup_version=335"


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -26,7 +26,7 @@
#
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature
#
SecComponentSignature "OWASP_CRS/3.3.4"
SecComponentSignature "OWASP_CRS/3.3.5"
#
# -=[ Default setup values ]=-
@ -59,7 +59,7 @@ SecRule &TX:crs_setup_version "@eq 0" \
log,\
auditlog,\
msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL'"
@ -77,7 +77,7 @@ SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.inbound_anomaly_score_threshold=5'"
# Default Outbound Anomaly Threshold Level (rule 900110 in setup.conf)
@ -86,7 +86,7 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.outbound_anomaly_score_threshold=4'"
# Default Paranoia Level (rule 900000 in setup.conf)
@ -95,7 +95,7 @@ SecRule &TX:paranoia_level "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.paranoia_level=1'"
# Default Executing Paranoia Level (rule 900000 in setup.conf)
@ -104,7 +104,7 @@ SecRule &TX:executing_paranoia_level "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}'"
# Default Sampling Percentage (rule 900400 in setup.conf)
@ -113,7 +113,7 @@ SecRule &TX:sampling_percentage "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.sampling_percentage=100'"
# Default Anomaly Scores (rule 900100 in setup.conf)
@ -122,7 +122,7 @@ SecRule &TX:critical_anomaly_score "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.critical_anomaly_score=5'"
SecRule &TX:error_anomaly_score "@eq 0" \
@ -130,7 +130,7 @@ SecRule &TX:error_anomaly_score "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.error_anomaly_score=4'"
SecRule &TX:warning_anomaly_score "@eq 0" \
@ -138,7 +138,7 @@ SecRule &TX:warning_anomaly_score "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.warning_anomaly_score=3'"
SecRule &TX:notice_anomaly_score "@eq 0" \
@ -146,7 +146,7 @@ SecRule &TX:notice_anomaly_score "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.notice_anomaly_score=2'"
# Default do_reput_block
@ -155,7 +155,7 @@ SecRule &TX:do_reput_block "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.do_reput_block=0'"
# Default block duration
@ -164,7 +164,7 @@ SecRule &TX:reput_block_duration "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.reput_block_duration=300'"
# Default HTTP policy: allowed_methods (rule 900200)
@ -173,7 +173,7 @@ SecRule &TX:allowed_methods "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
# Default HTTP policy: allowed_request_content_type (rule 900220)
@ -182,7 +182,7 @@ SecRule &TX:allowed_request_content_type "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
# Default HTTP policy: allowed_request_content_type_charset (rule 900270)
@ -191,7 +191,7 @@ SecRule &TX:allowed_request_content_type_charset "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'"
# Default HTTP policy: allowed_http_versions (rule 900230)
@ -200,7 +200,7 @@ SecRule &TX:allowed_http_versions "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
# Default HTTP policy: restricted_extensions (rule 900240)
@ -209,7 +209,7 @@ SecRule &TX:restricted_extensions "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
# Default HTTP policy: restricted_headers (rule 900250)
@ -218,7 +218,7 @@ SecRule &TX:restricted_headers "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.restricted_headers=/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/'"
# Default HTTP policy: static_extensions (rule 900260)
@ -227,7 +227,7 @@ SecRule &TX:static_extensions "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
# Default enforcing of body processor URLENCODED
@ -236,9 +236,27 @@ SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.enforce_bodyproc_urlencoded=0'"
# Default check for UTF8 encoding validation
SecRule &TX:crs_validate_utf8_encoding "@eq 0" \
"id:901169,\
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.crs_validate_utf8_encoding=0'"
# Default monitor_anomaly_score value
SecRule &TX:monitor_anomaly_score "@eq 0" \
"id:901170,\
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.monitor_anomaly_score=0'"
#
# -=[ Initialize internal variables ]=-
#
@ -254,7 +272,7 @@ SecAction \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.anomaly_score=0',\
setvar:'tx.anomaly_score_pl1=0',\
setvar:'tx.anomaly_score_pl2=0',\
@ -291,7 +309,7 @@ SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \
pass,\
t:none,t:sha1,t:hexEncode,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.ua_hash=%{MATCHED_VAR}'"
SecAction \
@ -300,7 +318,7 @@ SecAction \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
initcol:global=global,\
initcol:ip=%{remote_addr}_%{tx.ua_hash},\
setvar:'tx.real_ip=%{remote_addr}'"
@ -319,9 +337,8 @@ SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
nolog,\
noauditlog,\
msg:'Enabling body inspection',\
tag:'paranoia-level/1',\
ctl:forceRequestBodyVariable=On,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Force body processor URLENCODED
SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
@ -332,7 +349,7 @@ SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
nolog,\
noauditlog,\
msg:'Enabling forced body inspection for ASCII content',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
"ctl:requestBodyProcessor=URLENCODED"
@ -371,7 +388,7 @@ SecRule TX:sampling_percentage "@eq 100" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-SAMPLING"
SecRule UNIQUE_ID "@rx ^." \
@ -380,7 +397,7 @@ SecRule UNIQUE_ID "@rx ^." \
pass,\
t:sha1,t:hexEncode,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'TX.sampling_rnd100=%{MATCHED_VAR}'"
SecRule DURATION "@rx (..)$" \
@ -389,7 +406,7 @@ SecRule DURATION "@rx (..)$" \
pass,\
capture,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'TX.sampling_rnd100=%{TX.sampling_rnd100}%{TX.1}'"
SecRule TX:sampling_rnd100 "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
@ -398,7 +415,7 @@ SecRule TX:sampling_rnd100 "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
pass,\
capture,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'"
SecRule TX:sampling_rnd100 "@rx ^0([0-9])" \
@ -407,7 +424,7 @@ SecRule TX:sampling_rnd100 "@rx ^0([0-9])" \
pass,\
capture,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'TX.sampling_rnd100=%{TX.1}'"
@ -432,7 +449,7 @@ SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \
noauditlog,\
msg:'Sampling: Disable the rule engine based on sampling_percentage %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',\
ctl:ruleEngine=Off,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecMarker "END-SAMPLING"
@ -450,4 +467,4 @@ SecRule TX:executing_paranoia_level "@lt %{tx.paranoia_level}" \
t:none,\
log,\
msg:'Executing paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting',\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
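Review bot: The two default rules added in the hunk at `@ -236,9 +236,27 @` (ids 901169 and 901170) are documented more thinly than most of their neighbours, which name the crs-setup.conf rule they mirror, as in `# Default Sampling Percentage (rule 900400 in setup.conf)`. Both rules set their variable to 0 whenever the operator has not defined it, which presumably leaves UTF-8 encoding validation and anomaly-score monitoring switched off by default. The comments should state that and point to the matching setup rule, for example `# Default UTF-8 encoding validation: 0 unless tx.crs_validate_utf8_encoding is set in crs-setup.conf`. An equivalent line is needed above rule 901170 for `tx.monitor_anomaly_score`. The remaining hunks in this section only change the `ver:` string, apart from the removal of `tag:'paranoia-level/1'` in the hunk at `@ -319,9 +337,8 @`.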


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -69,7 +69,7 @@ SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
@ -78,7 +78,7 @@ SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
@ -116,7 +116,7 @@ SecAction "id:9001100,\
nolog,\
ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES_NAMES,\
ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
#
@ -131,7 +131,7 @@ SecRule REQUEST_FILENAME "@endsWith /core/install.php" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:account[pass][pass1],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:account[pass][pass2],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@endsWith /user/login" \
"id:9001112,\
@ -140,7 +140,7 @@ SecRule REQUEST_FILENAME "@endsWith /user/login" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@endsWith /admin/people/create" \
"id:9001114,\
@ -149,7 +149,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/people/create" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass1],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass2],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@rx /user/[0-9]+/edit$" \
"id:9001116,\
@ -159,7 +159,7 @@ SecRule REQUEST_FILENAME "@rx /user/[0-9]+/edit$" \
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:current_pass,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass1],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass2],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
#
@ -179,7 +179,7 @@ SecRule REQUEST_FILENAME "@contains /admin/config/" \
pass,\
nolog,\
ctl:ruleRemoveById=942430,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@endsWith /admin/config/people/accounts" \
"id:9001124,\
@ -196,7 +196,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/people/accounts" \
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_activated_body,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_blocked_body,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_canceled_body,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/configuration/single/import" \
"id:9001126,\
@ -205,7 +205,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/development/configuration/sing
nolog,\
ctl:ruleRemoveById=920271,\
ctl:ruleRemoveById=942440,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
"id:9001128,\
@ -213,7 +213,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
pass,\
nolog,\
ctl:ruleRemoveById=942440,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
#
@ -230,7 +230,7 @@ SecRule REQUEST_FILENAME "@endsWith /contextual/render" \
pass,\
nolog,\
ctl:ruleRemoveTargetById=942130;ARGS:ids[],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
#
@ -249,7 +249,7 @@ SecAction "id:9001160,\
ctl:ruleRemoveTargetById=942440;ARGS:form_build_id,\
ctl:ruleRemoveTargetById=942450;ARGS:form_token,\
ctl:ruleRemoveTargetById=942450;ARGS:form_build_id,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
#
@ -266,7 +266,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/content/formats/manage/full_ht
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:editor[settings][toolbar][button_groups],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:filters[filter_html][settings][allowed_html],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
#
@ -350,7 +350,7 @@ SecRule REQUEST_FILENAME "@endsWith /node/add/article" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@endsWith /node/add/page" \
"id:9001202,\
@ -359,7 +359,7 @@ SecRule REQUEST_FILENAME "@endsWith /node/add/page" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@rx /node/[0-9]+/edit$" \
"id:9001204,\
@ -369,7 +369,7 @@ SecRule REQUEST_FILENAME "@rx /node/[0-9]+/edit$" \
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\
ctl:ruleRemoveTargetById=932110;ARGS:destination,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@endsWith /block/add" \
"id:9001206,\
@ -377,7 +377,7 @@ SecRule REQUEST_FILENAME "@endsWith /block/add" \
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@endsWith /admin/structure/block/block-content/manage/basic" \
"id:9001208,\
@ -385,7 +385,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/structure/block/block-content/manage/
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:description,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@rx /editor/filter_xss/(?:full|basic)_html$" \
"id:9001210,\
@ -393,7 +393,7 @@ SecRule REQUEST_FILENAME "@rx /editor/filter_xss/(?:full|basic)_html$" \
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:value,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@rx /user/[0-9]+/contact$" \
"id:9001212,\
@ -401,7 +401,7 @@ SecRule REQUEST_FILENAME "@rx /user/[0-9]+/contact$" \
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message[0][value],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
"id:9001214,\
@ -409,7 +409,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:maintenance_mode_message,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@endsWith /admin/config/services/rss-publishing" \
"id:9001216,\
@ -417,7 +417,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/services/rss-publishing" \
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:feed_description,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecMarker "END-DRUPAL-RULE-EXCLUSIONS"


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -23,7 +23,7 @@ SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-WORDPRESS"
SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
@ -32,7 +32,7 @@ SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-WORDPRESS"
@ -53,7 +53,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Reset password
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
@ -62,7 +62,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:action "@streq resetpass" \
"t:none,\
@ -86,7 +86,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-comments-post.php" \
t:none,\
nolog,\
ctl:ruleRemoveTargetById=931130;ARGS:url,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
#
@ -103,7 +103,7 @@ SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:posts|pages)" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:content,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.content,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Gutenberg via rest_route for sites without pretty permalinks
SecRule REQUEST_FILENAME "@endsWith /index.php" \
@ -112,7 +112,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule &ARGS:rest_route "@eq 1" \
"t:none,\
@ -132,7 +132,7 @@ SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/media" \
nolog,\
ctl:ruleRemoveById=200002,\
ctl:ruleRemoveById=200003,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Gutenberg upload image/media via rest_route for sites without pretty permalinks
SecRule REQUEST_FILENAME "@endsWith /index.php" \
@ -141,7 +141,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule &ARGS:rest_route "@eq 1" \
"t:none,\
@ -170,7 +170,7 @@ SecRule ARGS:wp_customize "@streq on" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule &ARGS:action "@eq 0" \
"t:none,\
@ -191,7 +191,7 @@ SecRule ARGS:wp_customize "@streq on" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:action "@rx ^(?:|customize_save|update-widget)$" \
"t:none,\
@ -232,7 +232,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-cron.php" \
nolog,\
ctl:ruleRemoveById=920180,\
ctl:ruleRemoveById=920300,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
#
@ -247,7 +247,7 @@ SecRule REQUEST_COOKIES:_wp_session "@rx ^[0-9a-f]+\|\|\d+\|\|\d+$" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule &REQUEST_COOKIES:_wp_session "@eq 1" \
"t:none,\
@ -266,7 +266,7 @@ SecRule REQUEST_FILENAME "!@contains /wp-admin/" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-WORDPRESS-ADMIN"
SecRule REQUEST_FILENAME "!@contains /wp-admin/" \
@ -275,7 +275,7 @@ SecRule REQUEST_FILENAME "!@contains /wp-admin/" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-WORDPRESS-ADMIN"
@ -290,7 +290,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/setup-config.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:step "@streq 2" \
"t:none,\
@ -306,7 +306,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/install.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:step "@streq 2" \
"t:none,\
@ -329,7 +329,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/profile.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:action "@streq update" \
"t:none,\
@ -357,7 +357,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-edit.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:action "@streq update" \
"t:none,\
@ -386,7 +386,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-new.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:action "@streq createuser" \
"t:none,\
@ -427,7 +427,7 @@ SecAction \
ctl:ruleRemoveTargetById=942200;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942260;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942431;ARGS:wp_http_referer,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
#
# [ Content editing ]
@ -444,7 +444,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:action "@rx ^(?:edit|editpost)$" \
"t:none,\
@ -464,7 +464,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:action "@streq heartbeat" \
"t:none,\
@ -486,7 +486,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/nav-menus.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:action "@streq update" \
"t:none,\
@ -511,7 +511,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:action "@rx ^(?:save-widget|update-widget)$" \
"t:none,\
@ -566,7 +566,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:action "@streq widgets-order" \
"t:none,\
@ -595,7 +595,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:action "@streq sample-permalink" \
"t:none,\
@ -611,7 +611,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:action "@streq add-menu-item" \
"t:none,\
@ -627,7 +627,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:action "@streq send-attachment-to-editor" \
"t:none,\
@ -648,7 +648,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:option_page "@streq general" \
"t:none,\
@ -679,7 +679,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/options-permalink.php" \
ctl:ruleRemoveTargetById=920272;ARGS:permalink_structure,\
ctl:ruleRemoveTargetById=942431;ARGS:permalink_structure,\
ctl:ruleRemoveTargetById=920272;REQUEST_BODY,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Comments blacklist and moderation list
SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
@ -688,7 +688,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:option_page "@streq discussion" \
"t:none,\
@ -712,7 +712,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/edit.php" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:s,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
#
@ -751,7 +751,7 @@ SecRule REQUEST_FILENAME "@rx /wp-admin/load-(?:scripts|styles)\.php$" \
ctl:ruleRemoveTargetById=942430;ARGS:load[],\
ctl:ruleRemoveTargetById=942431;ARGS:load[],\
ctl:ruleRemoveTargetById=942432;ARGS:load[],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecMarker "END-WORDPRESS-ADMIN"


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -44,7 +44,7 @@ SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-NEXTCLOUD"
SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \
@ -53,7 +53,7 @@ SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-NEXTCLOUD"
@ -75,7 +75,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \
ctl:ruleRemoveById=953100-953130,\
ctl:ruleRemoveById=920420,\
ctl:ruleRemoveById=920440,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Skip PUT parsing for invalid encoding / protocol violations in binary files.
@ -85,7 +85,7 @@ SecRule REQUEST_METHOD "@streq PUT" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \
"t:none,\
@ -103,7 +103,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/vcard|'"
# Allow the data type 'application/octet-stream'
@ -114,7 +114,7 @@ SecRule REQUEST_METHOD "@rx ^(?:PUT|MOVE)$" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule REQUEST_FILENAME "@rx /remote\.php/dav/(?:files|uploads)/" \
"setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |application/octet-stream|'"
@ -127,7 +127,7 @@ SecRule REQUEST_METHOD "@streq PUT" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule REQUEST_FILENAME "@rx (?:/public\.php/webdav/|/remote\.php/dav/uploads/)" \
"ctl:ruleRemoveById=920340,\
@ -148,7 +148,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
ctl:ruleRemoveById=951000-951999,\
ctl:ruleRemoveById=953100-953130,\
ctl:ruleRemoveById=920440,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Allow REPORT requests without Content-Type header (at least the iOS app does this)
@ -177,7 +177,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/core/search" \
ctl:ruleRemoveTargetByTag=attack-injection-php;ARGS:query,\
ctl:ruleRemoveTargetById=941000-942999;ARGS:query,\
ctl:ruleRemoveTargetById=932000-932999;ARGS:query,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# [ DAV ]
@ -199,7 +199,7 @@ SecRule REQUEST_FILENAME "@rx /(?:remote|index|public)\.php/" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT PATCH CHECKOUT COPY DELETE LOCK MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH UNLOCK REPORT TRACE jsonp'"
@ -213,7 +213,7 @@ SecRule REQUEST_FILENAME "@rx /ocs/v[0-9]+\.php/apps/files_sharing/" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE'"
@ -226,7 +226,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/core/preview.png" \
t:none,\
nolog,\
ctl:ruleRemoveTargetById=932150;ARGS:file,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Filepreview for trashbin
@ -238,7 +238,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/files_trashbin/ajax/preview.
nolog,\
ctl:ruleRemoveTargetById=932150;ARGS:file,\
ctl:ruleRemoveTargetById=942190;ARGS:file,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@rx /index\.php/(?:apps/gallery/thumbnails|logout$)" \
"id:9003160,\
@ -247,7 +247,7 @@ SecRule REQUEST_FILENAME "@rx /index\.php/(?:apps/gallery/thumbnails|logout$)" \
t:none,\
nolog,\
ctl:ruleRemoveTargetById=941120;ARGS:requesttoken,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# [ Ownnote ]
@ -259,7 +259,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/ownnote/" \
t:none,\
nolog,\
ctl:ruleRemoveById=941150,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# [ Text Editor ]
@ -277,7 +277,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/files_texteditor/" \
ctl:ruleRemoveTargetById=932150;ARGS:filename,\
ctl:ruleRemoveTargetById=920370-920390;ARGS:filecontents,\
ctl:ruleRemoveTargetById=920370-920390;ARGS_COMBINED_SIZE,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# [ Address Book ]
@ -290,7 +290,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/addressbooks/" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/vcard|'"
# Allow modifying contacts via the web interface
@ -316,7 +316,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/calendars/" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/calendar|'"
# Allow modifying calendar events via the web interface
@ -344,7 +344,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/notes/" \
t:none,\
nolog,\
ctl:ruleRemoveByTag=attack-injection-php,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# [ Bookmarks ]
@ -358,7 +358,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/bookmarks/" \
t:none,\
nolog,\
ctl:ruleRemoveById=931130,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
#
@ -377,7 +377,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/login" \
nolog,\
ctl:ruleRemoveTargetById=941100;ARGS:requesttoken,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Reset password.
@ -387,7 +387,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php/login" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:action "@streq resetpass" \
"t:none,\
@ -408,7 +408,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php/settings/users" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:newuserpassword,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecMarker "END-NEXTCLOUD-ADMIN"


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -27,7 +27,7 @@ SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-DOKUWIKI"
SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \
@ -36,7 +36,7 @@ SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-DOKUWIKI"
@ -81,7 +81,7 @@ SecRule REQUEST_FILENAME "@rx (?:/doku.php|/lib/exe/ajax.php)$" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule REQUEST_METHOD "@streq POST" \
"t:none,\
@ -106,7 +106,7 @@ SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php" \
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule REQUEST_METHOD "@streq POST" \
"t:none,\
@ -125,7 +125,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:do "@streq index" \
"t:none,\
@ -149,7 +149,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:do "@streq login" \
"t:none,\
@ -170,7 +170,7 @@ SecRule ARGS:do "!@streq admin" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-DOKUWIKI-ADMIN"
SecRule ARGS:do "!@streq admin" \
@ -179,7 +179,7 @@ SecRule ARGS:do "!@streq admin" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-DOKUWIKI-ADMIN"
@ -194,7 +194,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:do "@streq login" \
"t:none,\
@ -220,7 +220,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:page "@streq config" \
"t:none,\
@ -252,7 +252,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:page "@streq config" \
"t:none,\


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -19,7 +19,7 @@ SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-CPANEL"
SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \
@ -28,7 +28,7 @@ SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-CPANEL"
@ -53,7 +53,7 @@ SecRule REQUEST_LINE "@rx ^GET /whm-server-status(?:/|/\?auto)? HTTP/[12]\.[01]$
tag:'language-multi',\
tag:'platform-apache',\
tag:'attack-generic',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
"t:none,\


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -18,7 +18,7 @@ SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-XENFORO"
SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \
@ -27,7 +27,7 @@ SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-XENFORO"
@ -49,7 +49,7 @@ SecRule REQUEST_FILENAME "@endsWith /proxy.php" \
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:link,\
ctl:ruleRemoveTargetById=931130;ARGS:referrer,\
ctl:ruleRemoveTargetById=942230;ARGS:referrer,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Store drafts for private message, forum post, thread reply
# POST /xf/conversations/draft
@ -73,7 +73,7 @@ SecRule REQUEST_FILENAME "@rx /(?:conversations|(?:conversations|forums|threads)
ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Send PM, edit post, create thread, reply to thread
# POST /xf/conversations/add
@ -100,7 +100,7 @@ SecRule REQUEST_FILENAME "@rx /(?:conversations/add(?:-preview)?|conversations/m
ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Quote
# POST /xf/posts/12345/quote
@ -111,7 +111,7 @@ SecRule REQUEST_FILENAME "@rx /posts/\d+/quote$" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:quoteHtml,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Multi quote
# POST /xf/conversations/convo-title.12345/multi-quote
@ -134,7 +134,7 @@ SecRule REQUEST_FILENAME "@rx /(?:conversations|threads)/.*\.\d+/multi-quote$" \
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[7][value],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[8][value],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[9][value],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Delete thread
# POST /xf/threads/thread-title.12345/delete
@ -145,7 +145,7 @@ SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/delete$" \
t:none,\
nolog,\
ctl:ruleRemoveTargetById=942130;ARGS:starter_alert_reason,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Feature thread
# POST /xf/threads/thread-title.12345/feature-edit
@ -167,7 +167,7 @@ SecRule REQUEST_FILENAME "@endsWith /inline-mod/" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:author_alert_reason,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Warn member
# POST /xf/members/name.12345/warn
@ -180,7 +180,7 @@ SecRule REQUEST_FILENAME "@rx /(?:members/.*\.\d+|posts/\d+)/warn$" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:conversation_message,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:notes,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Editor
SecRule REQUEST_URI "@endsWith /index.php?editor/to-html" \
@ -194,7 +194,7 @@ SecRule REQUEST_URI "@endsWith /index.php?editor/to-html" \
ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Editor
SecRule REQUEST_URI "@endsWith /index.php?editor/to-bb-code" \
@ -204,7 +204,7 @@ SecRule REQUEST_URI "@endsWith /index.php?editor/to-bb-code" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:html,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Post attachment
# POST /xf/account/avatar
@ -220,7 +220,7 @@ SecRule REQUEST_FILENAME "@rx /(?:account/avatar|attachments/upload)$" \
ctl:ruleRemoveTargetById=942440;ARGS:flowIdentifier,\
ctl:ruleRemoveTargetById=942440;ARGS:flowFilename,\
ctl:ruleRemoveTargetById=942440;ARGS:flowRelativePath,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Media
# POST /xf/index.php?editor/media
@ -232,7 +232,7 @@ SecRule REQUEST_URI "@endsWith /index.php?editor/media" \
nolog,\
ctl:ruleRemoveTargetById=931130;ARGS:url,\
ctl:ruleRemoveTargetById=942130;ARGS:url,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Emoji
# GET /xf/index.php?misc/find-emoji&q=(%0A%0A
@ -243,7 +243,7 @@ SecRule REQUEST_URI "@rx /index\.php\?misc/find-emoji&q=" \
t:none,\
nolog,\
ctl:ruleRemoveTargetById=921151;ARGS:q,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Login
# POST /xf/login/login
@ -254,7 +254,7 @@ SecRule REQUEST_FILENAME "@endsWith /login/login" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Register account
# POST /xf/register/register
@ -269,7 +269,7 @@ SecRule REQUEST_FILENAME "@endsWith /register/register" \
nolog,\
ctl:ruleRemoveTargetById=942130;ARGS,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:reg_key,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Confirm account
# GET /xf/account-confirmation/name.12345/email?c=foo
@ -291,7 +291,7 @@ SecRule REQUEST_FILENAME "@endsWith /account/account-details" \
nolog,\
ctl:ruleRemoveTargetById=931130;ARGS:custom_fields[picture],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:about_html,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Lost password
# POST /xf/lost-password/user-name.12345/confirm?c=foo
@ -302,7 +302,7 @@ SecRule REQUEST_FILENAME "@rx /lost-password/.*\.\d+/confirm$" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:c,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Set forum signature
# POST /xf/account/signature
@ -313,7 +313,7 @@ SecRule REQUEST_FILENAME "@endsWith /account/signature" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:signature_html,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Search
# POST /xf/search/search
@ -328,7 +328,7 @@ SecRule REQUEST_FILENAME "@endsWith /search/search" \
ctl:ruleRemoveTargetById=942260;ARGS:constraints,\
ctl:ruleRemoveTargetById=942340;ARGS:constraints,\
ctl:ruleRemoveTargetById=942370;ARGS:constraints,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Search within thread
# GET /xf/threads/foo.12345/page12?highlight=foo
@ -339,7 +339,7 @@ SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/(?:page\d+)?$" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:highlight,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Search within search result
# GET /xf/search/12345/?q=foo
@ -350,7 +350,7 @@ SecRule REQUEST_FILENAME "@rx /search/\d+/$" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:q,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Contact form
# POST /xf/misc/contact
@ -362,7 +362,7 @@ SecRule REQUEST_FILENAME "@endsWith /misc/contact" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:subject,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Report post
# POST /xf/posts/12345/report
@ -373,7 +373,7 @@ SecRule REQUEST_FILENAME "@rx /posts/\d+/report$" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Alternate thread view route
# /xf/index.php?threads/title-having-some-sql.12345/
@ -388,7 +388,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule REQUEST_METHOD "@streq GET" \
"t:none,\
@ -412,7 +412,7 @@ SecRule REQUEST_URI "@endsWith /index.php?dbtech-security/fingerprint" \
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[14][value],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[15][value],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[16][value],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Get location info
SecRule REQUEST_FILENAME "@endsWith /misc/location-info" \
@ -422,7 +422,7 @@ SecRule REQUEST_FILENAME "@endsWith /misc/location-info" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:location,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
#
# -=[ XenForo Global Exclusions ]=-
@ -455,7 +455,7 @@ SecAction \
ctl:ruleRemoveTargetByTag=OWASP_CRS;REQUEST_COOKIES:xf_ls,\
ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_session,\
ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_user,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
#
# -=[ XenForo Administration Back-End ]=-
@ -469,7 +469,7 @@ SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-XENFORO-ADMIN"
SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
@ -478,7 +478,7 @@ SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-XENFORO-ADMIN"
# Admin edit user
@ -491,7 +491,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?users/.*\.\d+/edit$" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:profile[about],\
ctl:ruleRemoveTargetById=931130;ARGS:profile[website],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Admin save user
# POST /xf/admin.php?users/the-user-name.12345/save
@ -510,7 +510,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?users/.*\.\d+/save$" \
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:custom_fields[sexuality],\
ctl:ruleRemoveTargetById=931130;ARGS:custom_fields[picture],\
ctl:ruleRemoveTargetById=931130;ARGS:profile[website],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Admin edit forum notice
@ -524,7 +524,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?notices/(?:.*\.)?\d+/save$" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:title,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Admin batch thread update
# POST /xf/admin.php?threads/batch-update/action
@ -539,7 +539,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?(?:threads|users)/batch-update/action$" \
ctl:ruleRemoveTargetById=942330;ARGS:criteria,\
ctl:ruleRemoveTargetById=942340;ARGS:criteria,\
ctl:ruleRemoveTargetById=942370;ARGS:criteria,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Edit forum theme
# POST /xf/admin.php?styles/title.1234/style-properties/group&group=basic
@ -556,7 +556,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?styles/" \
ctl:ruleRemoveTargetById=942340;ARGS:json,\
ctl:ruleRemoveTargetById=942370;ARGS:json,\
ctl:ruleRemoveTargetById=942440;ARGS:json,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Set forum options
# POST /xf/admin.php?options/update
@ -567,7 +567,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?options/update" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:options[boardInactiveMessage],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Edit pages/templates
# POST /xf/admin.php?pages/0/save
@ -580,7 +580,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?(?:pages|templates)/.*/save" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:template,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecMarker "END-XENFORO-ADMIN"


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -24,7 +24,7 @@ SecRule REQUEST_LINE "@streq GET /" \
tag:'language-multi',\
tag:'platform-apache',\
tag:'attack-generic',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
"t:none,\
@ -44,7 +44,7 @@ SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
tag:'language-multi',\
tag:'platform-apache',\
tag:'attack-generic',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)" \
"t:none,\


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -41,7 +41,7 @@ SecRule TX:DO_REPUT_BLOCK "@eq 1" \
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain,\
skipAfter:BEGIN-REQUEST-BLOCKING-EVAL"
@ -71,7 +71,7 @@ SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule TX:REAL_IP "@geoLookup" \
@ -124,9 +124,8 @@ SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-RBL-LOOKUP"
#
@ -148,9 +147,8 @@ SecRule &TX:block_suspicious_ip "@eq 0" \
pass,\
t:none,\
nolog,\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain,\
skipAfter:END-RBL-CHECK"
SecRule &TX:block_harvester_ip "@eq 0" \
@ -170,9 +168,8 @@ SecRule TX:REAL_IP "@rbl dnsbl.httpbl.org" \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.httpbl_msg=%{tx.0}',\
chain"
SecRule TX:httpbl_msg "@rx RBL lookup of .*?.dnsbl.httpbl.org succeeded at TX:checkip. (.*?): .*" \
@ -193,7 +190,7 @@ SecRule TX:block_search_ip "@eq 1" \
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain,\
skipAfter:END-RBL-CHECK"
@ -217,7 +214,7 @@ SecRule TX:block_spammer_ip "@eq 1" \
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain,\
skipAfter:END-RBL-CHECK"
@ -241,7 +238,7 @@ SecRule TX:block_suspicious_ip "@eq 1" \
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain,\
skipAfter:END-RBL-CHECK"
@ -265,7 +262,7 @@ SecRule TX:block_harvester_ip "@eq 1" \
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain,\
skipAfter:END-RBL-CHECK"
@ -287,8 +284,7 @@ SecAction \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'ip.previous_rbl_check=1',\
expirevar:'ip.previous_rbl_check=86400'"
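Review bot: Four hunks in this file section (old lines 124, 148, 170 and 287) shrink by one line beyond the `ver:` bump, and the line that disappears appears to be `tag:'paranoia-level/1'`; the commit message does not mention this, and it changes which rules a tag-based selector matches. The +/- markers are lost in this rendering, so this is inferred from the hunk counts and from that tag being the only line common to every shrinking hunk. The blocking rules further down (old lines 193 to 265) still carry the tag, so only the skip, lookup and bookkeeping rules seem affected. Any local exclusion or log filter keyed on that tag, such as `SecRuleRemoveByTag` or `ctl:ruleRemoveByTag=paranoia-level/1`, will stop matching these rules after the update and should be checked before rollout. The same removal recurs in the DoS-protection section two files further down (old lines 138, 162, 181, 213 and 234), and a line in the description such as `also drops paranoia-level/1 tags from control-flow rules` would record it.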


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -39,7 +39,7 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/274',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -70,7 +70,7 @@ SecRule &TX:dos_burst_time_slice "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain,\
skipAfter:END-DOS-PROTECTION-CHECKS"
SecRule &TX:dos_counter_threshold "@eq 0" \
@ -83,7 +83,7 @@ SecRule &TX:dos_burst_time_slice "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain,\
skipAfter:END-DOS-PROTECTION-CHECKS"
SecRule &TX:dos_counter_threshold "@eq 0" \
@ -116,7 +116,7 @@ SecRule IP:DOS_BLOCK "@eq 1" \
tag:'attack-dos',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/227/469',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule &IP:DOS_BLOCK_FLAG "@eq 0" \
"setvar:'ip.dos_block_counter=+1',\
@ -138,11 +138,10 @@ SecRule IP:DOS_BLOCK "@eq 1" \
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'paranoia-level/1',\
tag:'attack-dos',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/227/469',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'ip.dos_block_counter=+1'"
@ -162,9 +161,8 @@ SecRule IP:DOS_BLOCK "@eq 1" \
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'paranoia-level/1',\
tag:'attack-dos',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-DOS-PROTECTION-CHECKS"
@ -181,11 +179,10 @@ SecRule REQUEST_BASENAME "@rx .*?(\.[a-z0-9]{1,10})?$" \
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'paranoia-level/1',\
tag:'attack-dos',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/227/469',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.extension=/%{TX.1}/',\
chain"
SecRule TX:EXTENSION "!@within %{tx.static_extensions}" \
@ -213,11 +210,10 @@ SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'paranoia-level/1',\
tag:'attack-dos',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/227/469',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule &IP:DOS_BURST_COUNTER "@eq 0" \
"setvar:'ip.dos_burst_counter=1',\
@ -234,11 +230,10 @@ SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'paranoia-level/1',\
tag:'attack-dos',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/227/469',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule &IP:DOS_BURST_COUNTER "@ge 1" \
"setvar:'ip.dos_burst_counter=2',\
@ -265,7 +260,7 @@ SecRule IP:DOS_BURST_COUNTER "@ge 2" \
tag:'attack-dos',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/227/469',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'ip.dos_block=1',\
expirevar:'ip.dos_block=%{tx.dos_block_timeout}'"
@ -299,7 +294,7 @@ SecRule IP:DOS_BURST_COUNTER "@ge 1" \
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/227/469',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'ip.dos_block=1',\
expirevar:'ip.dos_block=%{tx.dos_block_timeout}'"


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -47,7 +47,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/224/541/310',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'ip.reput_block_flag=1',\
@ -70,7 +70,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile scanners-headers.data
tag:'OWASP_CRS',\
tag:'capec/1000/118/224/541/310',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'ip.reput_block_flag=1',\
@ -95,7 +95,7 @@ SecRule REQUEST_FILENAME|ARGS "@pmFromFile scanners-urls.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/224/541/310',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'ip.reput_block_flag=1',\
@ -135,7 +135,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
tag:'capec/1000/118/224/541/310',\
tag:'PCI/6.5.10',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'ip.reput_block_flag=1',\
@ -169,7 +169,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \
tag:'capec/1000/118/224/541/310',\
tag:'PCI/6.5.10',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'ip.reput_block_flag=1',\


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -59,7 +59,7 @@ SecRule REQUEST_LINE "!@rx ^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@ -110,7 +110,7 @@ SecRule FILES_NAMES|FILES "@rx (?<!&(?:[aAoOuUyY]uml)|&(?:[aAeEiIoOuU]circ)|&(?:
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -139,7 +139,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -173,7 +173,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" \
@ -198,7 +198,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
@ -234,7 +234,7 @@ SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
chain"
SecRule REQUEST_METHOD "@streq POST" \
@ -263,7 +263,7 @@ SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
tag:'attack-protocol',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
chain"
SecRule &REQUEST_HEADERS:Content-Length "!@eq 0" \
@ -301,7 +301,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
chain"
SecRule TX:2 "@lt %{tx.1}" \
@ -334,7 +334,7 @@ SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive|
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@ -367,7 +367,7 @@ SecRule REQUEST_URI "@rx \x25" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
chain"
SecRule REQUEST_URI "@validateUrlEncoding" \
@ -387,7 +387,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
chain"
SecRule REQUEST_BODY "@rx \x25" \
@ -419,7 +419,7 @@ SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
chain"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" \
@ -458,7 +458,7 @@ SecRule REQUEST_URI|REQUEST_BODY "@rx \%u[fF]{2}[0-9a-fA-F]{2}" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@ -512,7 +512,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -544,7 +544,7 @@ SecRule &REQUEST_HEADERS:Host "@eq 0" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
skipAfter:END-HOST-CHECK"
@ -563,7 +563,7 @@ SecRule REQUEST_HEADERS:Host "@rx ^$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@ -603,7 +603,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'NOTICE',\
chain"
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@ -628,7 +628,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'NOTICE',\
chain"
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@ -661,7 +661,7 @@ SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'NOTICE',\
setvar:'tx.anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
@ -698,7 +698,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'NOTICE',\
chain"
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
@ -731,7 +731,7 @@ SecRule REQUEST_HEADERS:Host "@rx ^[\d.:]+$" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@ -763,7 +763,7 @@ SecRule &TX:MAX_NUM_ARGS "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule &ARGS "@gt %{tx.max_num_args}" \
@ -788,7 +788,7 @@ SecRule &TX:ARG_NAME_LENGTH "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" \
@ -815,7 +815,7 @@ SecRule &TX:ARG_LENGTH "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule ARGS "@gt %{tx.arg_length}" \
@ -839,7 +839,7 @@ SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" \
@ -864,7 +864,7 @@ SecRule &TX:MAX_FILE_SIZE "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
@ -890,7 +890,7 @@ SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" \
@ -928,7 +928,7 @@ SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+-]+(?:\s?;\s?(?:action|boundar
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -951,7 +951,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.content_type=|%{tx.0}|',\
chain"
@ -979,7 +979,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule TX:1 "!@rx ^%{tx.allowed_request_content_type_charset}$" \
@ -1005,7 +1005,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset.*?charset" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1027,7 +1027,7 @@ SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1050,7 +1050,7 @@ SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.extension=.%{tx.1}/',\
chain"
@ -1077,7 +1077,7 @@ SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1122,7 +1122,7 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.header_name_%{tx.0}=/%{tx.0}/',\
chain"
@ -1157,10 +1157,41 @@ SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# The following rule (920620) checks for the presence of 2 or more request Content-Type headers.
# Content-Type confusion poses a significant security risk to a web application. It occurs when
# the server and client have different interpretations of the Content-Type header, leading to
# miscommunication, potential exploitation and WAF bypass.
#
# Using Apache, when multiple Content-Type request headers are received, the server combines them
# into a single header with the values separated by commas. For example, if a client sends multiple
# Content-Type headers with values "application/json" and "text/plain", Apache will combine them
# into a single header like this: "Content-Type: application/json, text/plain".
#
# On the other hand, Nginx handles multiple Content-Type headers differently. It preserves each
# header as a separate entity without combining them. So, if a client sends multiple Content-Type
# headers, Nginx will keep them separate, maintaining the original values.
#
SecRule &REQUEST_HEADERS:Content-Type "@gt 1" \
"id:920620,\
phase:1,\
block,\
t:none,\
msg:'Multiple Content-Type Request Headers',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
@ -1202,7 +1233,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
chain"
SecRule REQUEST_BASENAME "!@endsWith .pdf" \
@ -1226,7 +1257,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
chain"
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" \
@ -1247,7 +1278,7 @@ SecRule ARGS "@rx %[0-9a-fA-F]{2}" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/120',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
@ -1278,7 +1309,7 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'NOTICE',\
chain"
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@ -1304,7 +1335,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1331,7 +1362,7 @@ SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'NOTICE',\
setvar:'tx.anomaly_score_pl2=+%{tx.notice_anomaly_score}'"
@ -1353,7 +1384,7 @@ SecRule FILES_NAMES|FILES "@rx ['\";=]" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1378,7 +1409,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
@ -1412,7 +1443,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteR
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -1440,7 +1471,7 @@ SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" \
@ -1493,7 +1524,7 @@ SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" \
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(\s*\,\s*|$)){1,7}$" \
@ -1524,7 +1555,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
chain"
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \
@ -1551,7 +1582,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
@ -1572,7 +1603,7 @@ SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!RE
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
@ -1596,7 +1627,7 @@ SecRule REQUEST_HEADERS:Sec-Fetch-User "@validateByteRange 32,34,38,42-59,61,63,
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
@ -1642,7 +1673,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\\\\])\\\\[cdegh
tag:'OWASP_CRS',\
tag:'capec/1000/153/267',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
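Review bot: The comment block added above rule 920620 (the `@ -1157,10 +1157,41 @` hunk) explains that Apache merges repeated Content-Type headers into one comma-separated value, but it never says what that means for this rule. `&REQUEST_HEADERS:Content-Type "@gt 1"` counts header instances, so going by the comment's own description it can only match where the headers arrive separately, which is the Nginx case. I would add a line such as `# On Apache the count stays at 1, so this rule does not match there; the merged comma-separated value must be rejected by the Content-Type format checks instead.` and name the rule that does so once it is confirmed against the full file, since only truncated rule headers are visible here. Separately, `logdata:'%{MATCHED_VAR}'` on a counting target most likely records the header count rather than the conflicting values, so the comment should tell whoever triages the alert to take the header values from the audit log.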


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -47,7 +47,7 @@ SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connec
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -80,7 +80,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/34',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -102,7 +102,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/34',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -137,7 +137,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/273',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -166,7 +166,7 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -188,7 +188,7 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cook
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -214,7 +214,7 @@ SecRule REQUEST_FILENAME "@rx [\n\r]" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/34',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -247,7 +247,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/136',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -280,7 +280,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s,]+[;\s,].*?(?:(?:application(?:
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -314,7 +314,7 @@ SecRule ARGS_GET "@rx [\n\r]" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -350,9 +350,9 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s,]+[;\s,].*?\b(?:(audio|image|vi
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
@ -386,7 +386,7 @@ SecRule &REQUEST_HEADERS:Range "@gt 0" \
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -418,10 +418,9 @@ SecRule ARGS_NAMES "@rx ." \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/15/460',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
SecRule TX:/paramcounter_.*/ "@gt 1" \
@ -437,7 +436,7 @@ SecRule TX:/paramcounter_.*/ "@gt 1" \
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/15/460',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -38,7 +38,7 @@ SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule ARGS:_charset_ "!@within |%{tx.allowed_request_content_type_charset}|" \
@ -63,7 +63,7 @@ SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*+:\s*+(.*)$" \
tag:'OWASP_CRS',\
tag:'capec/272/220',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule TX:1 "!@rx ^(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*(?:\s*+,\s*+(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*)*$" \
@ -87,6 +87,6 @@ SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" \
tag:'OWASP_CRS',\
tag:'capec/272/220',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -42,7 +42,7 @@ SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@r
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
@ -65,7 +65,7 @@ SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@rx (?
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@ -92,7 +92,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
tag:'PCI/6.5.4',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -119,7 +119,7 @@ SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
tag:'PCI/6.5.4',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -50,7 +50,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?):\/\/(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -71,7 +71,7 @@ SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_abso
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -92,7 +92,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -120,13 +120,13 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?)://([^/]*).*$" \
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\
chain"
SecRule TX:/rfi_parameter_.*/ "!@endsWith .%{request_headers.host}" \
"setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
"ctl:auditLogParts=+E,\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -117,7 +117,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -153,7 +153,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -250,7 +250,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -289,7 +289,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -324,7 +324,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -361,7 +361,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -407,7 +407,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -458,7 +458,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -495,7 +495,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -527,7 +527,7 @@ SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -549,7 +549,7 @@ SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -584,7 +584,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -629,7 +629,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VAR "@rx /" "t:none,t:urlDecodeUni,chain"
@ -679,7 +679,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -711,7 +711,7 @@ SecRule ARGS "@rx (?:/|\\\\)(?:[\?\*]+[a-z/\\\\]+|[a-z/\\\\]+[\?\*]+)" \
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -60,7 +60,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -102,7 +102,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -126,12 +126,12 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS "@pm =" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -155,7 +155,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -192,7 +192,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -221,7 +221,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -289,7 +289,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -343,7 +343,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -399,7 +399,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -455,7 +455,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -497,7 +497,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -540,12 +540,12 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS "@pm (" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -595,7 +595,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/242',\
tag:'paranoia-level/3',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -641,7 +641,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'capec/1000/152/242',\
tag:'paranoia-level/3',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -684,7 +684,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
tag:'capec/1000/152/242',\
tag:'paranoia-level/3',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -714,7 +714,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/242',\
tag:'paranoia-level/3',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
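Review bot: In the `@ -126,12 +126,12 @` hunk, `ctl:auditLogParts=+E` moves from the chain starter to the chained `SecRule MATCHED_VARS "@pm ="`, and nothing visible near the rule records why the action has to sit on the last link; the `@ -540,12 +540,12 @` hunk (`@pm (`) makes the same move. ModSecurity runs a non-disruptive action when the rule that carries it matches, not only when the whole chain matches, so on the starter it changed the audit-log parts for any transaction that matched the first condition alone. A line in the rule's leading comment block would keep a later edit from moving it back, for example `# ctl:auditLogParts=+E belongs on the last chained rule so it applies only when the whole chain matches`. The chain starters and their comment blocks begin outside both hunks, so whether such a remark already exists cannot be seen from here.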


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -63,7 +63,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -50,7 +50,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -77,7 +77,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -103,7 +103,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -133,7 +133,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -159,7 +159,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -194,7 +194,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -219,7 +219,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -245,7 +245,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -272,7 +272,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -294,7 +294,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -316,7 +316,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -338,7 +338,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -360,7 +360,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -382,7 +382,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -404,7 +404,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -426,7 +426,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -448,7 +448,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -470,7 +470,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -492,7 +492,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -514,7 +514,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -541,7 +541,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -568,7 +568,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -610,7 +610,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242/63',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -638,7 +638,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:
tag:'OWASP_CRS',\
tag:'capec/1000/152/242/63',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -669,7 +669,7 @@ SecRule REQUEST_HEADERS:Referer "@detectXSS" \
tag:'capec/1000/152/242',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -695,7 +695,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'capec/1000/152/242',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -778,7 +778,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'capec/1000/152/242/63',\
tag:'PCI/6.5.1',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -799,7 +799,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'capec/1000/152/242',\
tag:'PCI/6.5.1',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -823,7 +823,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'capec/1000/152/242',\
tag:'PCI/6.5.1',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -856,7 +856,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/242/63',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -59,7 +59,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@ -94,7 +94,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -120,7 +120,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -149,7 +149,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -178,7 +178,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -199,7 +199,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -220,7 +220,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -249,7 +249,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -270,7 +270,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -291,7 +291,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -320,7 +320,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -341,7 +341,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -370,7 +370,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -399,7 +399,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -439,7 +439,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -475,7 +475,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -513,7 +513,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?:^\s*[\"'`;]+|[\"'`]+\s*$)" \
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
@ -549,7 +549,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\)|\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -584,7 +584,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?(?:
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@ -623,7 +623,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -652,7 +652,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -684,7 +684,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -716,7 +716,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -745,7 +745,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -774,7 +774,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -803,7 +803,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -840,7 +840,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -871,7 +871,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -896,7 +896,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -930,7 +930,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -957,7 +957,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -984,7 +984,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1014,7 +1014,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1051,7 +1051,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1084,7 +1084,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1117,7 +1117,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1158,7 +1158,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@ -1202,7 +1202,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -1227,7 +1227,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1276,7 +1276,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1315,7 +1315,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -1339,7 +1339,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -1379,7 +1379,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@ -1408,7 +1408,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@ -1438,7 +1438,7 @@ SecRule ARGS "@rx \W{4}" \
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}'"
@ -1472,7 +1472,7 @@ SecRule REQUEST_BASENAME "@detectSQLi" \
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -1522,7 +1522,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -1555,7 +1555,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@ -1584,7 +1584,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -44,7 +44,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/225/21/593/61',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -65,15 +65,15 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/21/593/61',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Referer "@rx ^(?:ht|f)tps?://(.*?)\/" \
"capture,\
chain"
SecRule TX:1 "!@endsWith %{request_headers.host}" \
"setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
"ctl:auditLogParts=+E,\
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -92,12 +92,12 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/21/593/61',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule &REQUEST_HEADERS:Referer "@eq 0" \
"setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
"ctl:auditLogParts=+E,\
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
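Review bot: Neither chained rule in this section carries a comment saying why `ctl:auditLogParts=+E` now sits on the last link (`SecRule TX:1 …` in the first hunk, `SecRule &REQUEST_HEADERS:Referer "@eq 0"` in the second) instead of the chain starter. The placement is the whole change: ModSecurity runs a non-disruptive action as soon as the rule carrying it matches, so on the starter it would add audit-log part E whenever a session-id parameter name matched, even when the Referer checks then cleared the request. I would add a line above each last link such as `# ctl:auditLogParts must stay on the last chained rule so it only runs when the whole chain matches`. The same move recurs in the chained RESPONSE_BODY rules of the later file sections on this page, and both rules here start above their hunks; anyone alerting on audit-log part E should expect it to appear less often after this update.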


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -47,7 +47,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -81,7 +81,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \
@ -107,7 +107,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \
@ -141,7 +141,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -180,7 +180,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -202,7 +202,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -224,7 +224,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -249,7 +249,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -285,7 +285,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -69,7 +69,7 @@ SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule TX:DO_REPUT_BLOCK "@eq 1" \
@ -89,7 +89,7 @@ SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-generic',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -45,7 +45,7 @@ SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Inde
tag:'capec/1000/118/116/54/127',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -79,7 +79,7 @@ SecRule RESPONSE_BODY "@rx ^#\!\s?/" \
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -111,7 +111,7 @@ SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
tag:'OWASP_CRS',\
tag:'capec/1000/152',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.error_anomaly_score}'"


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -36,10 +36,9 @@ SecRule RESPONSE_BODY "@pmFromFile sql-errors.data" \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.sql_error_match=1'"
SecRule TX:sql_error_match "@eq 1" \
@ -57,12 +56,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -82,12 +81,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -107,12 +106,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|CLI Driver.*DB2|DB2 SQL error|db2_\w+\()" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -132,12 +131,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinity of:)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -157,12 +156,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -183,12 +182,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollback\." \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -208,12 +207,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -233,12 +232,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statement|com\.informix\.jdbc|Exception.*Informix)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -259,12 +258,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -285,12 +284,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -310,12 +309,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -335,12 +334,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -360,12 +359,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid MySQL|Column count doesn't match value count at row|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax;|You have an error in your SQL syntax near|MySQL server version for the right syntax to use|\[MySQL\]\[ODBC|Column count doesn't match|Table '[^']+' doesn't exist|SQL syntax.*MySQL|Warning.*mysql_.*|valid MySQL result|MySqlClient\.)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -385,12 +384,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:PostgreSQL query failed:|pg_query\(\) \[:|pg_exec\(\) \[:|PostgreSQL.*ERROR|Warning.*pg_.*|valid PostgreSQL result|Npgsql\.|PG::[a-zA-Z]*Error|Supplied argument is not a valid PostgreSQL .*? resource|Unable to connect to PostgreSQL server)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -410,12 +409,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite\.Exception|System\.Data\.SQLite\.SQLiteException)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -435,12 +434,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.*sybase.*|Sybase.*Server message.*)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -40,7 +40,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -67,7 +67,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -40,7 +40,7 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors.data" \
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -67,7 +67,7 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scan
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -97,13 +97,13 @@ SecRule RESPONSE_BODY "@rx <\?(?!xml)" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'ERROR',\
chain"
SecRule RESPONSE_BODY "!@rx (?:\x1f\x8b\x08|\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b|^wOF[F2])" \
"capture,\
t:none,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -38,7 +38,7 @@ SecRule RESPONSE_BODY "@rx [a-z]:\\\\inetpub\b" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -61,7 +61,7 @@ SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:<\/font
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -87,7 +87,7 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -110,13 +110,13 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'ERROR',\
chain"
SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" \
"capture,\
t:none,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -73,7 +73,7 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
t:none,\
msg:'Outbound Anomaly Score Exceeded (Total Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
tag:'anomaly-evaluation',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.anomaly_score=+%{tx.outbound_anomaly_score}'"


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -30,7 +30,7 @@ SecRule &TX:'/LEAKAGE\\\/ERRORS/' "@ge 1" \
log,\
msg:'Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
tag:'event-correlation',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'EMERGENCY',\
chain,\
skipAfter:END-CORRELATION"
@ -47,7 +47,7 @@ SecRule &TX:'/AVAILABILITY\\\/APP_NOT_AVAIL/' "@ge 1" \
log,\
msg:'Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
tag:'event-correlation',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'ALERT',\
chain,\
skipAfter:END-CORRELATION"
@ -61,7 +61,7 @@ SecAction \
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.executing_anomaly_score=%{tx.anomaly_score_pl1}',\
setvar:'tx.executing_anomaly_score=+%{tx.anomaly_score_pl2}',\
setvar:'tx.executing_anomaly_score=+%{tx.anomaly_score_pl3}',\
@ -76,7 +76,7 @@ SecRule TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_threshold}" \
noauditlog,\
msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',\
tag:'event-correlation',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule TX:MONITOR_ANOMALY_SCORE "@gt 1"
@ -89,7 +89,7 @@ SecRule TX:INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
noauditlog,\
msg:'Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',\
tag:'event-correlation',\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
"id:980140,\
@ -100,7 +100,7 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
noauditlog,\
msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',\
tag:'event-correlation',\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Creating a total sum of all triggered outbound rules, including the ones only being monitored
SecAction \
@ -110,7 +110,7 @@ SecAction \
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1}',\
setvar:'tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2}',\
setvar:'tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl3}',\
@ -125,7 +125,7 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@lt %{tx.outbound_anomaly_score_threshold}" \
noauditlog,\
msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',\
tag:'event-correlation',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule TX:MONITOR_ANOMALY_SCORE "@gt 1"


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2


@ -1,87 +1,75 @@
---
meta:
author: "csanders-git"
enabled: true
name: "911100.yaml"
description: "Description"
tests:
-
test_title: 911100-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"911100\""
-
test_title: 911100-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "OPTIONS"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"911100\""
-
test_title: 911100-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "HEAD"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"911100\""
-
test_title: 911100-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "test=value"
output:
no_log_contains: "id \"911100\""
-
test_title: 911100-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "TEST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"911100\""
-
test_title: 911100-6
desc: Method is not allowed by policy (911100) from old modsec regressions
stages:
-
stage:
meta:
author: "csanders-git"
enabled: true
name: "911100.yaml"
description: "Description"
tests:
- test_title: 911100-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"911100\""
- test_title: 911100-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "OPTIONS"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"911100\""
- test_title: 911100-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "HEAD"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"911100\""
- test_title: 911100-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "test=value"
output:
no_log_contains: "id \"911100\""
- test_title: 911100-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "TEST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"911100\""
- test_title: 911100-6
desc: Method is not allowed by policy (911100) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -99,13 +87,10 @@
version: HTTP/1.0
output:
log_contains: id "911100"
-
test_title: 911100-7
desc: Method is not allowed by policy (911100) from old modsec regressions
stages:
-
stage:
- test_title: 911100-7
desc: Method is not allowed by policy (911100) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -123,13 +108,10 @@
version: HTTP/1.0
output:
log_contains: id "911100"
-
test_title: 911100-8
desc: Method is not allowed by policy (911100) from old modsec regressions
stages:
-
stage:
- test_title: 911100-8
desc: Method is not allowed by policy (911100) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:


@ -1,94 +1,84 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 913100.yaml
tests:
-
test_title: 913100-1
meta:
author: csanders-git
description: None
enabled: true
name: 913100.yaml
tests:
- test_title: 913100-1
desc: Request Indicates a Security Scanner Scanned the Site (913100) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET
CLR 2.0.50727) Havij
method: GET
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "913100"
-
test_title: 913100-2
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij
method: GET
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "913100"
- test_title: 913100-2
desc: Request Indicates a Security Scanner Scanned the Site (913100) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Arachni/0.2.1
method: GET
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "913100"
-
test_title: 913100-3
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Arachni/0.2.1
method: GET
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "913100"
- test_title: 913100-3
desc: Request Indicates a Security Scanner Scanned the Site (913100) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: w3af.sourceforge.net
method: GET
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "913100"
-
test_title: 913100-4
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: w3af.sourceforge.net
method: GET
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "913100"
- test_title: 913100-4
desc: "Scanner identification based on User-agent field"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "nessus"
uri: "/"
output:
log_contains: id "913100"
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "nessus"
uri: "/"
output:
log_contains: id "913100"


@ -1,49 +1,43 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 913110.yaml
tests:
-
test_title: 913110-1
desc: Request Indicates a Security Scanner Scanned the Site (913110) from old modsec
regressions
meta:
author: csanders-git
description: None
enabled: true
name: 913110.yaml
tests:
- test_title: 913110-1
desc: Request Indicates a Security Scanner Scanned the Site (913110) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION)
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET
CLR 2.0.50727)
method: GET
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "913110"
-
test_title: 913110-2
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION)
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
method: GET
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "913110"
- test_title: 913110-2
desc: "Scanner identification based on custom header"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
X-Scanner: "whatever"
uri: "/"
output:
log_contains: id "913110"
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
X-Scanner: "whatever"
uri: "/"
output:
log_contains: id "913110"


@ -1,63 +1,55 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 913120.yaml
tests:
-
test_title: 913120-1
desc: Request Indicates a Security Scanner Scanned the Site (913120) from old modsec
regressions
meta:
author: csanders-git
description: None
enabled: true
name: 913120.yaml
tests:
- test_title: 913120-1
desc: Request Indicates a Security Scanner Scanned the Site (913120) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET
CLR 2.0.50727)
method: GET
port: 80
uri: /nessustest
version: HTTP/1.0
output:
log_contains: id "913120"
-
test_title: 913120-2
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
method: GET
port: 80
uri: /nessustest
version: HTTP/1.0
output:
log_contains: id "913120"
- test_title: 913120-2
desc: IBM fingerprint from (http://www-01.ibm.com/support/docview.wss?uid=swg21293132)
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
uri: /AppScan_fingerprint/MAC_ADDRESS_01234567890.html?9ABCDG1
version: HTTP/1.0
output:
log_contains: id "913120"
-
test_title: 913120-3
- stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
uri: /AppScan_fingerprint/MAC_ADDRESS_01234567890.html?9ABCDG1
version: HTTP/1.0
output:
log_contains: id "913120"
- test_title: 913120-3
desc: "Scanner identification based on uri"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
version: HTTP/1.0
uri: "/nessus_is_probing_you_"
output:
log_contains: id "913120"
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
version: HTTP/1.0
uri: "/nessus_is_probing_you_"
output:
log_contains: id "913120"


@ -1,218 +1,193 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920100.yaml"
description: "Tests to trigger, or not trigger 920100"
tests:
-
# Standard GET request
test_title: 920100-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/"
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""
-
# Request has tab (\t) before request method - Apache complains
# AH00126: Invalid URI in request GET / HTTP/1.1
test_title: 920100-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: " GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/"
version: "HTTP/1.1"
output:
status: 400
-
# Perfectly valid OPTIONS request
test_title: 920100-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "OPTIONS"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "*"
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""
-
# Valid CONNECT request however this is disabled by Apache default
test_title: 920100-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "CONNECT"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "1.2.3.4:80"
version: "HTTP/1.1"
output:
status: [405, 403]
-
# invalid Connect request, domains require ports
test_title: 920100-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "CONNECT"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "www.cnn.com"
version: "HTTP/1.1"
output:
status: 400
-
# This is an acceptable CONNECT request for SSL tunneling
test_title: 920100-6
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "CONNECT"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests #FP"
Host: "localhost"
protocol: "http"
uri: "www.cnn.com:80"
version: "HTTP/1.1"
output:
log_contains: "id \"920100\""
-
# Valid request with query and anchor components
test_title: 920100-7
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/index.html?I=Like&Apples=Today#tag"
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""
-
# The colon in the path is not allowed. Apache will block by default
# (20024)The given path is misformatted or contained invalid characters: [client 127.0.0.1:4142] AH00127: Cannot map GET /index.html:80?I=Like&Apples=Today#tag HTTP/1.1 to file
test_title: 920100-8
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/index.html:80?I=Like&Apples=Today#tag"
version: "HTTP/1.1"
output:
status: [400, 403]
-
# Normal Options request with path
test_title: 920100-9
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "OPTIONS"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/"
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""
-
# An invalid method with a long name
test_title: 920100-10
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "REALLYLONGUNREALMETHOD"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests # FN"
Host: "localhost"
protocol: "http"
uri: "/"
version: "HTTP/1.1"
output:
log_contains: "id \"920100\""
-
# An invalid request because a backslash is used in uri
# Apache will end up blocking this before it gets to CRS.
# We will need to support OR output tests to fix this
test_title: 920100-11
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests # FN"
Host: "localhost"
protocol: "http"
uri: "\\"
version: "HTTP/1.1"
output:
status: [403, 400]
#log_contains: "id \"920100\""
-
test_title: 920100-12
desc: Invalid HTTP Request Line (920100) - Test 1 from old modsec regressions
stages:
-
stage:
meta:
author: "csanders-git"
enabled: true
name: "920100.yaml"
description: "Tests to trigger, or not trigger 920100"
tests:
- # Standard GET request
test_title: 920100-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/"
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""
- # Request has tab (\t) before request method - Apache complains
# AH00126: Invalid URI in request GET / HTTP/1.1
test_title: 920100-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: " GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/"
version: "HTTP/1.1"
output:
status: [400]
- # Perfectly valid OPTIONS request
test_title: 920100-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "OPTIONS"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "*"
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""
- # Valid CONNECT request however this is disabled by Apache default
test_title: 920100-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "CONNECT"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "1.2.3.4:80"
version: "HTTP/1.1"
output:
status: [405, 403]
- # invalid Connect request, domains require ports
test_title: 920100-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "CONNECT"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "www.cnn.com"
version: "HTTP/1.1"
output:
status: [400]
- # This is an acceptable CONNECT request for SSL tunneling
test_title: 920100-6
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "CONNECT"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests #FP"
Host: "localhost"
protocol: "http"
uri: "www.cnn.com:80"
version: "HTTP/1.1"
output:
log_contains: "id \"920100\""
- # Valid request with query and anchor components
test_title: 920100-7
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/index.html?I=Like&Apples=Today#tag"
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""
- # The colon in the path is not allowed. Apache will block by default
# (20024)The given path is misformatted or contained invalid characters: [client 127.0.0.1:4142] AH00127: Cannot map GET /index.html:80?I=Like&Apples=Today#tag HTTP/1.1 to file
test_title: 920100-8
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/index.html:80?I=Like&Apples=Today#tag"
version: "HTTP/1.1"
output:
status: [400, 403]
- # Normal Options request with path
test_title: 920100-9
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "OPTIONS"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/"
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""
- # An invalid method with a long name
test_title: 920100-10
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "REALLYLONGUNREALMETHOD"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests # FN"
Host: "localhost"
protocol: "http"
uri: "/"
version: "HTTP/1.1"
output:
log_contains: "id \"920100\""
- # An invalid request because a backslash is used in uri
# Apache will end up blocking this before it gets to CRS.
# We will need to support OR output tests to fix this
test_title: 920100-11
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests # FN"
Host: "localhost"
protocol: "http"
uri: "\\"
version: "HTTP/1.1"
output:
status: [403, 400]
- test_title: 920100-12
desc: Invalid HTTP Request Line (920100) - Test 1 from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -226,13 +201,11 @@
uri: /
version: HTTP/1.1
output:
status: 400
-
test_title: 920100-13
desc: Invalid HTTP Request Line (920100) - Test 2 from old modsec regressions
stages:
-
stage:
status: [400]
- test_title: 920100-13
desc: Invalid HTTP Request Line (920100) - Test 2 from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -246,14 +219,12 @@
uri: \index.html
version: HTTP\1.0
output:
status: [403, 400]
# log_contains: id "920100"
-
test_title: 920100-14
desc: Invalid HTTP Request Line (920100) - Test 3 from old modsec regressions
stages:
-
stage:
status: [403, 400]
# log_contains: id "920100"
- test_title: 920100-14
desc: Invalid HTTP Request Line (920100) - Test 3 from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -268,12 +239,10 @@
version: HTTP/1.0
output:
log_contains: id "920100"
-
test_title: 920100-15
desc: Test as described in http://www.client9.com/article/five-interesting-injection-attacks/
stages:
-
stage:
- test_title: 920100-15
desc: Test as described in http://www.client9.com/article/five-interesting-injection-attacks/
stages:
- stage:
input:
dest_addr: 127.0.0.1
method: GET
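Review bot: Tests 920100-2, 920100-5, 920100-11, 920100-12 and 920100-13 assert only an HTTP status (`status: [400]` or `status: [403, 400]`), so they pass whenever the web server rejects the request on its own and give no evidence that rule 920100 is loaded or matches. The file's own comments say Apache blocks these requests before CRS sees them, and this change also drops the commented-out `#log_contains: "id \"920100\""` from 920100-11, which was the only record of the intended assertion. I would add a comment above each such `output:`, for example `# status-only: rejected by the web server before CRS; rule 920100 is not exercised here`, so the coverage gap stays visible to whoever relies on this suite as proof the rule works. The same applies to 920160-1 through 920160-3 in the file whose meta name is 920160.yaml, which is described as "Tests to trigger rule 920160" but never asserts a log entry for it. Tests 920100-12 to 920100-15 are only partly visible in these hunks.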


@ -1,43 +1,39 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920120.yaml"
description: "Tests to trigger rule 920120"
tests:
-
test_title: 920120-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "*/*"
Accept-Language: "en"
Connection: "close"
Referer: "http://localhost/"
Content-Type: "multipart/form-data; boundary=--------397236876"
data:
- "----------397236876"
- "Content-Disposition: form-data; name=\"fileRap\"; filename=\"file=.txt\""
- "Content-Type: text/plain"
- ""
- "555-555-0199@example.com"
- "----------397236876--"
protocol: "http"
output:
log_contains: "id \"920120\""
-
test_title: 920120-2
desc: Attempted multipart/form-data bypass (920120) from old modsec regressions
stages:
-
stage:
meta:
author: "csanders-git"
enabled: true
name: "920120.yaml"
description: "Tests to trigger rule 920120"
tests:
- test_title: 920120-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "*/*"
Accept-Language: "en"
Connection: "close"
Referer: "http://localhost/"
Content-Type: "multipart/form-data; boundary=--------397236876"
data: |
----------397236876
Content-Disposition: form-data; name="fileRap"; filename="file=.txt"
Content-Type: text/plain
555-555-0199@example.com
----------397236876--
protocol: "http"
output:
log_contains: "id \"920120\""
- test_title: 920120-2
desc: Attempted multipart/form-data bypass (920120) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -55,26 +51,24 @@
port: 80
uri: /cgi-bin/fup.cgi
version: HTTP/1.1
data:
- '-----------------------------627652292512397580456702590'
- 'Content-Disposition: form-data; name="fi=le"; filename="test"'
- 'Content-Type: text/plain'
- ''
- 'email: security@modsecurity.org'
- ''
- '-----------------------------627652292512397580456702590'
- 'Content-Disposition: form-data; name="note"'
- ''
- Contact info.
- '-----------------------------627652292512397580456702590--'
data: |
-----------------------------627652292512397580456702590
Content-Disposition: form-data; name="fi=le"; filename="test"
Content-Type: text/plain
email: security@modsecurity.org
-----------------------------627652292512397580456702590
Content-Disposition: form-data; name="note"
Contact info.
-----------------------------627652292512397580456702590--
output:
log_contains: id "920120"
-
test_title: 920120-3
desc: Invalid Request Body (920120) from old modsec regressions
stages:
-
stage:
- test_title: 920120-3
desc: Invalid Request Body (920120) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -91,21 +85,21 @@
port: 80
uri: /
version: HTTP/1.1
data:
- '-----------------------------265001916915724'
- 'Content-Disposition: form-data; name="fi;le"; filename="test"'
- 'Content-Type: application/octet-stream'
- ''
- Rotem & Ayala
- ''
- '-----------------------------265001916915724'
- 'Content-Disposition: form-data; name="name"'
- ''
- tt2
- '-----------------------------265001916915724'
- 'Content-Disposition: form-data; name="B1"'
- ''
- Submit
- '-----------------------------265001916915724--'
data: |
-----------------------------265001916915724
Content-Disposition: form-data; name="fi;le"; filename="test"
Content-Type: application/octet-stream
Rotem & Ayala
-----------------------------265001916915724
Content-Disposition: form-data; name="name"
t2
-----------------------------265001916915724
Content-Disposition: form-data; name="B1"
Submit
-----------------------------265001916915724--
output:
log_contains: id "920120"
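Review bot: Converting `data:` from a list of lines to a `|` literal block changes the request body in 920120-1, 920120-2 and 920120-3, and in 920120-3 the form value `tt2` has become `t2`, which looks like a transcription slip rather than an intended change; I would restore `tt2`. As rendered here the new blocks also show no empty line where the old lists had `- ''` between each part's headers and its content; the page may simply have dropped blank lines, but it is worth confirming in the file, because a multipart part without that separator is parsed differently. A literal block joins lines with LF, and whether the test runner converts that to the CRLF a multipart body uses is not visible in this diff. A short comment above each block, such as `# keep the empty line between part headers and content; body is sent as written`, would help keep these payloads matching for the filename check they were written for.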


@ -1,73 +1,65 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920160.yaml"
description: "Tests to trigger rule 920160"
tests:
-
# Non digit Content-Length without content-type
test_title: 920160-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Length: "NotDigits"
protocol: "http"
uri: "/"
output:
status: 400
-
# Non digit content-length with content-type
test_title: 920160-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "NotDigits"
protocol: "http"
uri: "/"
output:
status: 400
-
# Mixed digit and non digit content length
test_title: 920160-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "123x"
protocol: "http"
uri: "/"
output:
status: 400
-
# Apache auto corrects for this error now so the log should not contain anything
test_title: 920160-4
desc: Content-Length HTTP header is not numeric (920160) from old modsec regressions
stages:
-
stage:
meta:
author: "csanders-git"
enabled: true
name: "920160.yaml"
description: "Tests to trigger rule 920160"
tests:
- # Non digit Content-Length without content-type
test_title: 920160-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Length: "NotDigits"
protocol: "http"
uri: "/"
output:
status: [400]
- # Non digit content-length with content-type
test_title: 920160-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "NotDigits"
protocol: "http"
uri: "/"
output:
status: [400]
- # Mixed digit and non digit content length
test_title: 920160-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "123x"
protocol: "http"
uri: "/"
output:
status: [400]
- # Apache auto corrects for this error now so the log should not contain anything
test_title: 920160-4
desc: Content-Length HTTP header is not numeric (920160) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -86,14 +78,12 @@
version: HTTP/1.0
data: abc
output:
status: 200
status: [200]
no_log_contains: id "920160"
-
test_title: 920160-5
desc: Content-Length HTTP header is not numeric (920160) from old modsec regressions
stages:
-
stage:
- test_title: 920160-5
desc: Content-Length HTTP header is not numeric (920160) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:


@ -1,112 +1,100 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920170.yaml"
description: "A Selection of tests to trigger rule 920170"
tests:
-
# POST Request with data (valid)
test_title: 920170-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
uri: "/"
output:
no_log_contains: "id \"920170\""
-
# GET request with data
test_title: 920170-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
uri: "/"
output:
log_contains: "id \"920170\""
-
# Head Request with data
test_title: 920170-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "HEAD"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
uri: "/"
output:
log_contains: "id \"920170\""
-
# GET Request but content length is 0 and data is provided
# Weird HTTP 1.0 support bug in Apache, without newline causes 408
test_title: 920170-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests # Possibly shouldn't pass"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "0"
data: "hi=test\r\n"
stop_magic: true
protocol: "http"
uri: "/"
output:
no_log_contains: "id \"920170\""
-
# GET request with content length 0 and no data.
test_title: 920170-6
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "0"
data: ""
protocol: "http"
uri: "/"
output:
no_log_contains: "id \"920170\""
-
test_title: 920170-7
desc: GET or HEAD Request with Body Content (920170) from old modsec regressions
stages:
-
stage:
meta:
author: "csanders-git"
enabled: true
name: "920170.yaml"
description: "A Selection of tests to trigger rule 920170"
tests:
- # POST Request with data (valid)
test_title: 920170-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
uri: "/"
output:
no_log_contains: "id \"920170\""
- # GET request with data
test_title: 920170-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
uri: "/"
output:
log_contains: "id \"920170\""
- # Head Request with data
test_title: 920170-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "HEAD"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
uri: "/"
output:
log_contains: "id \"920170\""
- # GET Request but content length is 0 and data is provided
# Weird HTTP 1.0 support bug in Apache, without newline causes 408
test_title: 920170-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests # Possibly shouldn't pass"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "0"
data: "hi=test\r\n"
stop_magic: true
protocol: "http"
uri: "/"
output:
no_log_contains: "id \"920170\""
- # GET request with content length 0 and no data.
test_title: 920170-6
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "0"
data: ""
protocol: "http"
uri: "/"
output:
no_log_contains: "id \"920170\""
- test_title: 920170-7
desc: GET or HEAD Request with Body Content (920170) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:


@ -1,53 +1,47 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920180.yaml"
description: "Description"
tests:
-
test_title: 920180-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
protocol: "http"
stop_magic: true
uri: "/"
output:
log_contains: id "920180"
-
test_title: 920180-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
protocol: "http"
uri: "/"
output:
no_log_contains: id "920180"
-
test_title: 920180-3
desc: POST request missing Content-Length Header (920180) from old modsec regressions
stages:
-
stage:
meta:
author: "csanders-git"
enabled: true
name: "920180.yaml"
description: "Description"
tests:
- test_title: 920180-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
protocol: "http"
stop_magic: true
uri: "/"
output:
log_contains: id "920180"
- test_title: 920180-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
protocol: "http"
uri: "/"
output:
no_log_contains: id "920180"
- test_title: 920180-3
desc: POST request missing Content-Length Header (920180) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -65,12 +59,10 @@
version: HTTP/1.0
output:
log_contains: id "920180"
-
test_title: 920180-4
desc: Ignore check of CT header if protocol is HTTP/2
stages:
-
stage:
- test_title: 920180-4
desc: Ignore check of CT header if protocol is HTTP/2
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
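Review bot: The `description` in the rewritten meta block is still the placeholder `"Description"`, so the file header does not say what rule 920180 is about. Since the header is being rewritten anyway, I would fill it in from the wording the tests already use, e.g. `description: "Tests for 920180 (POST request missing Content-Length header)"`. The same placeholder is left in the 920181, 920190, 920200, 920230, 920240, 920250 and 920260 sections.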


@ -1,35 +1,33 @@
---
meta:
author: "fgsch"
enabled: true
name: "920181.yaml"
description: "Description"
tests:
-
test_title: 920181-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
uri: "/"
headers:
Host: "localhost"
Accept: "*/*"
Content-Length: 7
Content-Type: "application/x-www-form-urlencoded"
Transfer-Encoding: "chunked"
User-Agent: "ModSecurity CRS 3 Tests"
data:
- "7"
- "foo=bar"
- "0"
- ""
- ""
stop_magic: true
output:
# Apache unsets the Content-Length header if
# Transfer-Encoding is found!
no_log_contains: id "920181"
meta:
author: "fgsch"
enabled: true
name: "920181.yaml"
description: "Description"
tests:
- test_title: 920181-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
uri: "/"
headers:
Host: "localhost"
Accept: "*/*"
Content-Length: 7
Content-Type: "application/x-www-form-urlencoded"
Transfer-Encoding: "chunked"
User-Agent: "ModSecurity CRS 3 Tests"
data: |
7
foo=bar
0
stop_magic: true
output:
# Apache unsets the Content-Length header if
# Transfer-Encoding is found!
no_log_contains: id "920181"
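Review bot: The chunked body in 920181-1 may no longer end the way the old list form did. The list finished with two empty strings after the `0` chunk, whereas a `|` block scalar uses clip chomping and keeps only one newline after the last content line, so any blank lines written after `0` are dropped. With `stop_magic: true` the body is presumably sent as written, so the request could go out without the empty line that closes the last chunk, and the test would then check a truncated body rather than the Content-Length/Transfer-Encoding case the comment in `output` describes. I would write `data: |+` and keep the trailing blank lines, or use a double-quoted scalar that spells out the line endings. How the runner translates line endings in `data` is not visible on this page and should be confirmed.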


@ -1,33 +1,29 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920190.yaml"
description: "Description"
tests:
-
test_title: 920190-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Range: "0-1"
protocol: "http"
uri: "/"
output:
no_log_contains: id "920190"
-
test_title: 920190-2
desc: 'Range: Invalid Last Byte Value (920190) from old modsec regressions'
stages:
-
stage:
meta:
author: "csanders-git"
enabled: true
name: "920190.yaml"
description: "Description"
tests:
- test_title: 920190-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Range: "0-1"
protocol: "http"
uri: "/"
output:
no_log_contains: id "920190"
- test_title: 920190-2
desc: 'Range: Invalid Last Byte Value (920190) from old modsec regressions'
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:


@ -1,87 +1,75 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920200.yaml"
description: "Description"
tests:
-
test_title: 920200-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Range: "bytes=1-10,11-20,21-30,31-40,41-50,51-60"
output:
log_contains: "id \"920200\""
-
# Sample taken from https://github.com/alienwithin/php-utilities/blob/master/apache-byte-range-server-dos/apache_byte_range_server_dos.php
test_title: 920200-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Request-Range: "bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10,11-11"
output:
log_contains: "id \"920200\""
-
test_title: 920200-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Range: "bytes=1-10, 11-20, 21-30, 31-40, 41-50"
output:
no_log_contains: "id \"920200\""
-
test_title: 920200-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests #FP"
Host: "localhost"
Range: "bytes=-10,-, 21-30,31-40,41-50,51-500,"
output:
log_contains: "id \"920200\""
-
test_title: 920200-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests #FP"
Host: "localhost"
Range: "bytes=1-,11-20, 21-30,31-40,41-50,51-500"
output:
log_contains: "id \"920200\""
-
test_title: 920200-6
desc: 'Range: Too many fields (920200) from old modsec regressions'
stages:
-
stage:
meta:
author: "csanders-git"
enabled: true
name: "920200.yaml"
description: "Description"
tests:
- test_title: 920200-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Range: "bytes=1-10,11-20,21-30,31-40,41-50,51-60"
output:
log_contains: "id \"920200\""
- # Sample taken from https://github.com/alienwithin/php-utilities/blob/master/apache-byte-range-server-dos/apache_byte_range_server_dos.php
test_title: 920200-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Request-Range: "bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10,11-11"
output:
log_contains: "id \"920200\""
- test_title: 920200-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Range: "bytes=1-10, 11-20, 21-30, 31-40, 41-50"
output:
no_log_contains: "id \"920200\""
- test_title: 920200-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests #FP"
Host: "localhost"
Range: "bytes=-10,-, 21-30,31-40,41-50,51-500,"
output:
log_contains: "id \"920200\""
- test_title: 920200-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests #FP"
Host: "localhost"
Range: "bytes=1-,11-20, 21-30,31-40,41-50,51-500"
output:
log_contains: "id \"920200\""
- test_title: 920200-6
desc: 'Range: Too many fields (920200) from old modsec regressions'
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -100,12 +88,10 @@
version: HTTP/1.1
output:
log_contains: id "920200"
-
test_title: 920200-7
desc: This should PASS (PL2)
stages:
-
stage:
- test_title: 920200-7
desc: This should PASS (PL2)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -117,12 +103,10 @@
uri: /index.html
output:
no_log_contains: id "920200"
-
test_title: 920200-8
desc: "This should FAIL with rule 920200 (PL2)"
stages:
-
stage:
- test_title: 920200-8
desc: "This should FAIL with rule 920200 (PL2)"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -134,12 +118,10 @@
uri: /index.html
output:
log_contains: id "920200"
-
test_title: 920200-9
desc: This should PASS (PL2)
stages:
-
stage:
- test_title: 920200-9
desc: This should PASS (PL2)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -151,12 +133,10 @@
uri: /index.pdf
output:
no_log_contains: id "920200"
-
test_title: 920200-10
desc: This should PASS (PL2)
stages:
-
stage:
- test_title: 920200-10
desc: This should PASS (PL2)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
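Review bot: Tests 920200-4 and 920200-5 record their status only as `#FP` inside the `User-Agent` value while expecting `log_contains: "id \"920200\""`. A reader cannot tell whether these are accepted false positives or detections that are meant to stay, and the marker is part of the request rather than of the test description. I would move it into a `desc` field, for example `desc: "Known false positive for 920200"` (wording to be confirmed by the rule author, since `#FP` is only presumably "false positive"), and keep the header value as the plain `"ModSecurity CRS 3 Tests"`. The same in-header annotation appears in 920170-5 (`# Possibly shouldn't pass`) and 920240-2 (`#FN This should Trigger`).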


@ -1,16 +1,14 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920201.yaml"
description: "Tests for 920201"
tests:
-
test_title: 920201-1
desc: This should FAIL with rule 920201 (PL2)
stages:
-
stage:
meta:
author: "csanders-git"
enabled: true
name: "920201.yaml"
description: "Tests for 920201"
tests:
- test_title: 920201-1
desc: This should FAIL with rule 920201 (PL2)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:


@ -1,16 +1,14 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920202.yaml"
description: "Tests for 920202"
tests:
-
test_title: 920202-1
desc: This should FAIL with rule 920202 (PL4)
stages:
-
stage:
meta:
author: "csanders-git"
enabled: true
name: "920202.yaml"
description: "Tests for 920202"
tests:
- test_title: 920202-1
desc: This should FAIL with rule 920202 (PL4)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:


@ -1,87 +1,74 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920210.yaml"
description: "Tests that trigger rule 920210"
tests:
-
test_title: 920210-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "keep-alive"
output:
no_log_contains: "id \"920210\""
-
test_title: 920210-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "keep-alive,keep-alive"
output:
log_contains: "id \"920210\""
-
test_title: 920210-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "keep-alive,close"
output:
log_contains: "id \"920210\""
-
test_title: 920210-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "close,close"
output:
log_contains: "id \"920210\""
-
test_title: 920210-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "User-Agent"
output:
no_log_contains: "id \"920210\""
-
test_title: 920210-6
desc: Multiple/Conflicting Connection Header Data Found (920210) from old modsec
regressions
stages:
-
stage:
meta:
author: "csanders-git"
enabled: true
name: "920210.yaml"
description: "Tests that trigger rule 920210"
tests:
- test_title: 920210-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "keep-alive"
output:
no_log_contains: "id \"920210\""
- test_title: 920210-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "keep-alive,keep-alive"
output:
log_contains: "id \"920210\""
- test_title: 920210-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "keep-alive,close"
output:
log_contains: "id \"920210\""
- test_title: 920210-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "close,close"
output:
log_contains: "id \"920210\""
- test_title: 920210-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "User-Agent"
output:
no_log_contains: "id \"920210\""
- test_title: 920210-6
desc: Multiple/Conflicting Connection Header Data Found (920210) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -99,13 +86,10 @@
version: HTTP/1.1
output:
log_contains: id "920210"
-
test_title: 920210-7
desc: Multiple/Conflicting Connection Header Data Found (920210) from old modsec
regressions
stages:
-
stage:
- test_title: 920210-7
desc: Multiple/Conflicting Connection Header Data Found (920210) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:


@ -1,82 +1,72 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920220.yaml"
description: "Tests to trigger rule 920220"
tests:
-
# This gets a percent but not a number after, invalid
test_title: 920220-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?x=%w20"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920220\""
-
# We have a valid percent encoding here
test_title: 920220-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?x=xyz%20%99"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920220\""
-
# url encoding includes spaces as plusses, this is valid
test_title: 920220-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=This+is+a+test"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920220\""
-
# testURL Encoding Abuse Attack Attempt from old modsec regressions
test_title: 920220-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?parm=%7%6F%6D%65%74%65%78%74%5F%31%32%33%"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920220\""
-
# testURL Encoding Abuse Attack Attempt from old modsec regressions
test_title: 920220-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?parm=%1G"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920220\""
meta:
author: "csanders-git"
enabled: true
name: "920220.yaml"
description: "Tests to trigger rule 920220"
tests:
- # This gets a percent but not a number after, invalid
test_title: 920220-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?x=%w20"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920220\""
- # We have a valid percent encoding here
test_title: 920220-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?x=xyz%20%99"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920220\""
- # url encoding includes spaces as plusses, this is valid
test_title: 920220-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=This+is+a+test"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920220\""
- # testURL Encoding Abuse Attack Attempt from old modsec regressions
test_title: 920220-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?parm=%7%6F%6D%65%74%65%78%74%5F%31%32%33%"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920220\""
- # testURL Encoding Abuse Attack Attempt from old modsec regressions
test_title: 920220-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?parm=%1G"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920220\""


@ -1,47 +1,43 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920230.yaml"
description: "Description"
tests:
-
# From old modsec regression tests
test_title: 920230-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?parm=%25%37%33%25%36%46%25%36%44%25%36%35%25%37%34%25%36%35%25%37%38%25%37%34%25%35%46%25%33%31%25%33%32%25%33%33%25%33%34"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920230\""
-
# From old modsec regression tests
test_title: 920230-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?parm=%7%6F%6D%65%74%65%78%74%5F%31%32%33%"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
no_log_contains: "id \"920230\""
meta:
author: "csanders-git"
enabled: true
name: "920230.yaml"
description: "Description"
tests:
- # From old modsec regression tests
test_title: 920230-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?parm=%25%37%33%25%36%46%25%36%44%25%36%35%25%37%34%25%36%35%25%37%38%25%37%34%25%35%46%25%33%31%25%33%32%25%33%33%25%33%34"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920230\""
- # From old modsec regression tests
test_title: 920230-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?parm=%7%6F%6D%65%74%65%78%74%5F%31%32%33%"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
no_log_contains: "id \"920230\""


@ -1,136 +1,123 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920240.yaml"
description: "Description"
tests:
-
test_title: 920240-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: 11
data: "x=new %w20$"
stop_magic: true
output:
log_contains: "id \"920240\""
-
test_title: 920240-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests #FN This should Trigger"
Host: "localhost%00"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: 10
data: "x=new %20$"
stop_magic: true
output:
no_log_contains: "id \"920240\""
-
test_title: 920240-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "param=value"
output:
no_log_contains: "id \"920240\""
-
# We have a valid percent encoding here
test_title: 920240-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
Content-Type: "text/xml"
data:
- "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">"
- " <SOAP-ENV:Body>"
- " <xkms:StatusRequest xmlns:xkms=\"http://www.w3.org/2002/03/xkms#\" Id=\"_6ee48478-fdd6-4d7d-b1bf-e7b4c3254659\" ResponseId=\"_c1c36b3f-f962-4aea-bfbd-07ed58468c9b\" Service=\"http://www.soapclient.com/xml/xkms2\">"
- " <xkms:ResponseMechanism>http://www.w3.org/2002/03/xkms#Pending</xkms:ResponseMechanism>"
- " <xkms:RespondWith>%1Gwww.attack.org</xkms:RespondWith>"
- " </xkms:StatusRequest>"
- " </SOAP-ENV:Body>"
- "</SOAP-ENV:Envelope>"
output:
no_log_contains: "id \"920240\""
-
# test URL Encoding Abuse Attack Attempt from old regression tests
test_title: 920240-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "9"
data: "param=%1G"
stop_magic: true
output:
log_contains: "id \"920240\""
-
# test URL Encoding Abuse Attack Attempt from old regression tests
test_title: 920240-6
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
Content-Type: "application/x-www-form-urlencoded"
data: "param=%7%6F%6D%65%74%65%78%74%5F%31%32%33%"
output:
log_contains: "id \"920240\""
meta:
author: "csanders-git"
enabled: true
name: "920240.yaml"
description: "Description"
tests:
- test_title: 920240-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: 11
data: "x=new %w20$"
stop_magic: true
output:
log_contains: "id \"920240\""
- test_title: 920240-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests #FN This should Trigger"
Host: "localhost%00"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: 10
data: "x=new %20$"
stop_magic: true
output:
no_log_contains: "id \"920240\""
- test_title: 920240-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "param=value"
output:
no_log_contains: "id \"920240\""
- # We have a valid percent encoding here
test_title: 920240-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
Content-Type: "text/xml"
data: |
<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">
<SOAP-ENV:Body>
<xkms:StatusRequest xmlns:xkms=\"http://www.w3.org/2002/03/xkms#\" Id=\"_6ee48478-fdd6-4d7d-b1bf-e7b4c3254659\" ResponseId=\"_c1c36b3f-f962-4aea-bfbd-07ed58468c9b\" Service=\"http://www.soapclient.com/xml/xkms2\">
<xkms:ResponseMechanism>http://www.w3.org/2002/03/xkms#Pending</xkms:ResponseMechanism>
<xkms:RespondWith>%1Gwww.attack.org</xkms:RespondWith>
</xkms:StatusRequest>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
output:
no_log_contains: "id \"920240\""
- # test URL Encoding Abuse Attack Attempt from old regression tests
test_title: 920240-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "9"
data: "param=%1G"
stop_magic: true
output:
log_contains: "id \"920240\""
- # test URL Encoding Abuse Attack Attempt from old regression tests
test_title: 920240-6
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
Content-Type: "application/x-www-form-urlencoded"
data: "param=%7%6F%6D%65%74%65%78%74%5F%31%32%33%"
output:
log_contains: "id \"920240\""
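Review bot: In 920240-4 the request body moved from double-quoted list items to a `|` block scalar, but the `\"` escapes were carried over unchanged. A literal block scalar does no backslash processing, so the body now contains backslash-quote pairs and is no longer well-formed XML. The test expects `no_log_contains: "id \"920240\""`, so it will presumably keep passing while sending a different payload than before. The backslashes should be dropped on the `SOAP-ENV:Envelope` and `xkms:StatusRequest` lines, e.g. `xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"`. The comment above the test also calls the percent encoding valid although the body carries `%1G`; if the intent is that an XML body is not inspected by this rule, `# invalid %1G inside a text/xml body must not trigger 920240` would say so.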


@ -1,68 +1,62 @@
---
meta:
author: "csanders-git"
enabled: false
name: "920250.yaml"
description: "Description"
tests:
-
# crs-setup.conf needs to have CRS_VALIDATE_UTF8_ENCODING set
# Taken from existing modsec regression
test_title: 920250-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?param=%c0%af"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920250\""
-
# Taken from existing modsec regression
test_title: 920250-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?param=%c0"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920250\""
-
# Taken from existing modsec regression
test_title: 920250-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?param=%F5%80%BF%BF"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920250\""
meta:
author: "csanders-git"
enabled: false
name: "920250.yaml"
description: "Description"
tests:
- # crs-setup.conf needs to have CRS_VALIDATE_UTF8_ENCODING set
# Taken from existing modsec regression
test_title: 920250-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?param=%c0%af"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920250\""
- # Taken from existing modsec regression
test_title: 920250-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?param=%c0"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920250\""
- # Taken from existing modsec regression
test_title: 920250-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?param=%F5%80%BF%BF"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920250\""
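Review bot: `enabled: false` is kept on this file with no reason next to it, so the three invalid-UTF-8 cases (`%c0%af`, `%c0`, `%F5%80%BF%BF`) presumably do not run and rule 920250 has no regression coverage from this file. The only hint is the comment on 920250-1 that crs-setup.conf needs CRS_VALIDATE_UTF8_ENCODING set. If that is the reason, I would state it at the switch: `enabled: false  # requires CRS_VALIDATE_UTF8_ENCODING in crs-setup.conf`. Whether the new test runner honours `meta.enabled` is not visible on this page and is worth confirming, since otherwise these tests would start running against a setup that cannot satisfy them.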


@ -1,56 +1,50 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920260.yaml"
description: "Description"
tests:
-
test_title: 920260-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=%uff0F"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920260\""
-
test_title: 920260-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=%u0F"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920260\""
-
# Test taken from existing modsec regression
test_title: 920260-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?param=foo%uFF01"
version: "HTTP/1.0"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920260\""
meta:
author: "csanders-git"
enabled: true
name: "920260.yaml"
description: "Description"
tests:
- test_title: 920260-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=%uff0F"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920260\""
- test_title: 920260-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=%u0F"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920260\""
- # Test taken from existing modsec regression
test_title: 920260-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?param=foo%uFF01"
version: "HTTP/1.0"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920260\""


@ -1,143 +1,125 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920270.yaml"
description: "Description"
tests:
-
test_title: 920270-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%00=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920270\""
-
test_title: 920270-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%00"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920270\""
-
test_title: 920270-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%00=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920270\""
-
# This causes apache to error before it gets to CRS. Therefore
# we'll mark this as a status 400 now until the FTW OR output is added
test_title: 920270-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost%00"
output:
status: [403, 400]
# log_contains: "id \"920270\""
-
test_title: 920270-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Referer: "anything%00"
output:
log_contains: "id \"920270\""
-
test_title: 920270-6
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%40=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920270\""
-
test_title: 920270-7
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%FD=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920270\""
-
test_title: 920270-8
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%FD=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920270\""
-
# Test converted from old tests
test_title: 920270-9
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?param=foo%00"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920270\""
meta:
author: "csanders-git"
enabled: true
name: "920270.yaml"
description: "Description"
tests:
- test_title: 920270-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%00=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920270\""
- test_title: 920270-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%00"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920270\""
- test_title: 920270-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%00=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920270\""
- # This causes apache to error before it gets to CRS. Therefore
# we'll mark this as a status 400 now until the FTW OR output is added
test_title: 920270-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost%00"
output:
status: [403, 400]
# log_contains: "id \"920270\""
- test_title: 920270-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Referer: "anything%00"
output:
log_contains: "id \"920270\""
- test_title: 920270-6
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%40=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920270\""
- test_title: 920270-7
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%FD=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920270\""
- test_title: 920270-8
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%FD=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920270\""
- # Test converted from old tests
test_title: 920270-9
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?param=foo%00"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920270\""
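Review bot: Test 920270-4 asserts only `status: [403, 400]` while `# log_contains: "id \"920270\""` stays commented out, so by the test's own comment Apache's 400 satisfies it without rule 920270 ever being evaluated, and a regression in the rule would go unnoticed. The same status-only pattern appears in 920272-5 (`status: [403, 404]`), 920290-1 (`status: [403, 400]`) and 920274-1, where `status: [200, 403, 400]` additionally accepts a request that was let through. If the runner can target a backend that hands these requests to the rule engine, I would assert the rule id there, e.g. `log_contains: "id \"920270\""`; otherwise the comment should say plainly that the case gives no coverage of the rule on Apache. These files appear to come from the upstream coreruleset release, so the change probably belongs upstream.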


@ -1,92 +1,80 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920271.yaml"
description: "Description"
tests:
-
test_title: 920271-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%127"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920271\""
-
test_title: 920271-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%03"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920271\""
-
test_title: 920271-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%00=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920271\""
-
test_title: 920271-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cookie: hi%13=bye
output:
log_contains: "id \"920271\""
-
test_title: 920271-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/%20index.html?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920271\""
-
test_title: 920271-6
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/%FFindex.html?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920271\""
meta:
author: "csanders-git"
enabled: true
name: "920271.yaml"
description: "Description"
tests:
- test_title: 920271-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%127"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920271\""
- test_title: 920271-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%03"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920271\""
- test_title: 920271-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%00=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920271\""
- test_title: 920271-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cookie: hi%13=bye
output:
log_contains: "id \"920271\""
- test_title: 920271-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/%20index.html?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920271\""
- test_title: 920271-6
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/%FFindex.html?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920271\""


@ -1,79 +1,68 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920272.yaml"
description: "Description"
tests:
-
test_title: 920272-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%25"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920272\""
-
test_title: 920272-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%80"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920272\""
-
test_title: 920272-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/index.html?test=t%FFest1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920272\""
-
test_title: 920272-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%35"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920272\""
-
# This will not trigger with Apache because Apache will block with AH00127
#(22)Invalid argument: [client 127.0.0.1:47427] AH00127: Cannot map GET /i%FFndex.html?test=test1 HTTP/1.1 to file. It will return a 404 instead so we accept either.
test_title: 920272-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/i%FFndex.html?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
status: [403, 404]
meta:
author: "csanders-git"
enabled: true
name: "920272.yaml"
description: "Description"
tests:
- test_title: 920272-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%25"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920272\""
- test_title: 920272-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%80"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920272\""
- test_title: 920272-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/index.html?test=t%FFest1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920272\""
- test_title: 920272-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%35"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920272\""
- # This will not trigger with Apache because Apache will block with AH00127
test_title: 920272-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/i%FFndex.html?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
status: [403, 404]
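Review bot: The comment on 920272-5 lost its second line in this update, and with it the reason `404` is in `status: [403, 404]`: the old text said Apache answers 404 because it cannot map the request to a file. I would keep a short form of it, for example `# Apache returns 404 (AH00127: cannot map the request to a file), so either status is accepted`. Without it the accepted 404 reads like a mistake, and the next editor may tighten the list and break the test on Apache.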


@ -1,79 +1,69 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920273.yaml"
description: "Description"
tests:
-
test_title: 920273-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%20"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920273\""
-
# the '&' is one of the only symbol allowed
test_title: 920273-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1&test=t"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920273\""
-
test_title: 920273-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/index.html?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
data: "<hello"
output:
log_contains: "id \"920273\""
-
test_title: 920273-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%5FHI"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920273\""
-
test_title: 920273-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%60HI"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920273\""
meta:
author: "csanders-git"
enabled: true
name: "920273.yaml"
description: "Description"
tests:
- test_title: 920273-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%20"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920273\""
- # the '&' is one of the only symbol allowed
test_title: 920273-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1&test=t"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920273\""
- test_title: 920273-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/index.html?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
data: "<hello"
output:
log_contains: "id \"920273\""
- test_title: 920273-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%5FHI"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920273\""
- test_title: 920273-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%60HI"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920273\""


@ -1,85 +1,75 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920274.yaml"
description: "Description"
tests:
-
# Apache will just error on this and return 400
# as a result we look for forbidden or 400
# In the future FTW should support OR versus AND output
# https://github.com/CRS-support/ftw/issues/19
test_title: 920274-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost%1F"
output:
status: [200, 403, 400]
# log_contains: "id \"920274\""
-
test_title: 920274-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/index.html?test=test1"
headers:
User-Agent: "<ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920274\""
-
test_title: 920274-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1HI"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Test: "ThisISATEST%5F"
output:
no_log_contains: "id \"920274\""
-
test_title: 920274-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1HI"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Test: "ThisIsATest%60"
output:
log_contains: "id \"920274\""
-
test_title: 920274-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1HI"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cookie: "ThisIsATest%60"
output:
no_log_contains: "id \"920274\""
meta:
author: "csanders-git"
enabled: true
name: "920274.yaml"
description: "Description"
tests:
- # Apache will just error on this and return 400
# as a result we look for forbidden or 400
# In the future FTW should support OR versus AND output
# https://github.com/CRS-support/ftw/issues/19
test_title: 920274-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost%1F"
output:
status: [200, 403, 400]
# log_contains: "id \"920274\""
- test_title: 920274-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/index.html?test=test1"
headers:
User-Agent: "<ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920274\""
- test_title: 920274-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1HI"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Test: "ThisISATEST%5F"
output:
no_log_contains: "id \"920274\""
- test_title: 920274-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1HI"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Test: "ThisIsATest%60"
output:
log_contains: "id \"920274\""
- test_title: 920274-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1HI"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cookie: "ThisIsATest%60"
output:
no_log_contains: "id \"920274\""


@ -1,47 +1,41 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920280.yaml"
description: "Description"
tests:
-
test_title: 920280-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "HTTP/1.0"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
output:
log_contains: "id \"920280\""
-
test_title: 920280-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920280\""
-
test_title: 920280-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "HTTP/0.9"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
output:
# Technically valid but Apache doesn't allow 0.9 anymore
status: 400
meta:
author: "csanders-git"
enabled: true
name: "920280.yaml"
description: "Description"
tests:
- test_title: 920280-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "HTTP/1.0"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
output:
log_contains: "id \"920280\""
- test_title: 920280-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920280\""
- test_title: 920280-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "HTTP/0.9"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
output:
# Technically valid but Apache doesn't allow 0.9 anymore
status: [400]


@ -1,51 +1,21 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920290.yaml"
description: "Description"
tests:
-
# Apache will block this with a 400 and it will
# never get to CRS. We will fix this more when
# FTW supports the OR operator for outputs.
test_title: 920290-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: ""
output:
status: [403, 400]
#log_contains: "id \"920290\""
#-
#test_title: 920290-2
#stages:
# -
# stage:
# input:
# dest_addr: "127.0.0.1"
# port: 80
# headers:
# User-Agent: "ModSecurity CRS 3 Tests"
# Host: "%00"
# output:
# no_log_contains: "id \"920290\""
# -
# test_title: 920290-3
# stages:
# -
# stage:
# input:
# dest_addr: "127.0.0.1"
# port: 80
# headers:
# User-Agent: "ModSecurity CRS 3 Tests"
# Host: "localhost"
# output:
# no_log_contains: "id \"920290\""
meta:
author: "csanders-git"
enabled: true
name: "920290.yaml"
description: "Description"
tests:
- # Apache will block this with a 400 and it will
# never get to CRS. We will fix this more when
# FTW supports the OR operator for outputs.
test_title: 920290-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: ""
output:
status: [403, 400]


@ -1,30 +1,28 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 920300.yaml
tests:
-
test_title: 920300-1
meta:
author: csanders-git
description: None
enabled: true
name: 920300.yaml
tests:
- test_title: 920300-1
desc: Request Missing an Accept Header (920300) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.0
data: ''
output:
log_contains: id "920300"
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.0
data: ''
output:
log_contains: id "920300"


@ -1,93 +1,80 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920310.yaml"
description: "Description"
tests:
-
test_title: 920310-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: ""
output:
log_contains: "id \"920310\""
-
test_title: 920310-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "OPTIONS"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: ""
output:
no_log_contains: "id \"920310\""
-
test_title: 920310-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests Enterprise"
Host: "localhost"
Accept: ""
output:
no_log_contains: "id \"920310\""
-
test_title: 920310-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: lol
Host: "localhost"
Accept: ""
output:
log_contains: "id \"920310\""
-
test_title: 920310-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "Business/6.6.1.2 CFNetwork/758.5.3 Darwin/15.6.0"
Host: "localhost"
Accept: ""
output:
no_log_contains: "id \"920310\""
-
test_title: 920310-6
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "Entreprise/6.5.0.177 CFNetwork/758.4.3 Darwin/15.5.0"
Host: "localhost"
Accept: ""
output:
no_log_contains: "id \"920310\""
meta:
author: "csanders-git"
enabled: true
name: "920310.yaml"
description: "Description"
tests:
- test_title: 920310-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: ""
output:
log_contains: "id \"920310\""
- test_title: 920310-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "OPTIONS"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: ""
output:
no_log_contains: "id \"920310\""
- test_title: 920310-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests Enterprise"
Host: "localhost"
Accept: ""
output:
no_log_contains: "id \"920310\""
- test_title: 920310-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: lol
Host: "localhost"
Accept: ""
output:
log_contains: "id \"920310\""
- test_title: 920310-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "Business/6.6.1.2 CFNetwork/758.5.3 Darwin/15.6.0"
Host: "localhost"
Accept: ""
output:
no_log_contains: "id \"920310\""
- test_title: 920310-6
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "Entreprise/6.5.0.177 CFNetwork/758.4.3 Darwin/15.5.0"
Host: "localhost"
Accept: ""
output:
no_log_contains: "id \"920310\""


@ -1,48 +1,42 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920311.yaml"
description: "Description"
tests:
-
test_title: 920311-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
Host: "localhost"
Accept: ""
output:
log_contains: "id \"920311\""
-
test_title: 920311-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "OPTIONS"
headers:
Host: "localhost"
Accept: ""
output:
no_log_contains: "id \"920311\""
-
test_title: 920311-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests Enterprise"
Host: "localhost"
Accept: "text/plain, text/html"
output:
no_log_contains: "id \"920311\""
meta:
author: "csanders-git"
enabled: true
name: "920311.yaml"
description: "Description"
tests:
- test_title: 920311-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
Host: "localhost"
Accept: ""
output:
log_contains: "id \"920311\""
- test_title: 920311-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "OPTIONS"
headers:
Host: "localhost"
Accept: ""
output:
no_log_contains: "id \"920311\""
- test_title: 920311-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests Enterprise"
Host: "localhost"
Accept: "text/plain, text/html"
output:
no_log_contains: "id \"920311\""


@ -1,32 +1,28 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920320.yaml"
description: "Description"
tests:
-
test_title: 920320-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
Host: "localhost"
output:
log_contains: "id \"920320\""
-
test_title: 920320-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests Enterprise"
Host: "localhost"
output:
no_log_contains: "id \"920320\""
meta:
author: "csanders-git"
enabled: true
name: "920320.yaml"
description: "Description"
tests:
- test_title: 920320-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
Host: "localhost"
output:
log_contains: "id \"920320\""
- test_title: 920320-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests Enterprise"
Host: "localhost"
output:
no_log_contains: "id \"920320\""


@ -1,33 +1,29 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920320.yaml"
description: "Description"
tests:
-
test_title: 920330-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: ""
Host: "localhost"
output:
log_contains: "id \"920330\""
-
test_title: 920330-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests Enterprise"
Host: "localhost"
output:
no_log_contains: "id \"920330\""
meta:
author: "csanders-git"
enabled: true
name: "920320.yaml"
description: "Description"
tests:
- test_title: 920330-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: ""
Host: "localhost"
output:
log_contains: "id \"920330\""
- test_title: 920330-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests Enterprise"
Host: "localhost"
output:
no_log_contains: "id \"920330\""
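Review bot: `name: "920320.yaml"` in the `meta` block does not match the tests in this file, which are titled 920330-1 and 920330-2 and check for `id \"920330\"`; the value looks copied from the 920320 test file and is the same on both sides of this diff. I would change it to `name: "920330.yaml"` so that a report keyed on `meta.name` does not attribute these results to rule 920320. Whether the runner uses the field at all is not visible here.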


@ -1,38 +1,34 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920340.yaml"
description: "Description"
tests:
-
test_title: 920340-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Length: "2"
data: "xy"
stop_magic: true
output:
log_contains: "id \"920340\""
-
test_title: 920340-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Length: "50"
stop_magic: true
output:
expect_error: true
meta:
author: "csanders-git"
enabled: true
name: "920340.yaml"
description: "Description"
tests:
- test_title: 920340-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Length: "2"
data: "xy"
stop_magic: true
output:
log_contains: "id \"920340\""
- test_title: 920340-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Length: "50"
stop_magic: true
output:
expect_error: true


@ -1,55 +1,49 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920350.yaml"
description: "Description"
tests:
-
test_title: 920350-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "127.0.0.1"
protocol: "http"
uri: "/"
output:
log_contains: "id \"920350\""
-
test_title: 920350-2
stages:
-
stage:
input:
dest_addr: "localhost"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/"
output:
no_log_contains: "id \"920350\""
-
test_title: 920350-3
stages:
-
stage:
input:
dest_addr: "localhost"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "1.2.3.4"
protocol: "http"
uri: "/"
output:
log_contains: "id \"920350\""
meta:
author: "csanders-git"
enabled: true
name: "920350.yaml"
description: "Description"
tests:
- test_title: 920350-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "127.0.0.1"
protocol: "http"
uri: "/"
output:
log_contains: "id \"920350\""
- test_title: 920350-2
stages:
- stage:
input:
dest_addr: "localhost"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/"
output:
no_log_contains: "id \"920350\""
- test_title: 920350-3
stages:
- stage:
input:
dest_addr: "localhost"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "1.2.3.4"
protocol: "http"
uri: "/"
output:
log_contains: "id \"920350\""


@ -1,31 +1,29 @@
---
meta:
author: csanders-git
description: None
# ARG_NAME_LENGTH needs to be set in crs-config
enabled: false
name: 920360.yaml
tests:
-
test_title: 920360-1
meta:
author: csanders-git
description: None
# ARG_NAME_LENGTH needs to be set in crs-config
enabled: false
name: 920360.yaml
tests:
- test_title: 920360-1
desc: Argument name too long (920360) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /?11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111=foo
version: HTTP/1.0
output:
log_contains: id "920360"
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /?11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111=foo
version: HTTP/1.0
output:
log_contains: id "920360"


@ -1,31 +1,29 @@
---
meta:
author: csanders-git
description: None
# PCRE limits need to be set higher to process this
enabled: false
name: 920370.yaml
tests:
-
test_title: 920370-1
meta:
author: csanders-git
description: None
# PCRE limits need to be set higher to process this
enabled: false
name: 920370.yaml
tests:
- test_title: 920370-1
desc: Argument value too long (920370) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /?foo=11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
version: HTTP/1.0
output:
log_contains: id "920370"
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /?foo=11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
version: HTTP/1.0
output:
log_contains: id "920370"


@ -1,31 +1,28 @@
---
meta:
author: csanders-git
description: None
# MAX_NUM_ARGS needs to be set in crs-setup
enabled: false
name: 920380.yaml
tests:
-
test_title: 920380-1
meta:
author: csanders-git
description: None
# MAX_NUM_ARGS needs to be set in crs-setup
enabled: false
name: 920380.yaml
tests:
- test_title: 920380-1
desc: Too many arguments in request (920380) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /?param1=1&param2=1&param3=1&param4=1&param5=1&param6=1&param7=1&param8=1&param9=1&param10=1&param11=1&param12=1&param13=1&param14=1&param15=1&param16=1&param17=1&param18=1&param19=1&param20=1&param21=1&param22=1&param23=1&param24=1&param25=1&param26=1&param27=1&param28=1&param29=1&param30=1&param31=1&param32=1&param33=1&param34=1&param35=1&param36=1&param37=1&param38=1&param39=1&param40=1&param41=1&param42=1&param43=1&param44=1&param45=1&param46=1&param47=1&param48=1&param49=1&param50=1&param51=1&param52=1&param53=1&param54=1&param55=1&param56=1&param57=1&param58=1&param59=1&param60=1&param61=1&param62=1&param63=1&param64=1&param65=1&param66=1&param67=1&param68=1&param69=1&param70=1&param71=1&param72=1&param73=1&param74=1&param75=1&param76=1&param77=1&param78=1&param79=1&param80=1&param81=1&param82=1&param83=1&param84=1&param85=1&param86=1&param87=1&param88=1&param89=1&param90=1&param91=1&param92=1&param93=1&param94=1&param95=1&param96=1&param97=1&param98=1&param99=1&param100=1&param101=1&param102=1&param103=1&param104=1&param105=1&param106=1&param107=1&param108=1&param109=1&param110=1&param111=1&param112=1&param113=1&param114=1&param115=1&param116=1&param117=1&param118=1&param119=1&param120=1&param121=1&param122=1&param123=1&param124=1&param125=1&param126=1&param127=1&param128=1&param129=1&param130=1&param131=1&param132=1&param133=1&param134=1&param135=1&param136=1&param137=1&param138=1&param139=1&param140=1&param141=1&param142=1&param143=1&param144=1&param145=1&param146=1&param147=1&param148=1&param149=1&param150=1&param151=1&param152=1&param153=1&param154=1&param155=1&param156=1&param157=1&param158=1&param159=1&param160=1&param161=1&param162=1&param163=1&param164=1&param165=1&param166=1&param167=1&param168=1&param169=1&param170=1&param171=1&param172=1&param173=1&param174=1&param175=1&param176=1&param177=1&param178=1&param179=1&param180=1&param181=1&param182=1&param183=1&param184=1&param185=1&param186=1&param187=1&param188=1&param189=1&param190=1&param191=1&
param192=1&param193=1&param194=1&param195=1&param196=1&param197=1&param198=1&param199=1&param200=1&param201=1&param202=1&param203=1&param204=1&param205=1&param206=1&param207=1&param208=1&param209=1&param210=1&param211=1&param212=1&param213=1&param214=1&param215=1&param216=1&param217=1&param218=1&param219=1&param220=1&param221=1&param222=1&param223=1&param224=1&param225=1&param226=1&param227=1&param228=1&param229=1&param230=1&param231=1&param232=1&param233=1&param234=1&param235=1&param236=1&param237=1&param238=1&param239=1&param240=1&param241=1&param242=1&param243=1&param244=1&param245=1&param246=1&param247=1&param248=1&param249=1&param250=1&param251=1&param252=1&param253=1&param254=1&param255=1&param256=1
version: HTTP/1.0
output:
log_contains: id "920380"
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: OWASP ModSecurity Core Rule Set
method: GET
port: 80
uri: /?param1=1&param2=1&param3=1&param4=1&param5=1&param6=1&param7=1&param8=1&param9=1&param10=1&param11=1&param12=1&param13=1&param14=1&param15=1&param16=1&param17=1&param18=1&param19=1&param20=1&param21=1&param22=1&param23=1&param24=1&param25=1&param26=1&param27=1&param28=1&param29=1&param30=1&param31=1&param32=1&param33=1&param34=1&param35=1&param36=1&param37=1&param38=1&param39=1&param40=1&param41=1&param42=1&param43=1&param44=1&param45=1&param46=1&param47=1&param48=1&param49=1&param50=1&param51=1&param52=1&param53=1&param54=1&param55=1&param56=1&param57=1&param58=1&param59=1&param60=1&param61=1&param62=1&param63=1&param64=1&param65=1&param66=1&param67=1&param68=1&param69=1&param70=1&param71=1&param72=1&param73=1&param74=1&param75=1&param76=1&param77=1&param78=1&param79=1&param80=1&param81=1&param82=1&param83=1&param84=1&param85=1&param86=1&param87=1&param88=1&param89=1&param90=1&param91=1&param92=1&param93=1&param94=1&param95=1&param96=1&param97=1&param98=1&param99=1&param100=1&param101=1&param102=1&param103=1&param104=1&param105=1&param106=1&param107=1&param108=1&param109=1&param110=1&param111=1&param112=1&param113=1&param114=1&param115=1&param116=1&param117=1&param118=1&param119=1&param120=1&param121=1&param122=1&param123=1&param124=1&param125=1&param126=1&param127=1&param128=1&param129=1&param130=1&param131=1&param132=1&param133=1&param134=1&param135=1&param136=1&param137=1&param138=1&param139=1&param140=1&param141=1&param142=1&param143=1&param144=1&param145=1&param146=1&param147=1&param148=1&param149=1&param150=1&param151=1&param152=1&param153=1&param154=1&param155=1&param156=1&param157=1&param158=1&param159=1&param160=1&param161=1&param162=1&param163=1&param164=1&param165=1&param166=1&param167=1&param168=1&param169=1&param170=1&param171=1&param172=1&param173=1&param174=1&param175=1&param176=1&param177=1&param178=1&param179=1&param180=1&param181=1&param182=1&param183=1&param184=1&param185=1&param186=1&param187=1&param188=1&param189=1&param190=1&param191=1&
param192=1&param193=1&param194=1&param195=1&param196=1&param197=1&param198=1&param199=1&param200=1&param201=1&param202=1&param203=1&param204=1&param205=1&param206=1&param207=1&param208=1&param209=1&param210=1&param211=1&param212=1&param213=1&param214=1&param215=1&param216=1&param217=1&param218=1&param219=1&param220=1&param221=1&param222=1&param223=1&param224=1&param225=1&param226=1&param227=1&param228=1&param229=1&param230=1&param231=1&param232=1&param233=1&param234=1&param235=1&param236=1&param237=1&param238=1&param239=1&param240=1&param241=1&param242=1&param243=1&param244=1&param245=1&param246=1&param247=1&param248=1&param249=1&param250=1&param251=1&param252=1&param253=1&param254=1&param255=1&param256=1
version: HTTP/1.0
output:
log_contains: id "920380"
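Review bot: The test still ships with `enabled: false`, so the header changes in this section (the new side appears to drop `Accept-Charset` and switch the User-Agent) are never exercised and rule 920380 has no running regression coverage; 920360 and 920370 in the two preceding sections are disabled the same way. The only explanation is the comment `# MAX_NUM_ARGS needs to be set in crs-setup`, which does not say what limit the 256-parameter URI assumes. I would spell the precondition out, e.g. `# disabled: needs tx.max_num_args set below 256 in crs-setup.conf (the request sends 256 arguments)`, so that whoever wires up a test configuration can re-enable it with confidence.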


@ -1,52 +1,50 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 920400.yaml
tests:
-
test_title: 920400-1
meta:
author: csanders-git
description: None
enabled: true
name: 920400.yaml
tests:
- test_title: 920400-1
desc: Uploaded file size too large (920400) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Content-Length: '10485760'
Content-Type: multipart/form-data; boundary=---------------------------265001916915724
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
version: HTTP/1.1
data:
- '-----------------------------265001916915724'
- 'Content-Disposition: form-data; name="file"; filename="test"'
- 'Content-Type: application/octet-stream'
- ''
- Rotem & Ayala
- ''
- '-----------------------------265001916915724'
- 'Content-Disposition: form-data; name="name"'
- ''
- tt2
- '-----------------------------265001916915724'
- 'Content-Disposition: form-data; name="B1"'
- ''
- Submit
- '-----------------------------265001916915724--'
output:
# Most web servers simply won't respond to invalid requests like
# like this they'll just time out when we get OR type checks
# we'll be able to check for both an error or the rule firing
expect_error: true
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Content-Length: '10485760'
Content-Type: multipart/form-data; boundary=---------------------------265001916915724
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
version: HTTP/1.1
data: |
-----------------------------265001916915724
Content-Disposition: form-data; name="file"; filename="test"
Content-Type: application/octet-stream
Rotem & Ayala
-----------------------------265001916915724
Content-Disposition: form-data; name="name"
tt2
-----------------------------265001916915724
Content-Disposition: form-data; name="B1"
Submit
-----------------------------265001916915724--
output:
# Most web servers simply won't respond to invalid requests like
# like this they'll just time out when we get OR type checks
# we'll be able to check for both an error or the rule firing
expect_error: true
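Review bot: The only assertion for 920400-1 is `expect_error: true`, so the test passes whenever the connection fails and never shows that rule 920400 matched; rewriting `data` as a block scalar leaves that gap in place. The declared `Content-Length: '10485760'` is far larger than the body actually sent, which is presumably why the server times out as the in-file comment describes. If the runner can still read the WAF log after a failed request, adding `log_contains: id "920400"` next to `expect_error` would pin the rule. Otherwise the comment should say so plainly, e.g. `# cannot assert the rule id: the oversized Content-Length makes the server time out before a response is read`.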


@ -81,21 +81,21 @@ tests:
port: 80
uri: /
version: HTTP/1.1
data:
- --0000
- 'Content-Disposition: form-data; name="name"'
- ''
- John Smith
- --0000
- 'Content-Disposition: form-data; name="email"'
- ''
- john.smith@example.com
- --0000
- 'Content-Disposition: form-data; name="image"; filename="image.jpg"'
- 'Content-Type: image/jpeg'
- ''
- BINARYDATA
- --0000--
data: |
--0000
Content-Disposition: form-data; name="name"
John Smith
--0000
Content-Disposition: form-data; name="email"
john.smith@example.com
--0000
Content-Disposition: form-data; name="image"; filename="image.jpg"
Content-Type: image/jpeg
BINARYDATA
--0000--
output:
log_contains: id "920420"
- test_title: 920420-6
@ -118,21 +118,21 @@ tests:
port: 80
uri: /
version: HTTP/1.1
data:
- --0000
- 'Content-Disposition: form-data; name="name"'
- ''
- John Smith
- --0000
- 'Content-Disposition: form-data; name="email"'
- ''
- john.smith@example.com
- --0000
- 'Content-Disposition: form-data; name="image"; filename="image.jpg"'
- 'Content-Type: image/jpeg'
- ''
- BINARYDATA
- --0000--
data: |
--0000
Content-Disposition: form-data; name="name"
John Smith
--0000
Content-Disposition: form-data; name="email"
john.smith@example.com
--0000
Content-Disposition: form-data; name="image"; filename="image.jpg"
Content-Type: image/jpeg
BINARYDATA
--0000--
output:
log_contains: id "920420"
- test_title: 920420-7
@ -155,21 +155,21 @@ tests:
port: 80
uri: /
version: HTTP/1.1
data:
- --0000
- 'Content-Disposition: form-data; name="name"'
- ''
- John Smith
- --0000
- 'Content-Disposition: form-data; name="email"'
- ''
- john.smith@example.com
- --0000
- 'Content-Disposition: form-data; name="image"; filename="image.jpg"'
- 'Content-Type: image/jpeg'
- ''
- BINARYDATA
- --0000--
data: |
--0000
Content-Disposition: form-data; name="name"
John Smith
--0000
Content-Disposition: form-data; name="email"
john.smith@example.com
--0000
Content-Disposition: form-data; name="image"; filename="image.jpg"
Content-Type: image/jpeg
BINARYDATA
--0000--
output:
log_contains: id "920420"
- test_title: 920420-8
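Review bot: Converting `data` from a list to a `|` block scalar changes what joins the body lines: a YAML literal block yields bare LF, whereas multipart/form-data parts are delimited by CRLF. This applies to all three hunks in this section (the stages that end just before 920420-6, -7 and -8). Whether the test runner normalises line endings is not visible here, so it is worth confirming that these requests still log 920420 for the Content-Type policy reason and are not being rejected earlier by a multipart parsing error. The headers of each stage, including the Content-Type under test, lie outside the hunks. If exact bytes matter, a double-quoted scalar with explicit `\r\n` would make the wire format unambiguous.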


@ -1,121 +1,104 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920430.yaml"
description: "Description"
tests:
-
test_title: 920430-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "HTTP/1.1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920430\""
-
test_title: 920430-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "HTTP/1.0"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920430\""
-
test_title: 920430-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "HTTP/0.9"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
status: [403, 400]
# log_contains: "id \"920430\""
-
test_title: 920430-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "HTTP/2"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920430\""
-
# Currently FTW won't process HTTP 1.0 simple response items
# This request generates such a response, so even though it will
# generate the alert, it will error.
test_title: 920430-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: ""
headers:
User-Agent: "ModSecurity CRS 3 Tests #FN"
Host: "localhost"
output:
expect_error: true
-
test_title: 920430-6
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "1.1"
headers:
User-Agent: "ModSecurity CRS 3 Tests #FN"
Host: "localhost"
output:
status: [403, 400]
# log_contains: "id \"920430\""
-
test_title: 920430-7
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "TEST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
status: [403, 400]
# log_contains: "id \"920430\""
-
test_title: 920430-8
desc: HTTP protocol version is not allowed by policy (920430) from old modsec regressions
stages:
-
stage:
meta:
author: "csanders-git"
enabled: true
name: "920430.yaml"
description: "Description"
tests:
- test_title: 920430-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "HTTP/1.1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920430\""
- test_title: 920430-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "HTTP/1.0"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920430\""
- test_title: 920430-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "HTTP/0.9"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
status: [403, 400]
# log_contains: "id \"920430\""
- test_title: 920430-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "HTTP/2"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920430\""
- # Currently FTW won't process HTTP 1.0 simple response items
# This request generates such a response, so even though it will
# generate the alert, it will error.
test_title: 920430-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: ""
headers:
User-Agent: "ModSecurity CRS 3 Tests #FN"
Host: "localhost"
output:
expect_error: true
- test_title: 920430-6
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "1.1"
headers:
User-Agent: "ModSecurity CRS 3 Tests #FN"
Host: "localhost"
output:
status: [403, 400]
# log_contains: "id \"920430\""
- test_title: 920430-7
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "TEST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
status: [403, 400]
# log_contains: "id \"920430\""
- test_title: 920430-8
desc: HTTP protocol version is not allowed by policy (920430) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -133,13 +116,10 @@
version: HTTP/3.0
output:
log_contains: id "920430"
-
test_title: 920430-9
desc: HTTP protocol version is not allowed by policy (920430) from old modsec regressions
stages:
-
stage:
- test_title: 920430-9
desc: HTTP protocol version is not allowed by policy (920430) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -157,13 +137,10 @@
version: HTTP/0.8
output:
status: [403, 400]
#log_contains: id "920430"
-
test_title: 920430-10
desc: HTTP protocol version is not allowed by policy (920430) from old modsec regressions
stages:
-
stage:
- test_title: 920430-10
desc: HTTP protocol version is not allowed by policy (920430) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -180,5 +157,5 @@
uri: /
version: JUNK/1.0
output:
status: [403, 400]
# log_contains: id "920430"
status: [403, 400]
# log_contains: id "920430"


@ -26,7 +26,6 @@ tests:
version: HTTP/1.1
output:
log_contains: id "920440"
- test_title: 920440-2
desc: URL file extension is restricted by policy (920440) from old modsec regressions
stages:


@ -1,59 +1,50 @@
---
meta:
author: "csanders-git, karelorigin"
enabled: true
name: "920450.yaml"
description: "Description"
tests:
-
test_title: 920450-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-range: "test"
output:
log_contains: "id \"920450\""
-
test_title: 920450-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
If: "test"
output:
log_contains: "id \"920450\""
-
test_title: 920450-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
lock-token: "test"
output:
log_contains: "id \"920450\""
-
test_title: 920450-4
desc: HTTP header is restricted by policy (920450) from old modsec regressions, we no longer block proxy-connection in 3.0
stages:
-
stage:
meta:
author: "csanders-git, karelorigin"
enabled: true
name: "920450.yaml"
description: "Description"
tests:
- test_title: 920450-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-range: "test"
output:
log_contains: "id \"920450\""
- test_title: 920450-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
If: "test"
output:
log_contains: "id \"920450\""
- test_title: 920450-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
lock-token: "test"
output:
log_contains: "id \"920450\""
- test_title: 920450-4
desc: HTTP header is restricted by policy (920450) from old modsec regressions, we no longer block proxy-connection in 3.0
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -70,13 +61,10 @@
version: HTTP/1.1
output:
no_log_contains: id "920450"
-
test_title: 920450-5
desc: HTTP header is restricted by policy (920450) from old modsec regressions
stages:
-
stage:
- test_title: 920450-5
desc: HTTP header is restricted by policy (920450) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -94,52 +82,43 @@
version: HTTP/1.1
output:
log_contains: id "920450"
-
test_title: 920450-6
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Range: "test"
output:
no_log_contains: "id \"920450\""
-
test_title: 920450-7
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html
Accept-Charset: UTF-8
output:
log_contains: "id \"920450\""
-
test_title: 920450-8
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html
Content-Encoding: deflate
output:
log_contains: "id \"920450\""
- test_title: 920450-6
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Range: "test"
output:
no_log_contains: "id \"920450\""
- test_title: 920450-7
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html
Accept-Charset: UTF-8
output:
log_contains: "id \"920450\""
- test_title: 920450-8
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html
Content-Encoding: deflate
output:
log_contains: "id \"920450\""


@ -1,83 +1,73 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920460.yaml"
description: "Description"
tests:
-
test_title: 920460-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
uri: "/"
headers:
Host: "localhost"
Accept: "*/*"
Content-Length: 22
Content-Type: "application/x-www-form-urlencoded"
User-Agent: "ModSecurity CRS 3 Tests"
data: 'file=cat+/etc/\passw\d'
stop_magic: true
output:
log_contains: "id \"920460\""
-
test_title: 920460-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?file=cat+/etc/pa\\ssw\\d"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920460\""
-
test_title: 920460-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?file=\\c"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920460\""
-
test_title: 920460-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?file=\\\\c"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920460\""
-
test_title: 920460-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?file=\\\\\\c"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920460\""
meta:
author: "csanders-git"
enabled: true
name: "920460.yaml"
description: "Description"
tests:
- test_title: 920460-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
uri: "/"
headers:
Host: "localhost"
Accept: "*/*"
Content-Length: 22
Content-Type: "application/x-www-form-urlencoded"
User-Agent: "ModSecurity CRS 3 Tests"
data: 'file=cat+/etc/\passw\d'
stop_magic: true
output:
log_contains: "id \"920460\""
- test_title: 920460-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?file=cat+/etc/pa\\ssw\\d"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920460\""
- test_title: 920460-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?file=\\c"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920460\""
- test_title: 920460-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?file=\\\\c"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920460\""
- test_title: 920460-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?file=\\\\\\c"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920460\""


@ -1,199 +1,199 @@
---
meta:
author: "lifeforms, Franziska Bühler"
enabled: true
name: "920470.yaml"
description: "Content-Type header format checks"
tests:
- test_title: 920470-1
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "%{(#nike='multipart/form-data').(#dm=@ognl"
Content-Length: 0
output:
log_contains: "id \"920470\""
- test_title: 920470-2
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'text/plain; charset="UTF-8"; garbage'
Content-Length: 0
output:
log_contains: "id \"920470\""
- test_title: 920470-3
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'text/plain; charset=/gar/bage'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-4
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "text/plain"
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-5
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'text/plain; charset=UTF-8'
output:
no_log_contains: "id \"920470\""
- test_title: 920470-6
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'text/plain; charset="UTF-8"'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-7
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'multipart/form-data; boundary=----WebKitFormBoundary12345'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-8
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'application/json'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-9
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'multipart/form-data; boundary=----formdata-polyfill-0.40616634299_704013'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-10
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'multipart/mixed; boundary=-----boundary_data:55780(123,45:667)+part'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-11
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'multipart/mixed; boundary= gc0p4Jq0M2Yt,08/jU534c0p?==:test'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-12
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'multipart/form-data; boundary= test_data_123456'
Content-Length: 0
output:
log_contains: "id \"920470\""
- test_title: 920470-13
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'multipart/related; type="application/xop+xml"; boundary="uuid:a111aaa1-aa11-1a11-a11a-11a1111aa11a"; start="<root.message@cxf.apache.org>"; start-info="application/soap+xml'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-14
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'application/soap+xml; action="urn:hl7-org:v3:PRPA_IN201305UV02"; charset=UTF-8'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
meta:
author: "lifeforms, Franziska Bühler"
enabled: true
name: "920470.yaml"
description: "Content-Type header format checks"
tests:
- test_title: 920470-1
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "%{(#nike='multipart/form-data').(#dm=@ognl"
Content-Length: 0
output:
log_contains: "id \"920470\""
- test_title: 920470-2
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'text/plain; charset="UTF-8"; garbage'
Content-Length: 0
output:
log_contains: "id \"920470\""
- test_title: 920470-3
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'text/plain; charset=/gar/bage'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-4
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "text/plain"
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-5
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'text/plain; charset=UTF-8'
output:
no_log_contains: "id \"920470\""
- test_title: 920470-6
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'text/plain; charset="UTF-8"'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-7
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'multipart/form-data; boundary=----WebKitFormBoundary12345'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-8
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'application/json'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-9
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'multipart/form-data; boundary=----formdata-polyfill-0.40616634299_704013'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-10
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'multipart/mixed; boundary=-----boundary_data:55780(123,45:667)+part'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-11
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'multipart/mixed; boundary= gc0p4Jq0M2Yt,08/jU534c0p?==:test'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-12
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'multipart/form-data; boundary= test_data_123456'
Content-Length: 0
output:
log_contains: "id \"920470\""
- test_title: 920470-13
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'multipart/related; type="application/xop+xml"; boundary="uuid:a111aaa1-aa11-1a11-a11a-11a1111aa11a"; start="<root.message@cxf.apache.org>"; start-info="application/soap+xml'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-14
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'application/soap+xml; action="urn:hl7-org:v3:PRPA_IN201305UV02"; charset=UTF-8'
Content-Length: 0
output:
no_log_contains: "id \"920470\""


@ -1,240 +1,240 @@
---
meta:
author: "lifeforms"
enabled: true
name: "920480.yaml"
description: "Description"
tests:
- test_title: 920480-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=utf-8"
data: "test=value"
output:
no_log_contains: "id \"920480\""
- test_title: 920480-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded;charset=UTF-8"
data: "test=value"
output:
no_log_contains: "id \"920480\""
- test_title: 920480-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded;charset=iso-8859-1"
data: "test=value"
output:
no_log_contains: "id \"920480\""
- test_title: 920480-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded;charset=ISO-8859-15"
data: "test=value"
output:
no_log_contains: "id \"920480\""
- test_title: 920480-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=windows-1252"
data: "test=value"
output:
no_log_contains: "id \"920480\""
# TODO: this case is not yet handled by 3.1, future work
# - test_title: 920480-6
# stages:
# - stage:
# input:
# dest_addr: "127.0.0.1"
# port: 80
# method: "POST"
# headers:
# User-Agent: "ModSecurity CRS 3 Tests"
# Host: "localhost"
# Content-Type: "application/x-www-form-urlencoded; charset=UTF-80" #trailing garbage after 'UTF-8'
# data: "test=value"
# output:
# log_contains: "id \"920480\""
- test_title: 920480-7
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=garbage"
data: "test=value"
output:
log_contains: "id \"920480\""
- test_title: 920480-8
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded;charset=garbage"
data: "test=value"
output:
log_contains: "id \"920480\""
# TODO: this test should pass (works with curl), to be researched
# - test_title: 920480-9
# stages:
# - stage:
# input:
# dest_addr: "127.0.0.1"
# port: 80
# method: "POST"
# headers:
# User-Agent: "ModSecurity CRS 3 Tests"
# Host: "localhost"
# Content-Type: "application/x-www-form-urlencoded; charset=ibm037" # https://www.slideshare.net/SoroushDalili/waf-bypass-techniques-using-http-standard-and-web-servers-behaviour slide 32
# data: "test=value"
# output:
# log_contains: "id \"920480\""
# TODO: this test should pass (works with curl), to be researched
# - test_title: 920480-10
# stages:
# - stage:
# input:
# dest_addr: "127.0.0.1"
# port: 80
# method: "POST"
# headers:
# User-Agent: "ModSecurity CRS 3 Tests"
# Host: "localhost"
# Content-Type: "application/x-www-form-urlencoded;charset=ibm037" # https://www.slideshare.net/SoroushDalili/waf-bypass-techniques-using-http-standard-and-web-servers-behaviour slide 32
# data: "test=value"
# output:
# log_contains: "id \"920480\""
- test_title: 920480-11
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
# random other IBM charset
Content-Type: "application/x-www-form-urlencoded;charset=ibm038"
data: "test=value"
output:
log_contains: "id \"920480\""
# TODO: this case is not yet checked by CRS, future work
# - test_title: 920480-12
# stages:
# - stage:
# input:
# dest_addr: "127.0.0.1"
# port: 80
# method: "POST"
# headers:
# User-Agent: "ModSecurity CRS 3 Tests"
# Host: "localhost"
# Content-Type: "application/x-www-form-urlencoded;charset=utf-8;charset=ibm037" #double charset may cause evasion
# data: "test=value"
# output:
# log_contains: "id \"920480\""
# TODO: this case is not yet checked by CRS, future work
# - test_title: 920480-13
# stages:
# - stage:
# input:
# dest_addr: "127.0.0.1"
# port: 80
# method: "POST"
# headers:
# User-Agent: "ModSecurity CRS 3 Tests"
# Host: "localhost"
# Content-Type: "application/x-www-form-urlencoded;charset=ibm037;charset=UTF-8" #double charset may cause evasion
# data: "test=value"
# output:
# log_contains: "id \"920480\""
- test_title: 920480-14
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
# random other IBM charset
Content-Type: "application/x-www-form-urlencoded; charset=\"utf-8\""
data: "test=value"
output:
no_log_contains: "id \"920480\""
- test_title: 920480-15
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
# random other IBM charset
Content-Type: "application/x-www-form-urlencoded; charset='utf-8'"
data: "test=value"
output:
no_log_contains: "id \"920480\""
- test_title: 920480-16
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
# random other IBM charset
Content-Type: "application/x-www-form-urlencoded; charset=\"garbage\""
data: "test=value"
output:
log_contains: "id \"920480\""
meta:
author: "lifeforms"
enabled: true
name: "920480.yaml"
description: "Description"
tests:
- test_title: 920480-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=utf-8"
data: "test=value"
output:
no_log_contains: "id \"920480\""
- test_title: 920480-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded;charset=UTF-8"
data: "test=value"
output:
no_log_contains: "id \"920480\""
- test_title: 920480-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded;charset=iso-8859-1"
data: "test=value"
output:
no_log_contains: "id \"920480\""
- test_title: 920480-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded;charset=ISO-8859-15"
data: "test=value"
output:
no_log_contains: "id \"920480\""
- test_title: 920480-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=windows-1252"
data: "test=value"
output:
no_log_contains: "id \"920480\""
# TODO: this case is not yet handled by 3.1, future work
# - test_title: 920480-6
# stages:
# - stage:
# input:
# dest_addr: "127.0.0.1"
# port: 80
# method: "POST"
# headers:
# User-Agent: "ModSecurity CRS 3 Tests"
# Host: "localhost"
# Content-Type: "application/x-www-form-urlencoded; charset=UTF-80" #trailing garbage after 'UTF-8'
# data: "test=value"
# output:
# log_contains: "id \"920480\""
- test_title: 920480-7
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=garbage"
data: "test=value"
output:
log_contains: "id \"920480\""
- test_title: 920480-8
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded;charset=garbage"
data: "test=value"
output:
log_contains: "id \"920480\""
# TODO: this test should pass (works with curl), to be researched
# - test_title: 920480-9
# stages:
# - stage:
# input:
# dest_addr: "127.0.0.1"
# port: 80
# method: "POST"
# headers:
# User-Agent: "ModSecurity CRS 3 Tests"
# Host: "localhost"
# Content-Type: "application/x-www-form-urlencoded; charset=ibm037" # https://www.slideshare.net/SoroushDalili/waf-bypass-techniques-using-http-standard-and-web-servers-behaviour slide 32
# data: "test=value"
# output:
# log_contains: "id \"920480\""
# TODO: this test should pass (works with curl), to be researched
# - test_title: 920480-10
# stages:
# - stage:
# input:
# dest_addr: "127.0.0.1"
# port: 80
# method: "POST"
# headers:
# User-Agent: "ModSecurity CRS 3 Tests"
# Host: "localhost"
# Content-Type: "application/x-www-form-urlencoded;charset=ibm037" # https://www.slideshare.net/SoroushDalili/waf-bypass-techniques-using-http-standard-and-web-servers-behaviour slide 32
# data: "test=value"
# output:
# log_contains: "id \"920480\""
- test_title: 920480-11
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
# random other IBM charset
Content-Type: "application/x-www-form-urlencoded;charset=ibm038"
data: "test=value"
output:
log_contains: "id \"920480\""
# TODO: this case is not yet checked by CRS, future work
# - test_title: 920480-12
# stages:
# - stage:
# input:
# dest_addr: "127.0.0.1"
# port: 80
# method: "POST"
# headers:
# User-Agent: "ModSecurity CRS 3 Tests"
# Host: "localhost"
# Content-Type: "application/x-www-form-urlencoded;charset=utf-8;charset=ibm037" #double charset may cause evasion
# data: "test=value"
# output:
# log_contains: "id \"920480\""
# TODO: this case is not yet checked by CRS, future work
# - test_title: 920480-13
# stages:
# - stage:
# input:
# dest_addr: "127.0.0.1"
# port: 80
# method: "POST"
# headers:
# User-Agent: "ModSecurity CRS 3 Tests"
# Host: "localhost"
# Content-Type: "application/x-www-form-urlencoded;charset=ibm037;charset=UTF-8" #double charset may cause evasion
# data: "test=value"
# output:
# log_contains: "id \"920480\""
- test_title: 920480-14
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
# random other IBM charset
Content-Type: "application/x-www-form-urlencoded; charset=\"utf-8\""
data: "test=value"
output:
no_log_contains: "id \"920480\""
- test_title: 920480-15
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
# random other IBM charset
Content-Type: "application/x-www-form-urlencoded; charset='utf-8'"
data: "test=value"
output:
no_log_contains: "id \"920480\""
- test_title: 920480-16
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
# random other IBM charset
Content-Type: "application/x-www-form-urlencoded; charset=\"garbage\""
data: "test=value"
output:
log_contains: "id \"920480\""


@ -1,51 +1,51 @@
---
meta:
author: "Christian Folini"
enabled: true
name: "920490.yaml"
description: "Tests for the charset protection in combination with the x-up-devcap-post-charset header"
tests:
- test_title: 920490-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "UP ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=utf-8"
x-up-devcap-post-charset: "ibm500"
data: "%89%95%97%A4%A3%F1=%A7%A7%A7%A7%A7%A7%A7"
output:
log_contains: "id \"920490\""
- test_title: 920490-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=utf-8"
x-up-devcap-post-charset: "ibm500"
data: "%89%95%97%A4%A3%F1=%A7%A7%A7%A7%A7%A7%A7"
output:
no_log_contains: "id \"920490\""
- test_title: 920490-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "UP ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=utf-8"
data: "%89%95%97%A4%A3%F1=%A7%A7%A7%A7%A7%A7%A7"
output:
no_log_contains: "id \"920490\""
meta:
author: "Christian Folini"
enabled: true
name: "920490.yaml"
description: "Tests for the charset protection in combination with the x-up-devcap-post-charset header"
tests:
- test_title: 920490-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "UP ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=utf-8"
x-up-devcap-post-charset: "ibm500"
data: "%89%95%97%A4%A3%F1=%A7%A7%A7%A7%A7%A7%A7"
output:
log_contains: "id \"920490\""
- test_title: 920490-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=utf-8"
x-up-devcap-post-charset: "ibm500"
data: "%89%95%97%A4%A3%F1=%A7%A7%A7%A7%A7%A7%A7"
output:
no_log_contains: "id \"920490\""
- test_title: 920490-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "UP ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=utf-8"
data: "%89%95%97%A4%A3%F1=%A7%A7%A7%A7%A7%A7%A7"
output:
no_log_contains: "id \"920490\""


@ -1,49 +1,49 @@
---
meta:
author: "Andrea Menin"
enabled: true
name: "920500.yaml"
description: "Tests for backup or working file extensions"
tests:
- test_title: 920500-1
desc: "Check request filename ends with ~"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/index.php~"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920500\""
- test_title: 920500-2
desc: "Check request filename contains file that ends with ~ but not at end of string (bypass)"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/index.php~/foo/bar/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920500\""
- test_title: 920500-3
desc: "Rules 920500 should not block user dir such as /~user/"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/~user/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920500\""
meta:
author: "Andrea Menin"
enabled: true
name: "920500.yaml"
description: "Tests for backup or working file extensions"
tests:
- test_title: 920500-1
desc: "Check request filename ends with ~"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/index.php~"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920500\""
- test_title: 920500-2
desc: "Check request filename contains file that ends with ~ but not at end of string (bypass)"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/index.php~/foo/bar/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920500\""
- test_title: 920500-3
desc: "Rules 920500 should not block user dir such as /~user/"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/~user/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920500\""


@ -1,97 +1,97 @@
---
meta:
author: "Andrea Menin"
enabled: true
name: "920510.yaml"
description: "Cache-Control directives whitelist"
tests:
- test_title: 920510-1
desc: "block request with a response cache-control directive in request"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cache-Control: "private"
output:
log_contains: "id \"920510\""
- test_title: 920510-2
desc: "block request with an invalid cache-control directive in request"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cache-Control: "foo=bar"
output:
log_contains: "id \"920510\""
- test_title: 920510-3
desc: "block request with an invalid cache-control directive in request with multiple directives"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cache-Control: "max-age=1, foo=bar"
output:
log_contains: "id \"920510\""
- test_title: 920510-4
desc: "block request with an invalid cache-control syntax in request with multiple directives"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cache-Control: "max-age=1,,,max-stale=2"
output:
log_contains: "id \"920510\""
- test_title: 920510-5
desc: "allow request with valid cache-control single directive"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cache-Control: "no-cache"
output:
no_log_contains: "id \"920510\""
- test_title: 920510-6
desc: "allow request with valid cache-control multiple directive"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cache-Control: "max-age=123, max-stale, no-cache"
output:
no_log_contains: "id \"920510\""
meta:
author: "Andrea Menin"
enabled: true
name: "920510.yaml"
description: "Cache-Control directives whitelist"
tests:
- test_title: 920510-1
desc: "block request with a response cache-control directive in request"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cache-Control: "private"
output:
log_contains: "id \"920510\""
- test_title: 920510-2
desc: "block request with an invalid cache-control directive in request"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cache-Control: "foo=bar"
output:
log_contains: "id \"920510\""
- test_title: 920510-3
desc: "block request with an invalid cache-control directive in request with multiple directives"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cache-Control: "max-age=1, foo=bar"
output:
log_contains: "id \"920510\""
- test_title: 920510-4
desc: "block request with an invalid cache-control syntax in request with multiple directives"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cache-Control: "max-age=1,,,max-stale=2"
output:
log_contains: "id \"920510\""
- test_title: 920510-5
desc: "allow request with valid cache-control single directive"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cache-Control: "no-cache"
output:
no_log_contains: "id \"920510\""
- test_title: 920510-6
desc: "allow request with valid cache-control multiple directive"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cache-Control: "max-age=123, max-stale, no-cache"
output:
no_log_contains: "id \"920510\""


@ -0,0 +1,17 @@
---
meta:
author: "Andrea (theMiddle) Menin"
enabled: false
name: "920620.yaml"
description: "Tests for 920620"
tests:
- test_title: 920620-1
desc: Multiple Content-Type request headers
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
encoded_request: "R0VUIC9nZXQgSFRUUC8xLjENCkhvc3Q6IGxvY2FsaG9zdA0KVXNlci1BZ2VudDogT1dBU1AgQ1JTIHRlc3QgYWdlbnQNCkFjY2VwdDogdGV4dC94bWwsYXBwbGljYXRpb24veG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCx0ZXh0L2h0bWw7cT0wLjksdGV4dC9wbGFpbjtxPTAuOCxpbWFnZS9wbmcsKi8qO3E9MC41DQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24NCkNvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veG1sDQoNCg=="
output:
log_contains: "id \"920620\""
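Review bot: The new 920620 test file sets `enabled: false` in `meta`, so the only test for rule 920620 is presumably skipped by the harness and the rule ships without active regression coverage. If that is deliberate, a comment above that line such as `# disabled: <reason>; re-enable once <condition>` would record why. The `encoded_request` value is opaque to a reader; it appears to decode to a `GET /get` request carrying two `Content-Type` headers (`application/json`, then `application/xml`), and a one-line comment above the key saying so would make the case reviewable without decoding it. There is also only a positive case here: a companion test with a single `Content-Type` header and `no_log_contains: "id \"920620\""` would guard against false positives.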


@ -1,146 +1,130 @@
---
meta:
author: "Christian S.J. Peron, Franziska Bühler"
description: None
enabled: true
name: 921110.yaml
tests:
-
test_title: 921110-1
meta:
author: "Christian S.J. Peron, Franziska Bühler"
description: None
enabled: true
name: 921110.yaml
tests:
- test_title: 921110-1
desc: "HTTP Response Splitting"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
Cache-Control: "no-cache, no-store, must-revalidate"
method: POST
port: 80
data: "var=%0aPOST / HTTP/1.0"
version: HTTP/1.0
output:
log_contains: id "921110"
-
test_title: 921110-2
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
Cache-Control: "no-cache, no-store, must-revalidate"
method: POST
port: 80
data: "var=%0aPOST / HTTP/1.0"
version: HTTP/1.0
output:
log_contains: id "921110"
- test_title: 921110-2
desc: "HTTP Response Splitting"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
Cache-Control: "no-cache, no-store, must-revalidate"
method: POST
port: 80
data: "var=aaa%0aGET+/+HTTP/1.1"
version: HTTP/1.0
output:
log_contains: id "921110"
-
test_title: 921110-3
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
Cache-Control: "no-cache, no-store, must-revalidate"
method: POST
port: 80
data: "var=aaa%0aGET+/+HTTP/1.1"
version: HTTP/1.0
output:
log_contains: id "921110"
- test_title: 921110-3
desc: "HTTP Response Splitting"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
Cache-Control: "no-cache, no-store, must-revalidate"
method: POST
port: 80
data: "var=aaa%0dHEAD+http://example.com/+HTTP/1.1"
version: HTTP/1.0
output:
log_contains: id "921110"
-
test_title: 921110-4
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
Cache-Control: "no-cache, no-store, must-revalidate"
method: POST
port: 80
data: "var=aaa%0dHEAD+http://example.com/+HTTP/1.1"
version: HTTP/1.0
output:
log_contains: id "921110"
- test_title: 921110-4
desc: "HTTP Response Splitting"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
Cache-Control: "no-cache, no-store, must-revalidate"
method: POST
port: 80
data: "var=aaa%0d%0aGet+/foo%0d"
version: HTTP/1.0
output:
log_contains: id "921110"
-
test_title: 921110-5
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
Cache-Control: "no-cache, no-store, must-revalidate"
method: POST
port: 80
data: "var=aaa%0d%0aGet+/foo%0d"
version: HTTP/1.0
output:
log_contains: id "921110"
- test_title: 921110-5
desc: "HTTP Response Splitting"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
Cache-Control: "no-cache, no-store, must-revalidate"
method: POST
port: 80
data: "var=aaa%0d%0aGet+foo+bar"
version: HTTP/1.0
output:
no_log_contains: id "921110"
-
test_title: 921110-6
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
Cache-Control: "no-cache, no-store, must-revalidate"
method: POST
port: 80
data: "var=aaa%0d%0aGet+foo+bar"
version: HTTP/1.0
output:
no_log_contains: id "921110"
- test_title: 921110-6
desc: HTTP Request Smuggling bypass with Content-Type text/plain
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Accept: "*/*"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Type: text/plain
Content-Length: 36
method: POST
port: 80
uri: /
data: "barGET /a.html HTTP/1.1\r\nSomething: GET /b.html HTTP/1.1\r\nHost: foo.com\r\nUser-Agent: foo\r\nAccept: */*\r\n\r\n"
output:
log_contains: id "921110"
-
test_title: 921110-7
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Accept: "*/*"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Type: text/plain
Content-Length: 36
method: POST
port: 80
uri: /
data: "barGET /a.html HTTP/1.1\r\nSomething: GET /b.html HTTP/1.1\r\nHost: foo.com\r\nUser-Agent: foo\r\nAccept: */*\r\n\r\n"
output:
log_contains: id "921110"
- test_title: 921110-7
desc: HTTP Request Smuggling with not supported HTTP versions such as HTTP/1.2
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Accept: "*/*"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /?arg1=GET%20http%3A%2F%2Fwww.foo.bar%20HTTP%2F1.2
output:
log_contains: id "921110"
-
test_title: 921110-8
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Accept: "*/*"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /?arg1=GET%20http%3A%2F%2Fwww.foo.bar%20HTTP%2F1.2
output:
log_contains: id "921110"
- test_title: 921110-8
desc: HTTP Request Smuggling with not supported HTTP versions such as HTTP/3
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Accept: "*/*"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /?arg1=GET%20http%3A%2F%2Fwww.foo.bar%20HTTP%2F3.2
output:
log_contains: id "921110"
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Accept: "*/*"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /?arg1=GET%20http%3A%2F%2Fwww.foo.bar%20HTTP%2F3.2
output:
log_contains: id "921110"


@ -1,70 +1,62 @@
---
meta:
author: csanders-git, Franziska Bühler
description: None
enabled: true
name: 921120.yaml
tests:
-
test_title: 921120-1
meta:
author: csanders-git, Franziska Bühler
description: None
enabled: true
name: 921120.yaml
tests:
- test_title: 921120-1
desc: HTTP response splitting (921120) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash,
*/*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html>
version: HTTP/1.1
output:
log_contains: id "921120"
-
test_title: 921120-2
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html>
version: HTTP/1.1
output:
log_contains: id "921120"
- test_title: 921120-2
desc: "HTTP Response splitting attack"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: "/file.jsp?somevar=foobar%0d%0aContent-Length:%2002343432423<html>ftw</html>"
version: HTTP/1.1
output:
log_contains: id "921120"
-
test_title: 921120-3
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: "/file.jsp?somevar=foobar%0d%0aContent-Length:%2002343432423<html>ftw</html>"
version: HTTP/1.1
output:
log_contains: id "921120"
- test_title: 921120-3
desc: "Fix FP issue 1615. Header followed by word chars."
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: "/file.jsp?somevar=%0A%0Dlocation:%0A%0D"
version: HTTP/1.1
output:
no_log_contains: id "921120"
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: "/file.jsp?somevar=%0A%0Dlocation:%0A%0D"
version: HTTP/1.1
output:
no_log_contains: id "921120"


@ -1,83 +1,73 @@
---
meta:
author: "csanders-git, Franziska Bühler"
description: None
enabled: true
name: 921130.yaml
tests:
-
test_title: 921130-1
meta:
author: "csanders-git, Franziska Bühler"
description: None
enabled: true
name: 921130.yaml
tests:
- test_title: 921130-1
desc: HTTP response splitting (921130) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash,
*/*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /?lang=foobar%3Cmeta%20http-equiv%3D%22Refresh%22%20content%3D%220%3B%20url%3Dhttp%3A%2F%2Fwww.hacker.com%2F%22%3E
version: HTTP/1.1
output:
log_contains: id "921130"
-
test_title: 921130-2
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /?lang=foobar%3Cmeta%20http-equiv%3D%22Refresh%22%20content%3D%220%3B%20url%3Dhttp%3A%2F%2Fwww.hacker.com%2F%22%3E
version: HTTP/1.1
output:
log_contains: id "921130"
- test_title: 921130-2
desc: "HTTP Response splitting attack: cookie data"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
Cookie: "oreo=munchmuch%0d%0a%0d%0a<HTML><title></title></HTML>"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: "/"
output:
log_contains: id "921130"
-
test_title: 921130-3
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
Cookie: "oreo=munchmuch%0d%0a%0d%0a<HTML><title></title></HTML>"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: "/"
output:
log_contains: id "921130"
- test_title: 921130-3
desc: HTTP Request Smuggling with not supported HTTP versions such as HTTP/1.2
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Accept: "*/*"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /?arg1=GET%20http%3A%2F%2Fwww.foo.bar%20HTTP%2F1.2
output:
log_contains: id "921130"
-
test_title: 921130-4
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Accept: "*/*"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /?arg1=GET%20http%3A%2F%2Fwww.foo.bar%20HTTP%2F1.2
output:
log_contains: id "921130"
- test_title: 921130-4
desc: HTTP Request Smuggling with not supported HTTP versions such as HTTP/3
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Accept: "*/*"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /?arg1=GET%20http%3A%2F%2Fwww.foo.bar%20HTTP%2F3.2
output:
log_contains: id "921130"
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Accept: "*/*"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /?arg1=GET%20http%3A%2F%2Fwww.foo.bar%20HTTP%2F3.2
output:
log_contains: id "921130"


@ -1,40 +1,36 @@
---
meta:
author: "Christian S.J. Peron"
enabled: true
name: "921140.yaml"
description: "Tests for protocol based attacks"
tests:
-
test_title: 921140-1
desc: "HTTP Header Injection Attack via headers"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
SomeHeader: "Headerdata\rInjectedHeader: response_splitting_code"
uri: "/"
output:
status: 400
no_log_contains: "id:921140"
-
test_title: 921140-2
desc: "HTTP Header Injection Attack via headers"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
SomeHeader: "Headerdata%0dInjectedHeader: response_splitting_code"
uri: "/"
output:
no_log_contains: "id:921140"
meta:
author: "Christian S.J. Peron"
enabled: true
name: "921140.yaml"
description: "Tests for protocol based attacks"
tests:
- test_title: 921140-1
desc: "HTTP Header Injection Attack via headers"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
SomeHeader: "Headerdata\rInjectedHeader: response_splitting_code"
uri: "/"
output:
status: [400]
no_log_contains: "id:921140"
- test_title: 921140-2
desc: "HTTP Header Injection Attack via headers"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
SomeHeader: "Headerdata%0dInjectedHeader: response_splitting_code"
uri: "/"
output:
no_log_contains: "id:921140"
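Review bot: Both tests in this file assert `no_log_contains: "id:921140"`, while the other test files shown here match the rule ID in the quoted form, for example `log_contains: id "921160"`. If the error log writes IDs in that quoted form, the string `id:921140` can never appear, so the negative check passes whether or not the rule fires, and 921140-2 carries no other assertion. I would write `no_log_contains: id "921140"` in both tests. A one-line comment above each test should also say why a header-injection payload is expected not to log; 921140-1 expects `status: [400]`, which suggests the server rejects the request before the rule is evaluated, but the file does not say so.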


@ -1,23 +1,21 @@
---
meta:
author: "Christian S.J. Peron"
enabled: true
name: "921150.yaml"
description: "Tests for protocol based attacks"
tests:
-
test_title: 921150-1
desc: "HTTP Header Injection Attack via payload"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "user agent"
uri: "/script.jsp?variableX=bar&variable2=Y&%0d%0restofdata"
output:
log_contains: "id \"921150\""
meta:
author: "Christian S.J. Peron"
enabled: true
name: "921150.yaml"
description: "Tests for protocol based attacks"
tests:
- test_title: 921150-1
desc: "HTTP Header Injection Attack via payload"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "user agent"
uri: "/script.jsp?variableX=bar&variable2=Y&%0d%0restofdata"
output:
log_contains: "id \"921150\""


@ -1,87 +1,77 @@
---
meta:
author: "Christian S.J. Peron"
enabled: true
name: "921160.yaml"
description: "Tests for protocol based attacks"
tests:
-
test_title: 921160-1
desc: "HTTP Header Injection Attack via payload: w/header, invalid line break, newlines after key"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "user agent"
uri: "/script_rule921160.jsp?variableX=bar&variable2=Y&%0d%0Remote-addr%0d%0d%0d:%20foo.bar.com"
output:
log_contains: id "921160"
-
test_title: 921160-2
desc: "HTTP Header Injection Attack via payload: w/header, correct line break, newlines after key"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "user agent"
uri: "/script_rule921160.jsp?variableX=bar&variable2=Y&%0d%0aRemote-addr%0d%0d%0d:%20foo.bar.com"
output:
log_contains: id "921160"
-
test_title: 921160-3
desc: "HTTP Header Injection Attack via payload: w/header"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "user agent"
uri: "/script_rule921160.jsp?variableX=bar&variable2=Y&%0d%0aRemote-addr:%20foo.bar.com"
output:
log_contains: id "921160"
-
test_title: 921160-4
desc: "HTTP Header Injection Attack via payload: w/header, attack explicitly in value rather than key"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "user agent"
uri: "/script_rule921160.jsp?variableX=bar&variable2=%0d%0aRemote-addr:%20foo.bar.com"
output:
log_contains: id "921160"
-
test_title: 921160-5
desc: "HTTP Header Injection Attack via payload: w/header, attack explicitly in key rather than value"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "user agent"
uri: "/script_rule921160.jsp?variableX=bar&%0d%0aRemote-addr:%20foo.bar.com=Y"
output:
log_contains: id "921160"
meta:
author: "Christian S.J. Peron"
enabled: true
name: "921160.yaml"
description: "Tests for protocol based attacks"
tests:
- test_title: 921160-1
desc: "HTTP Header Injection Attack via payload: w/header, invalid line break, newlines after key"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "user agent"
uri: "/script_rule921160.jsp?variableX=bar&variable2=Y&%0d%0Remote-addr%0d%0d%0d:%20foo.bar.com"
output:
log_contains: id "921160"
- test_title: 921160-2
desc: "HTTP Header Injection Attack via payload: w/header, correct line break, newlines after key"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "user agent"
uri: "/script_rule921160.jsp?variableX=bar&variable2=Y&%0d%0aRemote-addr%0d%0d%0d:%20foo.bar.com"
output:
log_contains: id "921160"
- test_title: 921160-3
desc: "HTTP Header Injection Attack via payload: w/header"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "user agent"
uri: "/script_rule921160.jsp?variableX=bar&variable2=Y&%0d%0aRemote-addr:%20foo.bar.com"
output:
log_contains: id "921160"
- test_title: 921160-4
desc: "HTTP Header Injection Attack via payload: w/header, attack explicitly in value rather than key"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "user agent"
uri: "/script_rule921160.jsp?variableX=bar&variable2=%0d%0aRemote-addr:%20foo.bar.com"
output:
log_contains: id "921160"
- test_title: 921160-5
desc: "HTTP Header Injection Attack via payload: w/header, attack explicitly in key rather than value"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "user agent"
uri: "/script_rule921160.jsp?variableX=bar&%0d%0aRemote-addr:%20foo.bar.com=Y"
output:
log_contains: id "921160"


@ -1,63 +1,59 @@
---
meta:
author: "Andrea Menin (theMiddle)"
description: "HTTP Splitting"
enabled: true
name: 921190.yaml
tests:
-
test_title: 921190-1
meta:
author: "Andrea Menin (theMiddle)"
description: "HTTP Splitting"
enabled: true
name: 921190.yaml
tests:
- test_title: 921190-1
desc: "New line char in request filename (1)"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
uri: "/foo%0Abar"
output:
log_contains: id "921190"
-
test_title: 921190-2
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
uri: "/foo%0Abar"
output:
log_contains: id "921190"
- test_title: 921190-2
desc: "New line char in request filename (2)"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
uri: "/foo%0abar"
output:
log_contains: id "921190"
-
test_title: 921190-3
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
uri: "/foo%0abar"
output:
log_contains: id "921190"
- test_title: 921190-3
desc: "FastCGI variable injection: Nginx + PHP-FPM (CVE-2019-11043)"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
uri: "/index.php/PHP%0Ainfo.php?QQQ"
output:
log_contains: id "921190"
-
test_title: 921190-4
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
uri: "/index.php/PHP%0Ainfo.php?QQQ"
output:
log_contains: id "921190"
- test_title: 921190-4
desc: "PHP Settings injection: Nginx + PHP-FPM (CVE-2019-11043)"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
uri: "/index.php/PHP_VALUE%0Asession.auto_start=1;;;?QQQ"
output:
log_contains: id "921190"
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
uri: "/index.php/PHP_VALUE%0Asession.auto_start=1;;;?QQQ"
output:
log_contains: id "921190"


@ -1,167 +1,157 @@
---
meta:
author: "Christian Folini"
description: "LDAP injection"
enabled: true
name: 921200.yaml
tests:
-
test_title: 921200-1
meta:
author: "Christian Folini"
description: "LDAP injection"
enabled: true
name: 921200.yaml
tests:
- test_title: 921200-1
desc: "Testing for FP, this should not trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
method: POST
data: "foo=(%26(objectCategory=computer) (userAccountControl:1.2.840.113556.1.4.803:=8192))"
uri: "/"
output:
no_log_contains: id "921200"
-
test_title: 921200-2
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
method: POST
data: "foo=(%26(objectCategory=computer) (userAccountControl:1.2.840.113556.1.4.803:=8192))"
uri: "/"
output:
no_log_contains: id "921200"
- test_title: 921200-2
desc: "Testing for FP, this should not trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
method: POST
data: "foo=(objectSID=S-1-5-21-73586283-152049171-839522115-1111)"
uri: "/"
output:
no_log_contains: id "921200"
-
test_title: 921200-3
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
method: POST
data: "foo=(objectSID=S-1-5-21-73586283-152049171-839522115-1111)"
uri: "/"
output:
no_log_contains: id "921200"
- test_title: 921200-3
desc: "Testing for FP, this should not trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
method: POST
data: "foo=(userAccountControl:1.2.840.113556.1.4.803:=67108864)(%26(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))"
uri: "/"
output:
no_log_contains: id "921200"
-
test_title: 921200-4
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
method: POST
data: "foo=(userAccountControl:1.2.840.113556.1.4.803:=67108864)(%26(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))"
uri: "/"
output:
no_log_contains: id "921200"
- test_title: 921200-4
desc: "Testing for rule, this should trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
method: POST
data: "foo=bar)(%26)"
uri: "/"
port: 80
output:
log_contains: id "921200"
-
test_title: 921200-5
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
method: POST
data: "foo=bar)(%26)"
uri: "/"
port: 80
output:
log_contains: id "921200"
- test_title: 921200-5
desc: "Testing for rule, this should trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
method: POST
data: "foo=printer)(uid=*)"
uri: "/"
port: 80
output:
log_contains: id "921200"
-
test_title: 921200-6
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
method: POST
data: "foo=printer)(uid=*)"
uri: "/"
port: 80
output:
log_contains: id "921200"
- test_title: 921200-6
desc: "Testing for rule, this should trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
method: POST
data: "foo=void)(objectClass=users))(%26(objectClass=void)"
uri: "/"
port: 80
output:
log_contains: id "921200"
-
test_title: 921200-7
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
method: POST
data: "foo=void)(objectClass=users))(%26(objectClass=void)"
uri: "/"
port: 80
output:
log_contains: id "921200"
- test_title: 921200-7
desc: "Testing for rule, this should trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
method: POST
data: "foo=eb9adbd87d)!(sn=*"
uri: "/"
port: 80
output:
log_contains: id "921200"
-
test_title: 921200-8
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
method: POST
data: "foo=eb9adbd87d)!(sn=*"
uri: "/"
port: 80
output:
log_contains: id "921200"
- test_title: 921200-8
desc: "Testing for rule, this should trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
method: POST
data: "foo=*)!(sn=*"
uri: "/"
port: 80
output:
log_contains: id "921200"
-
test_title: 921200-9
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
method: POST
data: "foo=*)!(sn=*"
uri: "/"
port: 80
output:
log_contains: id "921200"
- test_title: 921200-9
desc: "Testing for rule, this should trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
method: POST
data: "foo=*)(uid=*))(|(uid=*"
uri: "/"
port: 80
output:
log_contains: id "921200"
-
test_title: 921200-10
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
method: POST
data: "foo=*)(uid=*))(|(uid=*"
uri: "/"
port: 80
output:
log_contains: id "921200"
- test_title: 921200-10
desc: "Testing for rule, this should trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
method: POST
data: "foo=aaa*aaa)(cn>=bob)"
uri: "/"
port: 80
output:
log_contains: id "921200"
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
method: POST
data: "foo=aaa*aaa)(cn>=bob)"
uri: "/"
port: 80
output:
log_contains: id "921200"


@ -1,23 +1,21 @@
---
meta:
author: "Christian S.J. Peron"
enabled: true
name: "930100.yaml"
description: "Application attack LFI"
tests:
-
test_title: 930100-1
desc: "Path Traversal Attack (/../) encoded"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
FoobarHeader: "0x5c0x2e.%00/"
uri: "/"
output:
log_contains: id "930100"
meta:
author: "Christian S.J. Peron"
enabled: true
name: "930100.yaml"
description: "Application attack LFI"
tests:
- test_title: 930100-1
desc: "Path Traversal Attack (/../) encoded"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
FoobarHeader: "0x5c0x2e.%00/"
uri: "/"
output:
log_contains: id "930100"

Some files were not shown because too many files have changed in this diff Show more