mirror of
https://github.com/bunkerity/bunkerized-nginx
synced 2023-12-13 21:30:18 +01:00
Merge pull request #629 from bunkerity/dev
Update coreruleset to version 3.3.5 and Fix permissions with folders in linux integrations
commit
5811dc549c
218 changed files with 41975 additions and 47151 deletions
|
@ -8,11 +8,13 @@
|
|||
- [BUGFIX] Fix logs page not working in UI on Linux integrations
|
||||
- [BUGFIX] Fix settings regex that had issues in general and with the UI
|
||||
- [BUGFIX] Fix scheduler error with external plugins when reloading
|
||||
- [BUGFIX] Fix permissions with folders in linux integrations
|
||||
- [MISC] Push Docker images to GitHub packages (ghcr.io repository)
|
||||
- [MISC] Improved CI/CD
|
||||
- [MISC] Updated python dependencies
|
||||
- [MISC] Updated Python Docker image to 3.11.5-alpine in Dockerfiles
|
||||
- [MISC] Add support for ModSecurity JSON LogFormat
|
||||
- [MISC] Updated OWASP coreruleset to 3.3.5
|
||||
|
||||
## v1.5.1 - 2023/08/08
|
||||
|
||||
|
|
|
@ -14,44 +14,32 @@ on:
|
|||
- '.github/**'
|
||||
|
||||
jobs:
|
||||
# "modsec2-apache", "modsec3-apache", "modsec3-nginx"
|
||||
regression:
|
||||
runs-on: ubuntu-latest
|
||||
strategy:
|
||||
# change to true
|
||||
fail-fast: false
|
||||
matrix:
|
||||
modsec_version: [modsec2-apache]
|
||||
steps:
|
||||
- name: "Checkout repo"
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Set up Python 3
|
||||
uses: actions/setup-python@v2
|
||||
with:
|
||||
python-version: '3.x'
|
||||
- uses: actions/cache@v2
|
||||
id: cache
|
||||
with:
|
||||
path: ~/.cache/pip
|
||||
key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
|
||||
restore-keys: |
|
||||
${{ runner.os }}-pip-
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: "Install dependencies"
|
||||
env:
|
||||
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
GO_FTW_VERSION: '0.4.6'
|
||||
run: |
|
||||
pip install --upgrade setuptools wheel
|
||||
pip install -r tests/regression/requirements.txt
|
||||
pip install pytest-github-actions-annotate-failures
|
||||
gh release download -R coreruleset/go-ftw v${GO_FTW_VERSION} -p "ftw_${GO_FTW_VERSION}_linux_amd64.tar.gz" -O - | tar -xzvf - ftw
|
||||
|
||||
- name: "Run tests for ${{ matrix.modsec_version }}"
|
||||
run: |
|
||||
mkdir -p tests/logs/${{ matrix.modsec_version }}/{nginx,apache2}
|
||||
docker-compose -f ./tests/docker-compose.yml up -d "${{ matrix.modsec_version }}"
|
||||
# Use mounted volume path
|
||||
py.test -vs --tb=short tests/regression/CRS_Tests.py \
|
||||
--config="${{ matrix.modsec_version }}" \
|
||||
--ruledir_recurse=./tests/regression/tests/
|
||||
docker-compose -f ./tests/docker-compose.yml logs
|
||||
[ $(docker inspect ${{ matrix.modsec_version }} --format='{{.State.Running}}') = 'true' ]
|
||||
./ftw check -d tests/regression/tests
|
||||
./ftw run -d tests/regression/tests --show-failures-only
|
||||
env:
|
||||
FTW_LOGFILE: './tests/logs/modsec2-apache/error.log'
|
||||
|
||||
- name: "Change permissions if failed"
|
||||
if: failure()
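Review bot: The "Install dependencies" step pipes the go-ftw archive from `gh release download` straight into `tar -xzvf - ftw`, and the job then runs `./ftw`, so a binary is executed without any integrity check; `GO_FTW_VERSION` pins the tag only, not the content of the release asset. Download to a file and verify a pinned digest before extracting, e.g. `gh release download ... -O ftw.tar.gz`, then `echo "<EXPECTED_SHA256>  ftw.tar.gz" | sha256sum -c -`, then `tar -xzf ftw.tar.gz ftw` (the digest is a placeholder, to be taken from the upstream release). `uses: actions/checkout@v3` is likewise a mutable tag, and pinning it to a full commit SHA closes the same gap for the action. Because the step exports `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, a top-level `permissions:` block limited to `contents: read` is worth confirming in the part of the file above this hunk. The +/- markers are lost in this rendering and the job continues past the hunk, so which lines are new is inferred from the hunk counts; if this file is a vendored copy of the upstream coreruleset workflow, the change belongs upstream.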
|
||||
|
|
|
@ -15,4 +15,6 @@ rules:
|
|||
# don't bother me with this rule
|
||||
indentation: disable
|
||||
|
||||
comments: {require-starting-space: false}
|
||||
comments:
|
||||
require-starting-space: true # default
|
||||
min-spaces-from-content: 1
|
||||
|
|
File diff suppressed because it is too large
1499
src/common/core/modsecurity/files/coreruleset/CHANGES.md
Normal file
1499
src/common/core/modsecurity/files/coreruleset/CHANGES.md
Normal file
File diff suppressed because it is too large
|
@ -1,35 +1,4 @@
|
|||
# Security Policy
|
||||
|
||||
## Supported Versions
|
||||
See policy here: https://github.com/coreruleset/coreruleset/blob/v4.0/dev/SECURITY.md
|
||||
|
||||
OWASP CRS has two types of releases, Major releases (3.0.0, 3.1.0, 3.2.0 etc.) and point releases (3.0.1, 3.0.2 etc.).
|
||||
For more information see our [wiki](https://github.com/SpiderLabs/owasp-modsecurity-crs/wiki/Release-Policy).
|
||||
The OWASP CRS officially supports the two point releases with security patching preceding the current major release .
|
||||
We are happy to receive and merge PR's that address security issues in older versions of the project, but the team itself may choose not to fix these.
|
||||
Along those lines, OWASP CRS team may not issue security notifications for unsupported software.
|
||||
|
||||
| Version | Supported |
|
||||
| --------- | ------------------ |
|
||||
| 3.3.x-dev | :white_check_mark: |
|
||||
| 3.2.x | :white_check_mark: |
|
||||
| 3.1.x | :white_check_mark: |
|
||||
| 3.0.x | :x: |
|
||||
|
||||
## Reporting a Vulnerability
|
||||
|
||||
We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beginner and experienced users.
|
||||
We welcome bug reports, false positive alert reports, evasions, usability issues, and suggestions for new detections.
|
||||
Submit these types of non-vulnerability related issues via Github.
|
||||
Please include your installed version and the relevant portions of your audit log.
|
||||
False negative or common bypasses should [create an issue](https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/new) so they can be addressed.
|
||||
|
||||
Do this before submitting a vulnerability using our email:
|
||||
1) Verify that you have the latest version of OWASP CRS.
|
||||
2) Validate which Paranoia Level this bypass applies to. If it works in PL4, please send us an email.
|
||||
3) If you detected anything that causes unexpected behavior of the engine via manipulation of existing CRS provided rules, please send it by email.
|
||||
|
||||
Our email is [security@coreruleset.org](mailto:security@coreruleset.org). You can send us encrypted email using [this key](https://coreruleset.org/security.asc), (fingerprint: `3600 6F0E 0BA1 6783 2158 8211 38EE ACA1 AB8A 6E72`).
|
||||
|
||||
We are happy to work with the community to provide CVE identifiers for any discovered security issues if requested.
|
||||
|
||||
If in doubt, feel free to reach out to us!
|
||||
|
|
|
@ -1,10 +1,13 @@
|
|||
## GOLD SPONSORS
|
||||
|
||||
* VMWare (Avi Networks)
|
||||
* F5/NGINX
|
||||
* Edgio
|
||||
* Google
|
||||
* Microsoft
|
||||
* Nginx (Part of F5)
|
||||
* United Security Providers
|
||||
* VMWare
|
||||
|
||||
## SILVER SPONSORS
|
||||
|
||||
* Bug Bounty Switzerland
|
||||
* Google Cloud Armor
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -863,7 +863,7 @@ SecCollectionTimeout 600
|
|||
SecAction \
|
||||
"id:900990,\
|
||||
phase:1,\
|
||||
nolog,\
|
||||
pass,\
|
||||
t:none,\
|
||||
setvar:tx.crs_setup_version=334"
|
||||
nolog,\
|
||||
setvar:tx.crs_setup_version=335"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -26,7 +26,7 @@
|
|||
#
|
||||
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature
|
||||
#
|
||||
SecComponentSignature "OWASP_CRS/3.3.4"
|
||||
SecComponentSignature "OWASP_CRS/3.3.5"
|
||||
|
||||
#
|
||||
# -=[ Default setup values ]=-
|
||||
|
@ -59,7 +59,7 @@ SecRule &TX:crs_setup_version "@eq 0" \
|
|||
log,\
|
||||
auditlog,\
|
||||
msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL'"
|
||||
|
||||
|
||||
|
@ -77,7 +77,7 @@ SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.inbound_anomaly_score_threshold=5'"
|
||||
|
||||
# Default Outbound Anomaly Threshold Level (rule 900110 in setup.conf)
|
||||
|
@ -86,7 +86,7 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.outbound_anomaly_score_threshold=4'"
|
||||
|
||||
# Default Paranoia Level (rule 900000 in setup.conf)
|
||||
|
@ -95,7 +95,7 @@ SecRule &TX:paranoia_level "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.paranoia_level=1'"
|
||||
|
||||
# Default Executing Paranoia Level (rule 900000 in setup.conf)
|
||||
|
@ -104,7 +104,7 @@ SecRule &TX:executing_paranoia_level "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}'"
|
||||
|
||||
# Default Sampling Percentage (rule 900400 in setup.conf)
|
||||
|
@ -113,7 +113,7 @@ SecRule &TX:sampling_percentage "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.sampling_percentage=100'"
|
||||
|
||||
# Default Anomaly Scores (rule 900100 in setup.conf)
|
||||
|
@ -122,7 +122,7 @@ SecRule &TX:critical_anomaly_score "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.critical_anomaly_score=5'"
|
||||
|
||||
SecRule &TX:error_anomaly_score "@eq 0" \
|
||||
|
@ -130,7 +130,7 @@ SecRule &TX:error_anomaly_score "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.error_anomaly_score=4'"
|
||||
|
||||
SecRule &TX:warning_anomaly_score "@eq 0" \
|
||||
|
@ -138,7 +138,7 @@ SecRule &TX:warning_anomaly_score "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.warning_anomaly_score=3'"
|
||||
|
||||
SecRule &TX:notice_anomaly_score "@eq 0" \
|
||||
|
@ -146,7 +146,7 @@ SecRule &TX:notice_anomaly_score "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.notice_anomaly_score=2'"
|
||||
|
||||
# Default do_reput_block
|
||||
|
@ -155,7 +155,7 @@ SecRule &TX:do_reput_block "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.do_reput_block=0'"
|
||||
|
||||
# Default block duration
|
||||
|
@ -164,7 +164,7 @@ SecRule &TX:reput_block_duration "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.reput_block_duration=300'"
|
||||
|
||||
# Default HTTP policy: allowed_methods (rule 900200)
|
||||
|
@ -173,7 +173,7 @@ SecRule &TX:allowed_methods "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
|
||||
|
||||
# Default HTTP policy: allowed_request_content_type (rule 900220)
|
||||
|
@ -182,7 +182,7 @@ SecRule &TX:allowed_request_content_type "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
|
||||
|
||||
# Default HTTP policy: allowed_request_content_type_charset (rule 900270)
|
||||
|
@ -191,7 +191,7 @@ SecRule &TX:allowed_request_content_type_charset "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'"
|
||||
|
||||
# Default HTTP policy: allowed_http_versions (rule 900230)
|
||||
|
@ -200,7 +200,7 @@ SecRule &TX:allowed_http_versions "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
|
||||
|
||||
# Default HTTP policy: restricted_extensions (rule 900240)
|
||||
|
@ -209,7 +209,7 @@ SecRule &TX:restricted_extensions "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
|
||||
|
||||
# Default HTTP policy: restricted_headers (rule 900250)
|
||||
|
@ -218,7 +218,7 @@ SecRule &TX:restricted_headers "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.restricted_headers=/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/'"
|
||||
|
||||
# Default HTTP policy: static_extensions (rule 900260)
|
||||
|
@ -227,7 +227,7 @@ SecRule &TX:static_extensions "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
|
||||
|
||||
# Default enforcing of body processor URLENCODED
|
||||
|
@ -236,9 +236,27 @@ SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.enforce_bodyproc_urlencoded=0'"
|
||||
|
||||
# Default check for UTF8 encoding validation
|
||||
SecRule &TX:crs_validate_utf8_encoding "@eq 0" \
|
||||
"id:901169,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.crs_validate_utf8_encoding=0'"
|
||||
|
||||
# Default monitor_anomaly_score value
|
||||
SecRule &TX:monitor_anomaly_score "@eq 0" \
|
||||
"id:901170,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.monitor_anomaly_score=0'"
|
||||
|
||||
#
|
||||
# -=[ Initialize internal variables ]=-
|
||||
#
|
||||
|
@ -254,7 +272,7 @@ SecAction \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.anomaly_score=0',\
|
||||
setvar:'tx.anomaly_score_pl1=0',\
|
||||
setvar:'tx.anomaly_score_pl2=0',\
|
||||
|
@ -291,7 +309,7 @@ SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \
|
|||
pass,\
|
||||
t:none,t:sha1,t:hexEncode,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.ua_hash=%{MATCHED_VAR}'"
|
||||
|
||||
SecAction \
|
||||
|
@ -300,7 +318,7 @@ SecAction \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
initcol:global=global,\
|
||||
initcol:ip=%{remote_addr}_%{tx.ua_hash},\
|
||||
setvar:'tx.real_ip=%{remote_addr}'"
|
||||
|
@ -319,9 +337,8 @@ SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
|
|||
nolog,\
|
||||
noauditlog,\
|
||||
msg:'Enabling body inspection',\
|
||||
tag:'paranoia-level/1',\
|
||||
ctl:forceRequestBodyVariable=On,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Force body processor URLENCODED
|
||||
SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
|
||||
|
@ -332,7 +349,7 @@ SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
|
|||
nolog,\
|
||||
noauditlog,\
|
||||
msg:'Enabling forced body inspection for ASCII content',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
|
||||
"ctl:requestBodyProcessor=URLENCODED"
|
||||
|
@ -371,7 +388,7 @@ SecRule TX:sampling_percentage "@eq 100" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
skipAfter:END-SAMPLING"
|
||||
|
||||
SecRule UNIQUE_ID "@rx ^." \
|
||||
|
@ -380,7 +397,7 @@ SecRule UNIQUE_ID "@rx ^." \
|
|||
pass,\
|
||||
t:sha1,t:hexEncode,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'TX.sampling_rnd100=%{MATCHED_VAR}'"
|
||||
|
||||
SecRule DURATION "@rx (..)$" \
|
||||
|
@ -389,7 +406,7 @@ SecRule DURATION "@rx (..)$" \
|
|||
pass,\
|
||||
capture,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'TX.sampling_rnd100=%{TX.sampling_rnd100}%{TX.1}'"
|
||||
|
||||
SecRule TX:sampling_rnd100 "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
|
||||
|
@ -398,7 +415,7 @@ SecRule TX:sampling_rnd100 "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
|
|||
pass,\
|
||||
capture,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'"
|
||||
|
||||
SecRule TX:sampling_rnd100 "@rx ^0([0-9])" \
|
||||
|
@ -407,7 +424,7 @@ SecRule TX:sampling_rnd100 "@rx ^0([0-9])" \
|
|||
pass,\
|
||||
capture,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'TX.sampling_rnd100=%{TX.1}'"
|
||||
|
||||
|
||||
|
@ -432,7 +449,7 @@ SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \
|
|||
noauditlog,\
|
||||
msg:'Sampling: Disable the rule engine based on sampling_percentage %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',\
|
||||
ctl:ruleEngine=Off,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
SecMarker "END-SAMPLING"
|
||||
|
||||
|
@ -450,4 +467,4 @@ SecRule TX:executing_paranoia_level "@lt %{tx.paranoia_level}" \
|
|||
t:none,\
|
||||
log,\
|
||||
msg:'Executing paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting',\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -69,7 +69,7 @@ SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
|
||||
|
||||
SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
|
||||
|
@ -78,7 +78,7 @@ SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
|
||||
|
||||
|
||||
|
@ -116,7 +116,7 @@ SecAction "id:9001100,\
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES_NAMES,\
|
||||
ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -131,7 +131,7 @@ SecRule REQUEST_FILENAME "@endsWith /core/install.php" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:account[pass][pass1],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:account[pass][pass2],\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /user/login" \
|
||||
"id:9001112,\
|
||||
|
@ -140,7 +140,7 @@ SecRule REQUEST_FILENAME "@endsWith /user/login" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin/people/create" \
|
||||
"id:9001114,\
|
||||
|
@ -149,7 +149,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/people/create" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass1],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass2],\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@rx /user/[0-9]+/edit$" \
|
||||
"id:9001116,\
|
||||
|
@ -159,7 +159,7 @@ SecRule REQUEST_FILENAME "@rx /user/[0-9]+/edit$" \
|
|||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:current_pass,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass1],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass2],\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -179,7 +179,7 @@ SecRule REQUEST_FILENAME "@contains /admin/config/" \
|
|||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveById=942430,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin/config/people/accounts" \
|
||||
"id:9001124,\
|
||||
|
@ -196,7 +196,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/people/accounts" \
|
|||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_activated_body,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_blocked_body,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_canceled_body,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/configuration/single/import" \
|
||||
"id:9001126,\
|
||||
|
@ -205,7 +205,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/development/configuration/sing
|
|||
nolog,\
|
||||
ctl:ruleRemoveById=920271,\
|
||||
ctl:ruleRemoveById=942440,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
|
||||
"id:9001128,\
|
||||
|
@ -213,7 +213,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
|
|||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveById=942440,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -230,7 +230,7 @@ SecRule REQUEST_FILENAME "@endsWith /contextual/render" \
|
|||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=942130;ARGS:ids[],\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -249,7 +249,7 @@ SecAction "id:9001160,\
|
|||
ctl:ruleRemoveTargetById=942440;ARGS:form_build_id,\
|
||||
ctl:ruleRemoveTargetById=942450;ARGS:form_token,\
|
||||
ctl:ruleRemoveTargetById=942450;ARGS:form_build_id,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -266,7 +266,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/content/formats/manage/full_ht
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:editor[settings][toolbar][button_groups],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:filters[filter_html][settings][allowed_html],\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -350,7 +350,7 @@ SecRule REQUEST_FILENAME "@endsWith /node/add/article" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
|
||||
ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /node/add/page" \
|
||||
"id:9001202,\
|
||||
|
@ -359,7 +359,7 @@ SecRule REQUEST_FILENAME "@endsWith /node/add/page" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
|
||||
ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@rx /node/[0-9]+/edit$" \
|
||||
"id:9001204,\
|
||||
|
@ -369,7 +369,7 @@ SecRule REQUEST_FILENAME "@rx /node/[0-9]+/edit$" \
|
|||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
|
||||
ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\
|
||||
ctl:ruleRemoveTargetById=932110;ARGS:destination,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /block/add" \
|
||||
"id:9001206,\
|
||||
|
@ -377,7 +377,7 @@ SecRule REQUEST_FILENAME "@endsWith /block/add" \
|
|||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin/structure/block/block-content/manage/basic" \
|
||||
"id:9001208,\
|
||||
|
@ -385,7 +385,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/structure/block/block-content/manage/
|
|||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:description,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@rx /editor/filter_xss/(?:full|basic)_html$" \
|
||||
"id:9001210,\
|
||||
|
@ -393,7 +393,7 @@ SecRule REQUEST_FILENAME "@rx /editor/filter_xss/(?:full|basic)_html$" \
|
|||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:value,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@rx /user/[0-9]+/contact$" \
|
||||
"id:9001212,\
|
||||
|
@ -401,7 +401,7 @@ SecRule REQUEST_FILENAME "@rx /user/[0-9]+/contact$" \
|
|||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message[0][value],\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
|
||||
"id:9001214,\
|
||||
|
@ -409,7 +409,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
|
|||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:maintenance_mode_message,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin/config/services/rss-publishing" \
|
||||
"id:9001216,\
|
||||
|
@ -417,7 +417,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/services/rss-publishing" \
|
|||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:feed_description,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
|
||||
SecMarker "END-DRUPAL-RULE-EXCLUSIONS"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -23,7 +23,7 @@ SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
skipAfter:END-WORDPRESS"
|
||||
|
||||
SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
|
||||
|
@ -32,7 +32,7 @@ SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
skipAfter:END-WORDPRESS"
|
||||
|
||||
|
||||
|
@ -53,7 +53,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Reset password
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
|
||||
|
@ -62,7 +62,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq resetpass" \
|
||||
"t:none,\
|
||||
|
@ -86,7 +86,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-comments-post.php" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:url,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -103,7 +103,7 @@ SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:posts|pages)" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:content,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.content,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Gutenberg via rest_route for sites without pretty permalinks
|
||||
SecRule REQUEST_FILENAME "@endsWith /index.php" \
|
||||
|
@ -112,7 +112,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule &ARGS:rest_route "@eq 1" \
|
||||
"t:none,\
|
||||
|
@ -132,7 +132,7 @@ SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/media" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveById=200002,\
|
||||
ctl:ruleRemoveById=200003,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Gutenberg upload image/media via rest_route for sites without pretty permalinks
|
||||
SecRule REQUEST_FILENAME "@endsWith /index.php" \
|
||||
|
@ -141,7 +141,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule &ARGS:rest_route "@eq 1" \
|
||||
"t:none,\
|
||||
|
@ -170,7 +170,7 @@ SecRule ARGS:wp_customize "@streq on" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule &ARGS:action "@eq 0" \
|
||||
"t:none,\
|
||||
|
@ -191,7 +191,7 @@ SecRule ARGS:wp_customize "@streq on" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule ARGS:action "@rx ^(?:|customize_save|update-widget)$" \
|
||||
"t:none,\
|
||||
|
@ -232,7 +232,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-cron.php" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveById=920180,\
|
||||
ctl:ruleRemoveById=920300,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -247,7 +247,7 @@ SecRule REQUEST_COOKIES:_wp_session "@rx ^[0-9a-f]+\|\|\d+\|\|\d+$" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule &REQUEST_COOKIES:_wp_session "@eq 1" \
|
||||
"t:none,\
|
||||
|
@ -266,7 +266,7 @@ SecRule REQUEST_FILENAME "!@contains /wp-admin/" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
skipAfter:END-WORDPRESS-ADMIN"
|
||||
|
||||
SecRule REQUEST_FILENAME "!@contains /wp-admin/" \
|
||||
|
@ -275,7 +275,7 @@ SecRule REQUEST_FILENAME "!@contains /wp-admin/" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
skipAfter:END-WORDPRESS-ADMIN"
|
||||
|
||||
|
||||
|
@ -290,7 +290,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/setup-config.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule ARGS:step "@streq 2" \
|
||||
"t:none,\
|
||||
|
@ -306,7 +306,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/install.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule ARGS:step "@streq 2" \
|
||||
"t:none,\
|
||||
|
@ -329,7 +329,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/profile.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq update" \
|
||||
"t:none,\
|
||||
|
@ -357,7 +357,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-edit.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq update" \
|
||||
"t:none,\
|
||||
|
@ -386,7 +386,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-new.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq createuser" \
|
||||
"t:none,\
|
||||
|
@ -427,7 +427,7 @@ SecAction \
|
|||
ctl:ruleRemoveTargetById=942200;ARGS:wp_http_referer,\
|
||||
ctl:ruleRemoveTargetById=942260;ARGS:wp_http_referer,\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS:wp_http_referer,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
#
|
||||
# [ Content editing ]
|
||||
|
@ -444,7 +444,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule ARGS:action "@rx ^(?:edit|editpost)$" \
|
||||
"t:none,\
|
||||
|
@ -464,7 +464,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq heartbeat" \
|
||||
"t:none,\
|
||||
|
@ -486,7 +486,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/nav-menus.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq update" \
|
||||
"t:none,\
|
||||
|
@ -511,7 +511,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule ARGS:action "@rx ^(?:save-widget|update-widget)$" \
|
||||
"t:none,\
|
||||
|
@ -566,7 +566,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq widgets-order" \
|
||||
"t:none,\
|
||||
|
@ -595,7 +595,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq sample-permalink" \
|
||||
"t:none,\
|
||||
|
@ -611,7 +611,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq add-menu-item" \
|
||||
"t:none,\
|
||||
|
@ -627,7 +627,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq send-attachment-to-editor" \
|
||||
"t:none,\
|
||||
|
@ -648,7 +648,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule ARGS:option_page "@streq general" \
|
||||
"t:none,\
|
||||
|
@ -679,7 +679,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/options-permalink.php" \
|
|||
ctl:ruleRemoveTargetById=920272;ARGS:permalink_structure,\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS:permalink_structure,\
|
||||
ctl:ruleRemoveTargetById=920272;REQUEST_BODY,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Comments blacklist and moderation list
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
|
||||
|
@ -688,7 +688,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule ARGS:option_page "@streq discussion" \
|
||||
"t:none,\
|
||||
|
@ -712,7 +712,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/edit.php" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:s,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -751,7 +751,7 @@ SecRule REQUEST_FILENAME "@rx /wp-admin/load-(?:scripts|styles)\.php$" \
|
|||
ctl:ruleRemoveTargetById=942430;ARGS:load[],\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS:load[],\
|
||||
ctl:ruleRemoveTargetById=942432;ARGS:load[],\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
|
||||
SecMarker "END-WORDPRESS-ADMIN"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -44,7 +44,7 @@ SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
skipAfter:END-NEXTCLOUD"
|
||||
|
||||
SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \
|
||||
|
@ -53,7 +53,7 @@ SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
skipAfter:END-NEXTCLOUD"
|
||||
|
||||
|
||||
|
@ -75,7 +75,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \
|
|||
ctl:ruleRemoveById=953100-953130,\
|
||||
ctl:ruleRemoveById=920420,\
|
||||
ctl:ruleRemoveById=920440,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Skip PUT parsing for invalid encoding / protocol violations in binary files.
|
||||
|
||||
|
@ -85,7 +85,7 @@ SecRule REQUEST_METHOD "@streq PUT" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \
|
||||
"t:none,\
|
||||
|
@ -103,7 +103,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/vcard|'"
|
||||
|
||||
# Allow the data type 'application/octet-stream'
|
||||
|
@ -114,7 +114,7 @@ SecRule REQUEST_METHOD "@rx ^(?:PUT|MOVE)$" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule REQUEST_FILENAME "@rx /remote\.php/dav/(?:files|uploads)/" \
|
||||
"setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |application/octet-stream|'"
|
||||
|
@ -127,7 +127,7 @@ SecRule REQUEST_METHOD "@streq PUT" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule REQUEST_FILENAME "@rx (?:/public\.php/webdav/|/remote\.php/dav/uploads/)" \
|
||||
"ctl:ruleRemoveById=920340,\
|
||||
|
@ -148,7 +148,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
|
|||
ctl:ruleRemoveById=951000-951999,\
|
||||
ctl:ruleRemoveById=953100-953130,\
|
||||
ctl:ruleRemoveById=920440,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Allow REPORT requests without Content-Type header (at least the iOS app does this)
|
||||
|
||||
|
@ -177,7 +177,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/core/search" \
|
|||
ctl:ruleRemoveTargetByTag=attack-injection-php;ARGS:query,\
|
||||
ctl:ruleRemoveTargetById=941000-942999;ARGS:query,\
|
||||
ctl:ruleRemoveTargetById=932000-932999;ARGS:query,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
|
||||
# [ DAV ]
|
||||
|
@ -199,7 +199,7 @@ SecRule REQUEST_FILENAME "@rx /(?:remote|index|public)\.php/" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT PATCH CHECKOUT COPY DELETE LOCK MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH UNLOCK REPORT TRACE jsonp'"
|
||||
|
||||
|
||||
|
@ -213,7 +213,7 @@ SecRule REQUEST_FILENAME "@rx /ocs/v[0-9]+\.php/apps/files_sharing/" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE'"
|
||||
|
||||
|
||||
|
@ -226,7 +226,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/core/preview.png" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=932150;ARGS:file,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Filepreview for trashbin
|
||||
|
||||
|
@ -238,7 +238,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/files_trashbin/ajax/preview.
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetById=932150;ARGS:file,\
|
||||
ctl:ruleRemoveTargetById=942190;ARGS:file,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@rx /index\.php/(?:apps/gallery/thumbnails|logout$)" \
|
||||
"id:9003160,\
|
||||
|
@ -247,7 +247,7 @@ SecRule REQUEST_FILENAME "@rx /index\.php/(?:apps/gallery/thumbnails|logout$)" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=941120;ARGS:requesttoken,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
|
||||
# [ Ownnote ]
|
||||
|
@ -259,7 +259,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/ownnote/" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveById=941150,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
|
||||
# [ Text Editor ]
|
||||
|
@ -277,7 +277,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/files_texteditor/" \
|
|||
ctl:ruleRemoveTargetById=932150;ARGS:filename,\
|
||||
ctl:ruleRemoveTargetById=920370-920390;ARGS:filecontents,\
|
||||
ctl:ruleRemoveTargetById=920370-920390;ARGS_COMBINED_SIZE,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
|
||||
# [ Address Book ]
|
||||
|
@ -290,7 +290,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/addressbooks/" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/vcard|'"
|
||||
|
||||
# Allow modifying contacts via the web interface
|
||||
|
@ -316,7 +316,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/calendars/" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/calendar|'"
|
||||
|
||||
# Allow modifying calendar events via the web interface
|
||||
|
@ -344,7 +344,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/notes/" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveByTag=attack-injection-php,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
|
||||
# [ Bookmarks ]
|
||||
|
@ -358,7 +358,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/bookmarks/" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveById=931130,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -377,7 +377,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/login" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetById=941100;ARGS:requesttoken,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Reset password.
|
||||
|
||||
|
@ -387,7 +387,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php/login" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq resetpass" \
|
||||
"t:none,\
|
||||
|
@ -408,7 +408,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php/settings/users" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:newuserpassword,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
|
||||
SecMarker "END-NEXTCLOUD-ADMIN"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -27,7 +27,7 @@ SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
skipAfter:END-DOKUWIKI"
|
||||
|
||||
SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \
|
||||
|
@ -36,7 +36,7 @@ SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
skipAfter:END-DOKUWIKI"
|
||||
|
||||
|
||||
|
@ -81,7 +81,7 @@ SecRule REQUEST_FILENAME "@rx (?:/doku.php|/lib/exe/ajax.php)$" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule REQUEST_METHOD "@streq POST" \
|
||||
"t:none,\
|
||||
|
@ -106,7 +106,7 @@ SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule REQUEST_METHOD "@streq POST" \
|
||||
"t:none,\
|
||||
|
@ -125,7 +125,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule ARGS:do "@streq index" \
|
||||
"t:none,\
|
||||
|
@ -149,7 +149,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule ARGS:do "@streq login" \
|
||||
"t:none,\
|
||||
|
@ -170,7 +170,7 @@ SecRule ARGS:do "!@streq admin" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
skipAfter:END-DOKUWIKI-ADMIN"
|
||||
|
||||
SecRule ARGS:do "!@streq admin" \
|
||||
|
@ -179,7 +179,7 @@ SecRule ARGS:do "!@streq admin" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
skipAfter:END-DOKUWIKI-ADMIN"
|
||||
|
||||
|
||||
|
@ -194,7 +194,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule ARGS:do "@streq login" \
|
||||
"t:none,\
|
||||
|
@ -220,7 +220,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule ARGS:page "@streq config" \
|
||||
"t:none,\
|
||||
|
@ -252,7 +252,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule ARGS:page "@streq config" \
|
||||
"t:none,\
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -19,7 +19,7 @@ SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
skipAfter:END-CPANEL"
|
||||
|
||||
SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \
|
||||
|
@ -28,7 +28,7 @@ SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
skipAfter:END-CPANEL"
|
||||
|
||||
|
||||
|
@ -53,7 +53,7 @@ SecRule REQUEST_LINE "@rx ^GET /whm-server-status(?:/|/\?auto)? HTTP/[12]\.[01]$
|
|||
tag:'language-multi',\
|
||||
tag:'platform-apache',\
|
||||
tag:'attack-generic',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
|
||||
"t:none,\
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -18,7 +18,7 @@ SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
skipAfter:END-XENFORO"
|
||||
|
||||
SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \
|
||||
|
@ -27,7 +27,7 @@ SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
skipAfter:END-XENFORO"
|
||||
|
||||
|
||||
|
@ -49,7 +49,7 @@ SecRule REQUEST_FILENAME "@endsWith /proxy.php" \
|
|||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:link,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:referrer,\
|
||||
ctl:ruleRemoveTargetById=942230;ARGS:referrer,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Store drafts for private message, forum post, thread reply
|
||||
# POST /xf/conversations/draft
|
||||
|
@ -73,7 +73,7 @@ SecRule REQUEST_FILENAME "@rx /(?:conversations|(?:conversations|forums|threads)
|
|||
ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
|
||||
ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
|
||||
ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Send PM, edit post, create thread, reply to thread
|
||||
# POST /xf/conversations/add
|
||||
|
@ -100,7 +100,7 @@ SecRule REQUEST_FILENAME "@rx /(?:conversations/add(?:-preview)?|conversations/m
|
|||
ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
|
||||
ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
|
||||
ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Quote
|
||||
# POST /xf/posts/12345/quote
|
||||
|
@ -111,7 +111,7 @@ SecRule REQUEST_FILENAME "@rx /posts/\d+/quote$" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:quoteHtml,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Multi quote
|
||||
# POST /xf/conversations/convo-title.12345/multi-quote
|
||||
|
@ -134,7 +134,7 @@ SecRule REQUEST_FILENAME "@rx /(?:conversations|threads)/.*\.\d+/multi-quote$" \
|
|||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[7][value],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[8][value],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[9][value],\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Delete thread
|
||||
# POST /xf/threads/thread-title.12345/delete
|
||||
|
@ -145,7 +145,7 @@ SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/delete$" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=942130;ARGS:starter_alert_reason,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Feature thread
|
||||
# POST /xf/threads/thread-title.12345/feature-edit
|
||||
|
@ -167,7 +167,7 @@ SecRule REQUEST_FILENAME "@endsWith /inline-mod/" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:author_alert_reason,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Warn member
|
||||
# POST /xf/members/name.12345/warn
|
||||
|
@ -180,7 +180,7 @@ SecRule REQUEST_FILENAME "@rx /(?:members/.*\.\d+|posts/\d+)/warn$" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:conversation_message,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:notes,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Editor
|
||||
SecRule REQUEST_URI "@endsWith /index.php?editor/to-html" \
|
||||
|
@ -194,7 +194,7 @@ SecRule REQUEST_URI "@endsWith /index.php?editor/to-html" \
|
|||
ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
|
||||
ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
|
||||
ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Editor
|
||||
SecRule REQUEST_URI "@endsWith /index.php?editor/to-bb-code" \
|
||||
|
@ -204,7 +204,7 @@ SecRule REQUEST_URI "@endsWith /index.php?editor/to-bb-code" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:html,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Post attachment
|
||||
# POST /xf/account/avatar
|
||||
|
@ -220,7 +220,7 @@ SecRule REQUEST_FILENAME "@rx /(?:account/avatar|attachments/upload)$" \
|
|||
ctl:ruleRemoveTargetById=942440;ARGS:flowIdentifier,\
|
||||
ctl:ruleRemoveTargetById=942440;ARGS:flowFilename,\
|
||||
ctl:ruleRemoveTargetById=942440;ARGS:flowRelativePath,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Media
|
||||
# POST /xf/index.php?editor/media
|
||||
|
@ -232,7 +232,7 @@ SecRule REQUEST_URI "@endsWith /index.php?editor/media" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:url,\
|
||||
ctl:ruleRemoveTargetById=942130;ARGS:url,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Emoji
|
||||
# GET /xf/index.php?misc/find-emoji&q=(%0A%0A
|
||||
|
@ -243,7 +243,7 @@ SecRule REQUEST_URI "@rx /index\.php\?misc/find-emoji&q=" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=921151;ARGS:q,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Login
|
||||
# POST /xf/login/login
|
||||
|
@ -254,7 +254,7 @@ SecRule REQUEST_FILENAME "@endsWith /login/login" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Register account
|
||||
# POST /xf/register/register
|
||||
|
@ -269,7 +269,7 @@ SecRule REQUEST_FILENAME "@endsWith /register/register" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetById=942130;ARGS,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:reg_key,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Confirm account
|
||||
# GET /xf/account-confirmation/name.12345/email?c=foo
|
||||
|
@ -291,7 +291,7 @@ SecRule REQUEST_FILENAME "@endsWith /account/account-details" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:custom_fields[picture],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:about_html,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Lost password
|
||||
# POST /xf/lost-password/user-name.12345/confirm?c=foo
|
||||
|
@ -302,7 +302,7 @@ SecRule REQUEST_FILENAME "@rx /lost-password/.*\.\d+/confirm$" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:c,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Set forum signature
|
||||
# POST /xf/account/signature
|
||||
|
@ -313,7 +313,7 @@ SecRule REQUEST_FILENAME "@endsWith /account/signature" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:signature_html,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Search
|
||||
# POST /xf/search/search
|
||||
|
@ -328,7 +328,7 @@ SecRule REQUEST_FILENAME "@endsWith /search/search" \
|
|||
ctl:ruleRemoveTargetById=942260;ARGS:constraints,\
|
||||
ctl:ruleRemoveTargetById=942340;ARGS:constraints,\
|
||||
ctl:ruleRemoveTargetById=942370;ARGS:constraints,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Search within thread
|
||||
# GET /xf/threads/foo.12345/page12?highlight=foo
|
||||
|
@ -339,7 +339,7 @@ SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/(?:page\d+)?$" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:highlight,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Search within search result
|
||||
# GET /xf/search/12345/?q=foo
|
||||
|
@ -350,7 +350,7 @@ SecRule REQUEST_FILENAME "@rx /search/\d+/$" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:q,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Contact form
|
||||
# POST /xf/misc/contact
|
||||
|
@ -362,7 +362,7 @@ SecRule REQUEST_FILENAME "@endsWith /misc/contact" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:subject,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Report post
|
||||
# POST /xf/posts/12345/report
|
||||
|
@ -373,7 +373,7 @@ SecRule REQUEST_FILENAME "@rx /posts/\d+/report$" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Alternate thread view route
|
||||
# /xf/index.php?threads/title-having-some-sql.12345/
|
||||
|
@ -388,7 +388,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule REQUEST_METHOD "@streq GET" \
|
||||
"t:none,\
|
||||
|
@ -412,7 +412,7 @@ SecRule REQUEST_URI "@endsWith /index.php?dbtech-security/fingerprint" \
|
|||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[14][value],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[15][value],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[16][value],\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Get location info
|
||||
SecRule REQUEST_FILENAME "@endsWith /misc/location-info" \
|
||||
|
@ -422,7 +422,7 @@ SecRule REQUEST_FILENAME "@endsWith /misc/location-info" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:location,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
#
|
||||
# -=[ XenForo Global Exclusions ]=-
|
||||
|
@ -455,7 +455,7 @@ SecAction \
|
|||
ctl:ruleRemoveTargetByTag=OWASP_CRS;REQUEST_COOKIES:xf_ls,\
|
||||
ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_session,\
|
||||
ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_user,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
#
|
||||
# -=[ XenForo Administration Back-End ]=-
|
||||
|
@ -469,7 +469,7 @@ SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
skipAfter:END-XENFORO-ADMIN"
|
||||
|
||||
SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
|
||||
|
@ -478,7 +478,7 @@ SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
skipAfter:END-XENFORO-ADMIN"
|
||||
|
||||
# Admin edit user
|
||||
|
@ -491,7 +491,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?users/.*\.\d+/edit$" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:profile[about],\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:profile[website],\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Admin save user
|
||||
# POST /xf/admin.php?users/the-user-name.12345/save
|
||||
|
@ -510,7 +510,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?users/.*\.\d+/save$" \
|
|||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:custom_fields[sexuality],\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:custom_fields[picture],\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:profile[website],\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
|
||||
# Admin edit forum notice
|
||||
|
@ -524,7 +524,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?notices/(?:.*\.)?\d+/save$" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:title,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Admin batch thread update
|
||||
# POST /xf/admin.php?threads/batch-update/action
|
||||
|
@ -539,7 +539,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?(?:threads|users)/batch-update/action$" \
|
|||
ctl:ruleRemoveTargetById=942330;ARGS:criteria,\
|
||||
ctl:ruleRemoveTargetById=942340;ARGS:criteria,\
|
||||
ctl:ruleRemoveTargetById=942370;ARGS:criteria,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Edit forum theme
|
||||
# POST /xf/admin.php?styles/title.1234/style-properties/group&group=basic
|
||||
|
@ -556,7 +556,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?styles/" \
|
|||
ctl:ruleRemoveTargetById=942340;ARGS:json,\
|
||||
ctl:ruleRemoveTargetById=942370;ARGS:json,\
|
||||
ctl:ruleRemoveTargetById=942440;ARGS:json,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Set forum options
|
||||
# POST /xf/admin.php?options/update
|
||||
|
@ -567,7 +567,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?options/update" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:options[boardInactiveMessage],\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Edit pages/templates
|
||||
# POST /xf/admin.php?pages/0/save
|
||||
|
@ -580,7 +580,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?(?:pages|templates)/.*/save" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:template,\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
SecMarker "END-XENFORO-ADMIN"
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -24,7 +24,7 @@ SecRule REQUEST_LINE "@streq GET /" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-apache',\
|
||||
tag:'attack-generic',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
|
||||
"t:none,\
|
||||
|
@ -44,7 +44,7 @@ SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-apache',\
|
||||
tag:'attack-generic',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)" \
|
||||
"t:none,\
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -41,7 +41,7 @@ SecRule TX:DO_REPUT_BLOCK "@eq 1" \
|
|||
tag:'attack-reputation-ip',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain,\
|
||||
skipAfter:BEGIN-REQUEST-BLOCKING-EVAL"
|
||||
|
@ -71,7 +71,7 @@ SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
|
|||
tag:'attack-reputation-ip',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule TX:REAL_IP "@geoLookup" \
|
||||
|
@ -124,9 +124,8 @@ SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-reputation-ip',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
skipAfter:END-RBL-LOOKUP"
|
||||
|
||||
#
|
||||
|
@ -148,9 +147,8 @@ SecRule &TX:block_suspicious_ip "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain,\
|
||||
skipAfter:END-RBL-CHECK"
|
||||
SecRule &TX:block_harvester_ip "@eq 0" \
|
||||
|
@ -170,9 +168,8 @@ SecRule TX:REAL_IP "@rbl dnsbl.httpbl.org" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-reputation-ip',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.httpbl_msg=%{tx.0}',\
|
||||
chain"
|
||||
SecRule TX:httpbl_msg "@rx RBL lookup of .*?.dnsbl.httpbl.org succeeded at TX:checkip. (.*?): .*" \
|
||||
|
@ -193,7 +190,7 @@ SecRule TX:block_search_ip "@eq 1" \
|
|||
tag:'attack-reputation-ip',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain,\
|
||||
skipAfter:END-RBL-CHECK"
|
||||
|
@ -217,7 +214,7 @@ SecRule TX:block_spammer_ip "@eq 1" \
|
|||
tag:'attack-reputation-ip',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain,\
|
||||
skipAfter:END-RBL-CHECK"
|
||||
|
@ -241,7 +238,7 @@ SecRule TX:block_suspicious_ip "@eq 1" \
|
|||
tag:'attack-reputation-ip',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain,\
|
||||
skipAfter:END-RBL-CHECK"
|
||||
|
@ -265,7 +262,7 @@ SecRule TX:block_harvester_ip "@eq 1" \
|
|||
tag:'attack-reputation-ip',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain,\
|
||||
skipAfter:END-RBL-CHECK"
|
||||
|
@ -287,8 +284,7 @@ SecAction \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-reputation-ip',\
|
||||
tag:'paranoia-level/1',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'ip.previous_rbl_check=1',\
|
||||
expirevar:'ip.previous_rbl_check=86400'"
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -39,7 +39,7 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220/274',\
|
||||
tag:'PCI/12.1',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -70,7 +70,7 @@ SecRule &TX:dos_burst_time_slice "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain,\
|
||||
skipAfter:END-DOS-PROTECTION-CHECKS"
|
||||
SecRule &TX:dos_counter_threshold "@eq 0" \
|
||||
|
@ -83,7 +83,7 @@ SecRule &TX:dos_burst_time_slice "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain,\
|
||||
skipAfter:END-DOS-PROTECTION-CHECKS"
|
||||
SecRule &TX:dos_counter_threshold "@eq 0" \
|
||||
|
@ -116,7 +116,7 @@ SecRule IP:DOS_BLOCK "@eq 1" \
|
|||
tag:'attack-dos',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/227/469',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule &IP:DOS_BLOCK_FLAG "@eq 0" \
|
||||
"setvar:'ip.dos_block_counter=+1',\
|
||||
|
@ -138,11 +138,10 @@ SecRule IP:DOS_BLOCK "@eq 1" \
|
|||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'attack-dos',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/227/469',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'ip.dos_block_counter=+1'"
|
||||
|
||||
|
||||
|
@ -162,9 +161,8 @@ SecRule IP:DOS_BLOCK "@eq 1" \
|
|||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'attack-dos',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
skipAfter:END-DOS-PROTECTION-CHECKS"
|
||||
|
||||
|
||||
|
@ -181,11 +179,10 @@ SecRule REQUEST_BASENAME "@rx .*?(\.[a-z0-9]{1,10})?$" \
|
|||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'attack-dos',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/227/469',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.extension=/%{TX.1}/',\
|
||||
chain"
|
||||
SecRule TX:EXTENSION "!@within %{tx.static_extensions}" \
|
||||
|
@ -213,11 +210,10 @@ SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
|
|||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'attack-dos',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/227/469',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule &IP:DOS_BURST_COUNTER "@eq 0" \
|
||||
"setvar:'ip.dos_burst_counter=1',\
|
||||
|
@ -234,11 +230,10 @@ SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
|
|||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'attack-dos',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/227/469',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule &IP:DOS_BURST_COUNTER "@ge 1" \
|
||||
"setvar:'ip.dos_burst_counter=2',\
|
||||
|
@ -265,7 +260,7 @@ SecRule IP:DOS_BURST_COUNTER "@ge 2" \
|
|||
tag:'attack-dos',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/227/469',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'ip.dos_block=1',\
|
||||
expirevar:'ip.dos_block=%{tx.dos_block_timeout}'"
|
||||
|
||||
|
@ -299,7 +294,7 @@ SecRule IP:DOS_BURST_COUNTER "@ge 1" \
|
|||
tag:'paranoia-level/2',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/227/469',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'ip.dos_block=1',\
|
||||
expirevar:'ip.dos_block=%{tx.dos_block_timeout}'"
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -47,7 +47,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/224/541/310',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
|
@ -70,7 +70,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile scanners-headers.data
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/224/541/310',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
|
@ -95,7 +95,7 @@ SecRule REQUEST_FILENAME|ARGS "@pmFromFile scanners-urls.data" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/224/541/310',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
|
@ -135,7 +135,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
|
|||
tag:'capec/1000/118/224/541/310',\
|
||||
tag:'PCI/6.5.10',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
|
@ -169,7 +169,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \
|
|||
tag:'capec/1000/118/224/541/310',\
|
||||
tag:'PCI/6.5.10',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -59,7 +59,7 @@ SecRule REQUEST_LINE "!@rx ^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
|
||||
|
||||
|
@ -110,7 +110,7 @@ SecRule FILES_NAMES|FILES "@rx (?<!&(?:[aAoOuUyY]uml)|&(?:[aAeEiIoOuU]circ)|&(?:
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -139,7 +139,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -173,7 +173,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" \
|
||||
|
@ -198,7 +198,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
|
||||
|
@ -234,7 +234,7 @@ SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'WARNING',\
|
||||
chain"
|
||||
SecRule REQUEST_METHOD "@streq POST" \
|
||||
|
@ -263,7 +263,7 @@ SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
|
|||
tag:'attack-protocol',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'WARNING',\
|
||||
chain"
|
||||
SecRule &REQUEST_HEADERS:Content-Length "!@eq 0" \
|
||||
|
@ -301,7 +301,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'WARNING',\
|
||||
chain"
|
||||
SecRule TX:2 "@lt %{tx.1}" \
|
||||
|
@ -334,7 +334,7 @@ SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive|
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
|
||||
|
||||
|
@ -367,7 +367,7 @@ SecRule REQUEST_URI "@rx \x25" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/267/72',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'WARNING',\
|
||||
chain"
|
||||
SecRule REQUEST_URI "@validateUrlEncoding" \
|
||||
|
@ -387,7 +387,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/267/72',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'WARNING',\
|
||||
chain"
|
||||
SecRule REQUEST_BODY "@rx \x25" \
|
||||
|
@ -419,7 +419,7 @@ SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/267',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'WARNING',\
|
||||
chain"
|
||||
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" \
|
||||
|
@ -458,7 +458,7 @@ SecRule REQUEST_URI|REQUEST_BODY "@rx \%u[fF]{2}[0-9a-fA-F]{2}" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/267/72',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
|
||||
|
||||
|
@ -512,7 +512,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -544,7 +544,7 @@ SecRule &REQUEST_HEADERS:Host "@eq 0" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
|
||||
skipAfter:END-HOST-CHECK"
|
||||
|
@ -563,7 +563,7 @@ SecRule REQUEST_HEADERS:Host "@rx ^$" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
|
||||
|
||||
|
@ -603,7 +603,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'NOTICE',\
|
||||
chain"
|
||||
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
|
||||
|
@ -628,7 +628,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'NOTICE',\
|
||||
chain"
|
||||
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
|
||||
|
@ -661,7 +661,7 @@ SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'NOTICE',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
|
||||
|
||||
|
@ -698,7 +698,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'NOTICE',\
|
||||
chain"
|
||||
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
|
||||
|
@ -731,7 +731,7 @@ SecRule REQUEST_HEADERS:Host "@rx ^[\d.:]+$" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
|
||||
|
||||
|
@ -763,7 +763,7 @@ SecRule &TX:MAX_NUM_ARGS "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule &ARGS "@gt %{tx.max_num_args}" \
|
||||
|
@ -788,7 +788,7 @@ SecRule &TX:ARG_NAME_LENGTH "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" \
|
||||
|
@ -815,7 +815,7 @@ SecRule &TX:ARG_LENGTH "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule ARGS "@gt %{tx.arg_length}" \
|
||||
|
@ -839,7 +839,7 @@ SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" \
|
||||
|
@ -864,7 +864,7 @@ SecRule &TX:MAX_FILE_SIZE "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
|
||||
|
@ -890,7 +890,7 @@ SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" \
|
||||
|
@ -928,7 +928,7 @@ SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+-]+(?:\s?;\s?(?:action|boundar
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153',\
|
||||
tag:'PCI/12.1',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -951,7 +951,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153',\
|
||||
tag:'PCI/12.1',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.content_type=|%{tx.0}|',\
|
||||
chain"
|
||||
|
@ -979,7 +979,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153',\
|
||||
tag:'PCI/12.1',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule TX:1 "!@rx ^%{tx.allowed_request_content_type_charset}$" \
|
||||
|
@ -1005,7 +1005,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset.*?charset" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153',\
|
||||
tag:'PCI/12.1',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -1027,7 +1027,7 @@ SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -1050,7 +1050,7 @@ SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.extension=.%{tx.1}/',\
|
||||
chain"
|
||||
|
@ -1077,7 +1077,7 @@ SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -1122,7 +1122,7 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'PCI/12.1',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.header_name_%{tx.0}=/%{tx.0}/',\
|
||||
chain"
|
||||
|
@ -1157,10 +1157,41 @@ SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:
|
|||
tag:'attack-protocol',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
#
|
||||
# The following rule (920620) checks for the presence of 2 or more request Content-Type headers.
|
||||
# Content-Type confusion poses a significant security risk to a web application. It occurs when
|
||||
# the server and client have different interpretations of the Content-Type header, leading to
|
||||
# miscommunication, potential exploitation and WAF bypass.
|
||||
#
|
||||
# Using Apache, when multiple Content-Type request headers are received, the server combines them
|
||||
# into a single header with the values separated by commas. For example, if a client sends multiple
|
||||
# Content-Type headers with values "application/json" and "text/plain", Apache will combine them
|
||||
# into a single header like this: "Content-Type: application/json, text/plain".
|
||||
#
|
||||
# On the other hand, Nginx handles multiple Content-Type headers differently. It preserves each
|
||||
# header as a separate entity without combining them. So, if a client sends multiple Content-Type
|
||||
# headers, Nginx will keep them separate, maintaining the original values.
|
||||
#
|
||||
SecRule &REQUEST_HEADERS:Content-Type "@gt 1" \
|
||||
"id:920620,\
|
||||
phase:1,\
|
||||
block,\
|
||||
t:none,\
|
||||
msg:'Multiple Content-Type Request Headers',\
|
||||
logdata:'%{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-protocol',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
|
||||
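Review bot: The comment block above rule 920620 describes how Apache and Nginx each treat repeated Content-Type headers but never says which case the rule covers, while the target `&REQUEST_HEADERS:Content-Type "@gt 1"` counts header instances. Going by the comment's own description, a comma-merged Apache header would count as one and not match, so the rule is effective only where the headers arrive separately, as in the Nginx case. I would close the comment with a line such as `# This rule counts header instances: it matches when the headers arrive separately (Nginx); a comma-merged header counts as one and is not matched here.` Separately, `logdata:'%{MATCHED_VAR}'` on a count target presumably records the number of headers rather than their values, which is worth confirming with a test request before relying on it for triage.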
|
@ -1202,7 +1233,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'WARNING',\
|
||||
chain"
|
||||
SecRule REQUEST_BASENAME "!@endsWith .pdf" \
|
||||
|
@ -1226,7 +1257,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'WARNING',\
|
||||
chain"
|
||||
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" \
|
||||
|
@ -1247,7 +1278,7 @@ SecRule ARGS "@rx %[0-9a-fA-F]{2}" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/267/120',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
|
||||
|
||||
|
@ -1278,7 +1309,7 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \
|
|||
tag:'capec/1000/210/272',\
|
||||
tag:'PCI/6.5.10',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'NOTICE',\
|
||||
chain"
|
||||
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
|
||||
|
@ -1304,7 +1335,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -1331,7 +1362,7 @@ SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
|
|||
tag:'capec/1000/210/272',\
|
||||
tag:'PCI/6.5.10',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'NOTICE',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.notice_anomaly_score}'"
|
||||
|
||||
|
@ -1353,7 +1384,7 @@ SecRule FILES_NAMES|FILES "@rx ['\";=]" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -1378,7 +1409,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
|
|||
tag:'paranoia-level/2',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
|
||||
|
@ -1412,7 +1443,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteR
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'paranoia-level/3',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -1440,7 +1471,7 @@ SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'paranoia-level/3',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" \
|
||||
|
@ -1493,7 +1524,7 @@ SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" \
|
|||
tag:'paranoia-level/3',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(\s*\,\s*|$)){1,7}$" \
|
||||
|
@ -1524,7 +1555,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'paranoia-level/4',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'WARNING',\
|
||||
chain"
|
||||
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \
|
||||
|
@ -1551,7 +1582,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'paranoia-level/4',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -1572,7 +1603,7 @@ SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!RE
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'paranoia-level/4',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -1596,7 +1627,7 @@ SecRule REQUEST_HEADERS:Sec-Fetch-User "@validateByteRange 32,34,38,42-59,61,63,
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'paranoia-level/4',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -1642,7 +1673,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\\\\])\\\\[cdegh
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/153/267',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -47,7 +47,7 @@ SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connec
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220/33',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -80,7 +80,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220/34',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -102,7 +102,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220/34',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -137,7 +137,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220/273',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -166,7 +166,7 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220/33',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -188,7 +188,7 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cook
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220/33',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -214,7 +214,7 @@ SecRule REQUEST_FILENAME "@rx [\n\r]" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220/34',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -247,7 +247,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/136',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -280,7 +280,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s,]+[;\s,].*?(?:(?:application(?:
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153',\
|
||||
tag:'PCI/12.1',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -314,7 +314,7 @@ SecRule ARGS_GET "@rx [\n\r]" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220/33',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -350,9 +350,9 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s,]+[;\s,].*?\b(?:(audio|image|vi
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153',\
|
||||
tag:'PCI/12.1',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
|
||||
|
@ -386,7 +386,7 @@ SecRule &REQUEST_HEADERS:Range "@gt 0" \
|
|||
tag:'paranoia-level/3',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -418,10 +418,9 @@ SecRule ARGS_NAMES "@rx ." \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-protocol',\
|
||||
tag:'paranoia-level/3',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/137/15/460',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
|
||||
|
||||
SecRule TX:/paramcounter_.*/ "@gt 1" \
|
||||
|
@ -437,7 +436,7 @@ SecRule TX:/paramcounter_.*/ "@gt 1" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/137/15/460',\
|
||||
tag:'paranoia-level/3',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -38,7 +38,7 @@ SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153',\
|
||||
tag:'paranoia-level/1',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule ARGS:_charset_ "!@within |%{tx.allowed_request_content_type_charset}|" \
|
||||
|
@ -63,7 +63,7 @@ SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*+:\s*+(.*)$" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/272/220',\
|
||||
tag:'paranoia-level/1',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule TX:1 "!@rx ^(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*(?:\s*+,\s*+(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*)*$" \
|
||||
|
@ -87,6 +87,6 @@ SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/272/220',\
|
||||
tag:'paranoia-level/1',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -42,7 +42,7 @@ SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@r
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/126',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -65,7 +65,7 @@ SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@rx (?
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/126',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
multiMatch,\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
|
@ -92,7 +92,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/126',\
|
||||
tag:'PCI/6.5.4',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -119,7 +119,7 @@ SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/126',\
|
||||
tag:'PCI/6.5.4',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -50,7 +50,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?):\/\/(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/175/253',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -71,7 +71,7 @@ SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_abso
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/175/253',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -92,7 +92,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/175/253',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -120,13 +120,13 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?)://([^/]*).*$" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/175/253',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\
|
||||
chain"
|
||||
SecRule TX:/rfi_parameter_.*/ "!@endsWith .%{request_headers.host}" \
|
||||
"setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
|
||||
"ctl:auditLogParts=+E,\
|
||||
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
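Review bot: In the last hunk of this section (`-120,13 +120,13`), `ctl:auditLogParts=+E` appears to move from the chain starter to the chained `SecRule TX:/rfi_parameter_.*/`, and nothing next to it records why its position matters. ModSecurity runs a non-disruptive action whenever the rule that carries it matches, so on the starter it would fire for any argument that merely begins with a URL scheme, while on the last rule it fires only when the whole chain matches. If local comments are acceptable in this copy of the rule set, a line such as `# keep ctl:auditLogParts on the last rule of the chain: part E is then added only on a full chain match` above the chained rule would stop a later edit from moving it back. The same applies to the two chained `SecRule MATCHED_VARS "@pm ..."` rules further down, in the section that scores into `tx.php_injection_score`; the starter rule here begins above the hunk.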
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -117,7 +117,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/88',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -153,7 +153,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/88',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -250,7 +250,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/88',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -289,7 +289,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/88',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -324,7 +324,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/88',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -361,7 +361,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/88',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -407,7 +407,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/88',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -458,7 +458,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/88',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -495,7 +495,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/88',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -527,7 +527,7 @@ SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \
|
|||
tag:'capec/1000/152/248/88',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -549,7 +549,7 @@ SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
|
|||
tag:'capec/1000/152/248/88',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -584,7 +584,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/88',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -629,7 +629,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/88',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule MATCHED_VAR "@rx /" "t:none,t:urlDecodeUni,chain"
|
||||
|
@ -679,7 +679,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/3',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -711,7 +711,7 @@ SecRule ARGS "@rx (?:/|\\\\)(?:[\?\*]+[a-z/\\\\]+|[a-z/\\\\]+[\?\*]+)" \
|
|||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/3',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -60,7 +60,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -102,7 +102,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -126,12 +126,12 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule MATCHED_VARS "@pm =" \
|
||||
"capture,\
|
||||
ctl:auditLogParts=+E,\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -155,7 +155,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -192,7 +192,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -221,7 +221,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -289,7 +289,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -343,7 +343,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -399,7 +399,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -455,7 +455,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -497,7 +497,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -540,12 +540,12 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule MATCHED_VARS "@pm (" \
|
||||
"capture,\
|
||||
ctl:auditLogParts=+E,\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -595,7 +595,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/242',\
|
||||
tag:'paranoia-level/3',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -641,7 +641,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'capec/1000/152/242',\
|
||||
tag:'paranoia-level/3',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -684,7 +684,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
|
|||
tag:'capec/1000/152/242',\
|
||||
tag:'paranoia-level/3',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -714,7 +714,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/242',\
|
||||
tag:'paranoia-level/3',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -63,7 +63,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
multiMatch,\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -50,7 +50,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -77,7 +77,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -103,7 +103,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -133,7 +133,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -159,7 +159,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -194,7 +194,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -219,7 +219,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -245,7 +245,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -272,7 +272,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -294,7 +294,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -316,7 +316,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -338,7 +338,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -360,7 +360,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -382,7 +382,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -404,7 +404,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -426,7 +426,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -448,7 +448,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -470,7 +470,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -492,7 +492,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -514,7 +514,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -541,7 +541,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -568,7 +568,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -610,7 +610,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242/63',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -638,7 +638,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242/63',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -669,7 +669,7 @@ SecRule REQUEST_HEADERS:Referer "@detectXSS" \
|
|||
tag:'capec/1000/152/242',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -695,7 +695,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'capec/1000/152/242',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -778,7 +778,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'capec/1000/152/242/63',\
|
||||
tag:'PCI/6.5.1',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -799,7 +799,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'capec/1000/152/242',\
|
||||
tag:'PCI/6.5.1',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -823,7 +823,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'capec/1000/152/242',\
|
||||
tag:'PCI/6.5.1',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -856,7 +856,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/242/63',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -59,7 +59,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
multiMatch,\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
|
@ -94,7 +94,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -120,7 +120,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -149,7 +149,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -178,7 +178,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -199,7 +199,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -220,7 +220,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -249,7 +249,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -270,7 +270,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -291,7 +291,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -320,7 +320,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -341,7 +341,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -370,7 +370,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -399,7 +399,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -439,7 +439,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -475,7 +475,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -513,7 +513,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?:^\s*[\"'`;]+|[\"'`]+\s*$)" \
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
|
||||
|
@ -549,7 +549,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\)|\
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -584,7 +584,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?(?:
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
multiMatch,\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
|
@ -623,7 +623,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -652,7 +652,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -684,7 +684,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -716,7 +716,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -745,7 +745,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -774,7 +774,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -803,7 +803,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -840,7 +840,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -871,7 +871,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -896,7 +896,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -930,7 +930,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -957,7 +957,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -984,7 +984,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -1014,7 +1014,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -1051,7 +1051,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -1084,7 +1084,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -1117,7 +1117,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -1158,7 +1158,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
|
||||
|
@ -1202,7 +1202,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -1227,7 +1227,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -1276,7 +1276,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -1315,7 +1315,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/3',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -1339,7 +1339,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/3',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -1379,7 +1379,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/3',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
|
||||
|
@ -1408,7 +1408,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/3',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
|
||||
|
@ -1438,7 +1438,7 @@ SecRule ARGS "@rx \W{4}" \
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/3',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}'"
|
||||
|
@ -1472,7 +1472,7 @@ SecRule REQUEST_BASENAME "@detectSQLi" \
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/3',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -1522,7 +1522,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/3',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -1555,7 +1555,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/4',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
|
||||
|
@ -1584,7 +1584,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/4',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -44,7 +44,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/21/593/61',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -65,15 +65,15 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/21/593/61',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule REQUEST_HEADERS:Referer "@rx ^(?:ht|f)tps?://(.*?)\/" \
|
||||
"capture,\
|
||||
chain"
|
||||
SecRule TX:1 "!@endsWith %{request_headers.host}" \
|
||||
"setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
|
||||
"ctl:auditLogParts=+E,\
|
||||
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
|
@ -92,12 +92,12 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/21/593/61',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule &REQUEST_HEADERS:Referer "@eq 0" \
|
||||
"setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
|
||||
"ctl:auditLogParts=+E,\
|
||||
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -47,7 +47,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'capec/1000/152/137/6',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/1',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -81,7 +81,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'capec/1000/152/248',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/1',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \
|
||||
|
@ -107,7 +107,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'capec/1000/152/248',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/1',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \
|
||||
|
@ -141,7 +141,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'capec/1000/152/248',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/1',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -180,7 +180,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'capec/1000/152/248',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -202,7 +202,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'capec/1000/152/248',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -224,7 +224,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'capec/1000/152/248',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -249,7 +249,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'capec/1000/152/248',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -285,7 +285,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'capec/1000/152/248',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/3',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -69,7 +69,7 @@ SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-reputation-ip',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule TX:DO_REPUT_BLOCK "@eq 1" \
|
||||
|
@ -89,7 +89,7 @@ SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-generic',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -45,7 +45,7 @@ SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Inde
|
|||
tag:'capec/1000/118/116/54/127',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
@ -79,7 +79,7 @@ SecRule RESPONSE_BODY "@rx ^#\!\s?/" \
|
|||
tag:'capec/1000/118/116',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
@ -111,7 +111,7 @@ SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.error_anomaly_score}'"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -36,10 +36,9 @@ SecRule RESPONSE_BODY "@pmFromFile sql-errors.data" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.sql_error_match=1'"
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
|
@ -57,12 +56,12 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \
|
||||
"capture,\
|
||||
ctl:auditLogParts=+E,\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -82,12 +81,12 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" \
|
||||
"capture,\
|
||||
ctl:auditLogParts=+E,\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -107,12 +106,12 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|CLI Driver.*DB2|DB2 SQL error|db2_\w+\()" \
|
||||
"capture,\
|
||||
ctl:auditLogParts=+E,\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -132,12 +131,12 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinity of:)" \
|
||||
"capture,\
|
||||
ctl:auditLogParts=+E,\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -157,12 +156,12 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \
|
||||
"capture,\
|
||||
ctl:auditLogParts=+E,\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -183,12 +182,12 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollback\." \
|
||||
"capture,\
|
||||
ctl:auditLogParts=+E,\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -208,12 +207,12 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \
|
||||
"capture,\
|
||||
ctl:auditLogParts=+E,\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -233,12 +232,12 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statement|com\.informix\.jdbc|Exception.*Informix)" \
|
||||
"capture,\
|
||||
ctl:auditLogParts=+E,\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -259,12 +258,12 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver)" \
|
||||
"capture,\
|
||||
ctl:auditLogParts=+E,\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -285,12 +284,12 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)" \
|
||||
"capture,\
|
||||
ctl:auditLogParts=+E,\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -310,12 +309,12 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \
|
||||
"capture,\
|
||||
ctl:auditLogParts=+E,\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -335,12 +334,12 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.)" \
|
||||
"capture,\
|
||||
ctl:auditLogParts=+E,\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -360,12 +359,12 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid MySQL|Column count doesn't match value count at row|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax;|You have an error in your SQL syntax near|MySQL server version for the right syntax to use|\[MySQL\]\[ODBC|Column count doesn't match|Table '[^']+' doesn't exist|SQL syntax.*MySQL|Warning.*mysql_.*|valid MySQL result|MySqlClient\.)" \
|
||||
"capture,\
|
||||
ctl:auditLogParts=+E,\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -385,12 +384,12 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:PostgreSQL query failed:|pg_query\(\) \[:|pg_exec\(\) \[:|PostgreSQL.*ERROR|Warning.*pg_.*|valid PostgreSQL result|Npgsql\.|PG::[a-zA-Z]*Error|Supplied argument is not a valid PostgreSQL .*? resource|Unable to connect to PostgreSQL server)" \
|
||||
"capture,\
|
||||
ctl:auditLogParts=+E,\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -410,12 +409,12 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite\.Exception|System\.Data\.SQLite\.SQLiteException)" \
|
||||
"capture,\
|
||||
ctl:auditLogParts=+E,\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -435,12 +434,12 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.*sybase.*|Sybase.*Server message.*)" \
|
||||
"capture,\
|
||||
ctl:auditLogParts=+E,\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -40,7 +40,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
|
|||
tag:'capec/1000/118/116',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
@ -67,7 +67,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \
|
|||
tag:'capec/1000/118/116',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -40,7 +40,7 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors.data" \
|
|||
tag:'capec/1000/118/116',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
@ -67,7 +67,7 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scan
|
|||
tag:'capec/1000/118/116',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
@ -97,13 +97,13 @@ SecRule RESPONSE_BODY "@rx <\?(?!xml)" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'ERROR',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "!@rx (?:\x1f\x8b\x08|\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b|^wOF[F2])" \
|
||||
"capture,\
|
||||
t:none,\
|
||||
ctl:auditLogParts=+E,\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -38,7 +38,7 @@ SecRule RESPONSE_BODY "@rx [a-z]:\\\\inetpub\b" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
@ -61,7 +61,7 @@ SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:<\/font
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
@ -87,7 +87,7 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application
|
|||
tag:'capec/1000/118/116',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
@ -110,13 +110,13 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'ERROR',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" \
|
||||
"capture,\
|
||||
t:none,\
|
||||
ctl:auditLogParts=+E,\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -73,7 +73,7 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
|
|||
t:none,\
|
||||
msg:'Outbound Anomaly Score Exceeded (Total Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
|
||||
tag:'anomaly-evaluation',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.anomaly_score=+%{tx.outbound_anomaly_score}'"
|
||||
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -30,7 +30,7 @@ SecRule &TX:'/LEAKAGE\\\/ERRORS/' "@ge 1" \
|
|||
log,\
|
||||
msg:'Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
|
||||
tag:'event-correlation',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'EMERGENCY',\
|
||||
chain,\
|
||||
skipAfter:END-CORRELATION"
|
||||
|
@ -47,7 +47,7 @@ SecRule &TX:'/AVAILABILITY\\\/APP_NOT_AVAIL/' "@ge 1" \
|
|||
log,\
|
||||
msg:'Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
|
||||
tag:'event-correlation',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
severity:'ALERT',\
|
||||
chain,\
|
||||
skipAfter:END-CORRELATION"
|
||||
|
@ -61,7 +61,7 @@ SecAction \
|
|||
t:none,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.executing_anomaly_score=%{tx.anomaly_score_pl1}',\
|
||||
setvar:'tx.executing_anomaly_score=+%{tx.anomaly_score_pl2}',\
|
||||
setvar:'tx.executing_anomaly_score=+%{tx.anomaly_score_pl3}',\
|
||||
|
@ -76,7 +76,7 @@ SecRule TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_threshold}" \
|
|||
noauditlog,\
|
||||
msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',\
|
||||
tag:'event-correlation',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule TX:MONITOR_ANOMALY_SCORE "@gt 1"
|
||||
|
||||
|
@ -89,7 +89,7 @@ SecRule TX:INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
|
|||
noauditlog,\
|
||||
msg:'Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',\
|
||||
tag:'event-correlation',\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
|
||||
"id:980140,\
|
||||
|
@ -100,7 +100,7 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
|
|||
noauditlog,\
|
||||
msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',\
|
||||
tag:'event-correlation',\
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
ver:'OWASP_CRS/3.3.5'"
|
||||
|
||||
# Creating a total sum of all triggered outbound rules, including the ones only being monitored
|
||||
SecAction \
|
||||
|
@ -110,7 +110,7 @@ SecAction \
|
|||
t:none,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
setvar:'tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1}',\
|
||||
setvar:'tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2}',\
|
||||
setvar:'tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl3}',\
|
||||
|
@ -125,7 +125,7 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@lt %{tx.outbound_anomaly_score_threshold}" \
|
|||
noauditlog,\
|
||||
msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',\
|
||||
tag:'event-correlation',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
ver:'OWASP_CRS/3.3.5',\
|
||||
chain"
|
||||
SecRule TX:MONITOR_ANOMALY_SCORE "@gt 1"
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.5
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
|
|
@ -1,87 +1,75 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "911100.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
-
|
||||
test_title: 911100-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"911100\""
|
||||
-
|
||||
test_title: 911100-2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "OPTIONS"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"911100\""
|
||||
-
|
||||
test_title: 911100-3
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "HEAD"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"911100\""
|
||||
-
|
||||
test_title: 911100-4
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "POST"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
data: "test=value"
|
||||
output:
|
||||
no_log_contains: "id \"911100\""
|
||||
-
|
||||
test_title: 911100-5
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "TEST"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"911100\""
|
||||
-
|
||||
test_title: 911100-6
|
||||
desc: Method is not allowed by policy (911100) from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "911100.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
- test_title: 911100-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"911100\""
|
||||
- test_title: 911100-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "OPTIONS"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"911100\""
|
||||
- test_title: 911100-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "HEAD"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"911100\""
|
||||
- test_title: 911100-4
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "POST"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
data: "test=value"
|
||||
output:
|
||||
no_log_contains: "id \"911100\""
|
||||
- test_title: 911100-5
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "TEST"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"911100\""
|
||||
- test_title: 911100-6
|
||||
desc: Method is not allowed by policy (911100) from old modsec regressions
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
@ -99,13 +87,10 @@
|
|||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "911100"
|
||||
|
||||
-
|
||||
test_title: 911100-7
|
||||
desc: Method is not allowed by policy (911100) from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
- test_title: 911100-7
|
||||
desc: Method is not allowed by policy (911100) from old modsec regressions
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
@ -123,13 +108,10 @@
|
|||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "911100"
|
||||
|
||||
-
|
||||
test_title: 911100-8
|
||||
desc: Method is not allowed by policy (911100) from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
- test_title: 911100-8
|
||||
desc: Method is not allowed by policy (911100) from old modsec regressions
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
|
|
@ -1,94 +1,84 @@
|
|||
---
|
||||
meta:
|
||||
author: csanders-git
|
||||
description: None
|
||||
enabled: true
|
||||
name: 913100.yaml
|
||||
tests:
|
||||
-
|
||||
test_title: 913100-1
|
||||
meta:
|
||||
author: csanders-git
|
||||
description: None
|
||||
enabled: true
|
||||
name: 913100.yaml
|
||||
tests:
|
||||
- test_title: 913100-1
|
||||
desc: Request Indicates a Security Scanner Scanned the Site (913100) from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
|
||||
Accept-Encoding: gzip,deflate
|
||||
Accept-Language: en-us,en;q=0.5
|
||||
Host: localhost
|
||||
Keep-Alive: '300'
|
||||
Proxy-Connection: keep-alive
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET
|
||||
CLR 2.0.50727) Havij
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /
|
||||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "913100"
|
||||
-
|
||||
test_title: 913100-2
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
|
||||
Accept-Encoding: gzip,deflate
|
||||
Accept-Language: en-us,en;q=0.5
|
||||
Host: localhost
|
||||
Keep-Alive: '300'
|
||||
Proxy-Connection: keep-alive
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /
|
||||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "913100"
|
||||
- test_title: 913100-2
|
||||
desc: Request Indicates a Security Scanner Scanned the Site (913100) from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
|
||||
Accept-Encoding: gzip,deflate
|
||||
Accept-Language: en-us,en;q=0.5
|
||||
Host: localhost
|
||||
Keep-Alive: '300'
|
||||
Proxy-Connection: keep-alive
|
||||
User-Agent: Arachni/0.2.1
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /
|
||||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "913100"
|
||||
|
||||
-
|
||||
test_title: 913100-3
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
|
||||
Accept-Encoding: gzip,deflate
|
||||
Accept-Language: en-us,en;q=0.5
|
||||
Host: localhost
|
||||
Keep-Alive: '300'
|
||||
Proxy-Connection: keep-alive
|
||||
User-Agent: Arachni/0.2.1
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /
|
||||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "913100"
|
||||
- test_title: 913100-3
|
||||
desc: Request Indicates a Security Scanner Scanned the Site (913100) from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
|
||||
Accept-Encoding: gzip,deflate
|
||||
Accept-Language: en-us,en;q=0.5
|
||||
Host: localhost
|
||||
Keep-Alive: '300'
|
||||
Proxy-Connection: keep-alive
|
||||
User-Agent: w3af.sourceforge.net
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /
|
||||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "913100"
|
||||
-
|
||||
test_title: 913100-4
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
|
||||
Accept-Encoding: gzip,deflate
|
||||
Accept-Language: en-us,en;q=0.5
|
||||
Host: localhost
|
||||
Keep-Alive: '300'
|
||||
Proxy-Connection: keep-alive
|
||||
User-Agent: w3af.sourceforge.net
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /
|
||||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "913100"
|
||||
- test_title: 913100-4
|
||||
desc: "Scanner identification based on User-agent field"
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-agent: "nessus"
|
||||
uri: "/"
|
||||
output:
|
||||
log_contains: id "913100"
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-agent: "nessus"
|
||||
uri: "/"
|
||||
output:
|
||||
log_contains: id "913100"
|
||||
|
|
|
@ -1,49 +1,43 @@
|
|||
---
|
||||
meta:
|
||||
author: csanders-git
|
||||
description: None
|
||||
enabled: true
|
||||
name: 913110.yaml
|
||||
tests:
|
||||
-
|
||||
test_title: 913110-1
|
||||
desc: Request Indicates a Security Scanner Scanned the Site (913110) from old modsec
|
||||
regressions
|
||||
meta:
|
||||
author: csanders-git
|
||||
description: None
|
||||
enabled: true
|
||||
name: 913110.yaml
|
||||
tests:
|
||||
- test_title: 913110-1
|
||||
desc: Request Indicates a Security Scanner Scanned the Site (913110) from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
|
||||
Accept-Encoding: gzip,deflate
|
||||
Accept-Language: en-us,en;q=0.5
|
||||
Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION)
|
||||
Host: localhost
|
||||
Keep-Alive: '300'
|
||||
Proxy-Connection: keep-alive
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET
|
||||
CLR 2.0.50727)
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /
|
||||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "913110"
|
||||
-
|
||||
test_title: 913110-2
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
|
||||
Accept-Encoding: gzip,deflate
|
||||
Accept-Language: en-us,en;q=0.5
|
||||
Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION)
|
||||
Host: localhost
|
||||
Keep-Alive: '300'
|
||||
Proxy-Connection: keep-alive
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /
|
||||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "913110"
|
||||
- test_title: 913110-2
|
||||
desc: "Scanner identification based on custom header"
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
Host: "localhost"
|
||||
X-Scanner: "whatever"
|
||||
uri: "/"
|
||||
output:
|
||||
log_contains: id "913110"
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
Host: "localhost"
|
||||
X-Scanner: "whatever"
|
||||
uri: "/"
|
||||
output:
|
||||
log_contains: id "913110"
|
||||
|
|
|
@ -1,63 +1,55 @@
|
|||
---
|
||||
meta:
|
||||
author: csanders-git
|
||||
description: None
|
||||
enabled: true
|
||||
name: 913120.yaml
|
||||
tests:
|
||||
-
|
||||
test_title: 913120-1
|
||||
desc: Request Indicates a Security Scanner Scanned the Site (913120) from old modsec
|
||||
regressions
|
||||
meta:
|
||||
author: csanders-git
|
||||
description: None
|
||||
enabled: true
|
||||
name: 913120.yaml
|
||||
tests:
|
||||
- test_title: 913120-1
|
||||
desc: Request Indicates a Security Scanner Scanned the Site (913120) from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
|
||||
Accept-Encoding: gzip,deflate
|
||||
Accept-Language: en-us,en;q=0.5
|
||||
Host: localhost
|
||||
Keep-Alive: '300'
|
||||
Proxy-Connection: keep-alive
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET
|
||||
CLR 2.0.50727)
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /nessustest
|
||||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "913120"
|
||||
-
|
||||
test_title: 913120-2
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
|
||||
Accept-Encoding: gzip,deflate
|
||||
Accept-Language: en-us,en;q=0.5
|
||||
Host: localhost
|
||||
Keep-Alive: '300'
|
||||
Proxy-Connection: keep-alive
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /nessustest
|
||||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "913120"
|
||||
- test_title: 913120-2
|
||||
desc: IBM fingerprint from (http://www-01.ibm.com/support/docview.wss?uid=swg21293132)
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: localhost
|
||||
uri: /AppScan_fingerprint/MAC_ADDRESS_01234567890.html?9ABCDG1
|
||||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "913120"
|
||||
-
|
||||
test_title: 913120-3
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: localhost
|
||||
uri: /AppScan_fingerprint/MAC_ADDRESS_01234567890.html?9ABCDG1
|
||||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "913120"
|
||||
- test_title: 913120-3
|
||||
desc: "Scanner identification based on uri"
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
Host: "localhost"
|
||||
version: HTTP/1.0
|
||||
uri: "/nessus_is_probing_you_"
|
||||
output:
|
||||
log_contains: id "913120"
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
Host: "localhost"
|
||||
version: HTTP/1.0
|
||||
uri: "/nessus_is_probing_you_"
|
||||
output:
|
||||
log_contains: id "913120"
|
||||
|
|
|
@ -1,218 +1,193 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920100.yaml"
|
||||
description: "Tests to trigger, or not trigger 920100"
|
||||
tests:
|
||||
-
|
||||
# Standard GET request
|
||||
test_title: 920100-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
protocol: "http"
|
||||
uri: "/"
|
||||
version: "HTTP/1.1"
|
||||
output:
|
||||
no_log_contains: "id \"920100\""
|
||||
-
|
||||
# Request has tab (\t) before request method - Apache complains
|
||||
# AH00126: Invalid URI in request GET / HTTP/1.1
|
||||
test_title: 920100-2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: " GET"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
protocol: "http"
|
||||
uri: "/"
|
||||
version: "HTTP/1.1"
|
||||
output:
|
||||
status: 400
|
||||
-
|
||||
# Perfectly valid OPTIONS request
|
||||
test_title: 920100-3
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "OPTIONS"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
protocol: "http"
|
||||
uri: "*"
|
||||
version: "HTTP/1.1"
|
||||
output:
|
||||
no_log_contains: "id \"920100\""
|
||||
-
|
||||
# Valid CONNECT request however this is disabled by Apache default
|
||||
test_title: 920100-4
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "CONNECT"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
protocol: "http"
|
||||
uri: "1.2.3.4:80"
|
||||
version: "HTTP/1.1"
|
||||
output:
|
||||
status: [405, 403]
|
||||
-
|
||||
# invalid Connect request, domains require ports
|
||||
test_title: 920100-5
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "CONNECT"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
protocol: "http"
|
||||
uri: "www.cnn.com"
|
||||
version: "HTTP/1.1"
|
||||
output:
|
||||
status: 400
|
||||
-
|
||||
# This is an acceptable CONNECT request for SSL tunneling
|
||||
test_title: 920100-6
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "CONNECT"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests #FP"
|
||||
Host: "localhost"
|
||||
protocol: "http"
|
||||
uri: "www.cnn.com:80"
|
||||
version: "HTTP/1.1"
|
||||
output:
|
||||
log_contains: "id \"920100\""
|
||||
-
|
||||
# Valid request with query and anchor components
|
||||
test_title: 920100-7
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
protocol: "http"
|
||||
uri: "/index.html?I=Like&Apples=Today#tag"
|
||||
version: "HTTP/1.1"
|
||||
output:
|
||||
no_log_contains: "id \"920100\""
|
||||
-
|
||||
# The colon in the path is not allowed. Apache will block by default
|
||||
# (20024)The given path is misformatted or contained invalid characters: [client 127.0.0.1:4142] AH00127: Cannot map GET /index.html:80?I=Like&Apples=Today#tag HTTP/1.1 to file
|
||||
test_title: 920100-8
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
protocol: "http"
|
||||
uri: "/index.html:80?I=Like&Apples=Today#tag"
|
||||
version: "HTTP/1.1"
|
||||
output:
|
||||
status: [400, 403]
|
||||
-
|
||||
# Normal Options request with path
|
||||
test_title: 920100-9
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "OPTIONS"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
protocol: "http"
|
||||
uri: "/"
|
||||
version: "HTTP/1.1"
|
||||
output:
|
||||
no_log_contains: "id \"920100\""
|
||||
-
|
||||
# An invalid method with a long name
|
||||
test_title: 920100-10
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "REALLYLONGUNREALMETHOD"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests # FN"
|
||||
Host: "localhost"
|
||||
protocol: "http"
|
||||
uri: "/"
|
||||
version: "HTTP/1.1"
|
||||
output:
|
||||
log_contains: "id \"920100\""
|
||||
-
|
||||
# An invalid request because a backslash is used in uri
|
||||
# Apache will end up blocking this before it gets to CRS.
|
||||
# We will need to support OR output tests to fix this
|
||||
test_title: 920100-11
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests # FN"
|
||||
Host: "localhost"
|
||||
protocol: "http"
|
||||
uri: "\\"
|
||||
version: "HTTP/1.1"
|
||||
output:
|
||||
status: [403, 400]
|
||||
#log_contains: "id \"920100\""
|
||||
-
|
||||
test_title: 920100-12
|
||||
desc: Invalid HTTP Request Line (920100) - Test 1 from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920100.yaml"
|
||||
description: "Tests to trigger, or not trigger 920100"
|
||||
tests:
|
||||
- # Standard GET request
|
||||
test_title: 920100-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
protocol: "http"
|
||||
uri: "/"
|
||||
version: "HTTP/1.1"
|
||||
output:
|
||||
no_log_contains: "id \"920100\""
|
||||
- # Request has tab (\t) before request method - Apache complains
|
||||
# AH00126: Invalid URI in request GET / HTTP/1.1
|
||||
test_title: 920100-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: " GET"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
protocol: "http"
|
||||
uri: "/"
|
||||
version: "HTTP/1.1"
|
||||
output:
|
||||
status: [400]
|
||||
- # Perfectly valid OPTIONS request
|
||||
test_title: 920100-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "OPTIONS"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
protocol: "http"
|
||||
uri: "*"
|
||||
version: "HTTP/1.1"
|
||||
output:
|
||||
no_log_contains: "id \"920100\""
|
||||
- # Valid CONNECT request however this is disabled by Apache default
|
||||
test_title: 920100-4
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "CONNECT"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
protocol: "http"
|
||||
uri: "1.2.3.4:80"
|
||||
version: "HTTP/1.1"
|
||||
output:
|
||||
status: [405, 403]
|
||||
- # invalid Connect request, domains require ports
|
||||
test_title: 920100-5
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "CONNECT"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
protocol: "http"
|
||||
uri: "www.cnn.com"
|
||||
version: "HTTP/1.1"
|
||||
output:
|
||||
status: [400]
|
||||
- # This is an acceptable CONNECT request for SSL tunneling
|
||||
test_title: 920100-6
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "CONNECT"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests #FP"
|
||||
Host: "localhost"
|
||||
protocol: "http"
|
||||
uri: "www.cnn.com:80"
|
||||
version: "HTTP/1.1"
|
||||
output:
|
||||
log_contains: "id \"920100\""
|
||||
- # Valid request with query and anchor components
|
||||
test_title: 920100-7
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
protocol: "http"
|
||||
uri: "/index.html?I=Like&Apples=Today#tag"
|
||||
version: "HTTP/1.1"
|
||||
output:
|
||||
no_log_contains: "id \"920100\""
|
||||
- # The colon in the path is not allowed. Apache will block by default
|
||||
# (20024)The given path is misformatted or contained invalid characters: [client 127.0.0.1:4142] AH00127: Cannot map GET /index.html:80?I=Like&Apples=Today#tag HTTP/1.1 to file
|
||||
test_title: 920100-8
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
protocol: "http"
|
||||
uri: "/index.html:80?I=Like&Apples=Today#tag"
|
||||
version: "HTTP/1.1"
|
||||
output:
|
||||
status: [400, 403]
|
||||
- # Normal Options request with path
|
||||
test_title: 920100-9
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "OPTIONS"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
protocol: "http"
|
||||
uri: "/"
|
||||
version: "HTTP/1.1"
|
||||
output:
|
||||
no_log_contains: "id \"920100\""
|
||||
- # An invalid method with a long name
|
||||
test_title: 920100-10
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "REALLYLONGUNREALMETHOD"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests # FN"
|
||||
Host: "localhost"
|
||||
protocol: "http"
|
||||
uri: "/"
|
||||
version: "HTTP/1.1"
|
||||
output:
|
||||
log_contains: "id \"920100\""
|
||||
- # An invalid request because a backslash is used in uri
|
||||
# Apache will end up blocking this before it gets to CRS.
|
||||
# We will need to support OR output tests to fix this
|
||||
test_title: 920100-11
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests # FN"
|
||||
Host: "localhost"
|
||||
protocol: "http"
|
||||
uri: "\\"
|
||||
version: "HTTP/1.1"
|
||||
output:
|
||||
status: [403, 400]
|
||||
- test_title: 920100-12
|
||||
desc: Invalid HTTP Request Line (920100) - Test 1 from old modsec regressions
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
@ -226,13 +201,11 @@
|
|||
uri: /
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
status: 400
|
||||
-
|
||||
test_title: 920100-13
|
||||
desc: Invalid HTTP Request Line (920100) - Test 2 from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
status: [400]
|
||||
- test_title: 920100-13
|
||||
desc: Invalid HTTP Request Line (920100) - Test 2 from old modsec regressions
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
@ -246,14 +219,12 @@
|
|||
uri: \index.html
|
||||
version: HTTP\1.0
|
||||
output:
|
||||
status: [403, 400]
|
||||
# log_contains: id "920100"
|
||||
-
|
||||
test_title: 920100-14
|
||||
desc: Invalid HTTP Request Line (920100) - Test 3 from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
status: [403, 400]
|
||||
# log_contains: id "920100"
|
||||
- test_title: 920100-14
|
||||
desc: Invalid HTTP Request Line (920100) - Test 3 from old modsec regressions
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
@ -268,12 +239,10 @@
|
|||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "920100"
|
||||
-
|
||||
test_title: 920100-15
|
||||
desc: Test as described in http://www.client9.com/article/five-interesting-injection-attacks/
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
- test_title: 920100-15
|
||||
desc: Test as described in http://www.client9.com/article/five-interesting-injection-attacks/
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
method: GET
|
||||
|
|
|
@ -1,43 +1,39 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920120.yaml"
|
||||
description: "Tests to trigger rule 920120"
|
||||
tests:
|
||||
-
|
||||
test_title: 920120-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "POST"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Accept: "*/*"
|
||||
Accept-Language: "en"
|
||||
Connection: "close"
|
||||
Referer: "http://localhost/"
|
||||
Content-Type: "multipart/form-data; boundary=--------397236876"
|
||||
data:
|
||||
- "----------397236876"
|
||||
- "Content-Disposition: form-data; name=\"fileRap\"; filename=\"file=.txt\""
|
||||
- "Content-Type: text/plain"
|
||||
- ""
|
||||
- "555-555-0199@example.com"
|
||||
- "----------397236876--"
|
||||
protocol: "http"
|
||||
output:
|
||||
log_contains: "id \"920120\""
|
||||
-
|
||||
test_title: 920120-2
|
||||
desc: Attempted multipart/form-data bypass (920120) from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920120.yaml"
|
||||
description: "Tests to trigger rule 920120"
|
||||
tests:
|
||||
- test_title: 920120-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "POST"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Accept: "*/*"
|
||||
Accept-Language: "en"
|
||||
Connection: "close"
|
||||
Referer: "http://localhost/"
|
||||
Content-Type: "multipart/form-data; boundary=--------397236876"
|
||||
data: |
|
||||
----------397236876
|
||||
Content-Disposition: form-data; name="fileRap"; filename="file=.txt"
|
||||
Content-Type: text/plain
|
||||
|
||||
555-555-0199@example.com
|
||||
----------397236876--
|
||||
protocol: "http"
|
||||
output:
|
||||
log_contains: "id \"920120\""
|
||||
- test_title: 920120-2
|
||||
desc: Attempted multipart/form-data bypass (920120) from old modsec regressions
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
@ -55,26 +51,24 @@
|
|||
port: 80
|
||||
uri: /cgi-bin/fup.cgi
|
||||
version: HTTP/1.1
|
||||
data:
|
||||
- '-----------------------------627652292512397580456702590'
|
||||
- 'Content-Disposition: form-data; name="fi=le"; filename="test"'
|
||||
- 'Content-Type: text/plain'
|
||||
- ''
|
||||
- 'email: security@modsecurity.org'
|
||||
- ''
|
||||
- '-----------------------------627652292512397580456702590'
|
||||
- 'Content-Disposition: form-data; name="note"'
|
||||
- ''
|
||||
- Contact info.
|
||||
- '-----------------------------627652292512397580456702590--'
|
||||
data: |
|
||||
-----------------------------627652292512397580456702590
|
||||
Content-Disposition: form-data; name="fi=le"; filename="test"
|
||||
Content-Type: text/plain
|
||||
|
||||
email: security@modsecurity.org
|
||||
|
||||
-----------------------------627652292512397580456702590
|
||||
Content-Disposition: form-data; name="note"
|
||||
|
||||
Contact info.
|
||||
-----------------------------627652292512397580456702590--
|
||||
output:
|
||||
log_contains: id "920120"
|
||||
-
|
||||
test_title: 920120-3
|
||||
desc: Invalid Request Body (920120) from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
- test_title: 920120-3
|
||||
desc: Invalid Request Body (920120) from old modsec regressions
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
@ -91,21 +85,21 @@
|
|||
port: 80
|
||||
uri: /
|
||||
version: HTTP/1.1
|
||||
data:
|
||||
- '-----------------------------265001916915724'
|
||||
- 'Content-Disposition: form-data; name="fi;le"; filename="test"'
|
||||
- 'Content-Type: application/octet-stream'
|
||||
- ''
|
||||
- Rotem & Ayala
|
||||
- ''
|
||||
- '-----------------------------265001916915724'
|
||||
- 'Content-Disposition: form-data; name="name"'
|
||||
- ''
|
||||
- tt2
|
||||
- '-----------------------------265001916915724'
|
||||
- 'Content-Disposition: form-data; name="B1"'
|
||||
- ''
|
||||
- Submit
|
||||
- '-----------------------------265001916915724--'
|
||||
data: |
|
||||
-----------------------------265001916915724
|
||||
Content-Disposition: form-data; name="fi;le"; filename="test"
|
||||
Content-Type: application/octet-stream
|
||||
|
||||
Rotem & Ayala
|
||||
|
||||
-----------------------------265001916915724
|
||||
Content-Disposition: form-data; name="name"
|
||||
|
||||
t2
|
||||
-----------------------------265001916915724
|
||||
Content-Disposition: form-data; name="B1"
|
||||
|
||||
Submit
|
||||
-----------------------------265001916915724--
|
||||
output:
|
||||
log_contains: id "920120"
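Review bot: In the rewritten body of 920120-3 the `name` part now carries `t2`, while the removed list entry was `- tt2`, so the block scalar is not a byte-for-byte translation of the list it replaces. The assertion presumably depends on the `name="fi;le"` parameter and would still hold, but a one-byte-shorter body matters if the header block above this hunk (not visible here) pins a Content-Length. If the change is not deliberate, restore the value as `tt2`. The converted bodies of 920120-1 and 920120-2 read as equivalent to the lists they replace.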
|
||||
|
|
|
@ -1,73 +1,65 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920160.yaml"
|
||||
description: "Tests to trigger rule 920160"
|
||||
tests:
|
||||
-
|
||||
# Non digit Content-Length without content-type
|
||||
test_title: 920160-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Length: "NotDigits"
|
||||
protocol: "http"
|
||||
uri: "/"
|
||||
output:
|
||||
status: 400
|
||||
-
|
||||
# Non digit content-length with content-type
|
||||
test_title: 920160-2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "POST"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
Content-Length: "NotDigits"
|
||||
protocol: "http"
|
||||
uri: "/"
|
||||
output:
|
||||
status: 400
|
||||
-
|
||||
# Mixed digit and non digit content length
|
||||
test_title: 920160-3
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "POST"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
Content-Length: "123x"
|
||||
protocol: "http"
|
||||
uri: "/"
|
||||
output:
|
||||
status: 400
|
||||
-
|
||||
# Apache auto corrects for this error now so the log should not contain anything
|
||||
test_title: 920160-4
|
||||
desc: Content-Length HTTP header is not numeric (920160) from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920160.yaml"
|
||||
description: "Tests to trigger rule 920160"
|
||||
tests:
|
||||
- # Non digit Content-Length without content-type
|
||||
test_title: 920160-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Length: "NotDigits"
|
||||
protocol: "http"
|
||||
uri: "/"
|
||||
output:
|
||||
status: [400]
|
||||
- # Non digit content-length with content-type
|
||||
test_title: 920160-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "POST"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
Content-Length: "NotDigits"
|
||||
protocol: "http"
|
||||
uri: "/"
|
||||
output:
|
||||
status: [400]
|
||||
- # Mixed digit and non digit content length
|
||||
test_title: 920160-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "POST"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
Content-Length: "123x"
|
||||
protocol: "http"
|
||||
uri: "/"
|
||||
output:
|
||||
status: [400]
|
||||
- # Apache auto corrects for this error now so the log should not contain anything
|
||||
test_title: 920160-4
|
||||
desc: Content-Length HTTP header is not numeric (920160) from old modsec regressions
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
@ -86,14 +78,12 @@
|
|||
version: HTTP/1.0
|
||||
data: abc
|
||||
output:
|
||||
status: 200
|
||||
status: [200]
|
||||
no_log_contains: id "920160"
|
||||
-
|
||||
test_title: 920160-5
|
||||
desc: Content-Length HTTP header is not numeric (920160) from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
- test_title: 920160-5
|
||||
desc: Content-Length HTTP header is not numeric (920160) from old modsec regressions
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
|
|
@ -1,112 +1,100 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920170.yaml"
|
||||
description: "A Selection of tests to trigger rule 920170"
|
||||
tests:
|
||||
-
|
||||
# POST Request with data (valid)
|
||||
test_title: 920170-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "POST"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
data: "hi=test"
|
||||
uri: "/"
|
||||
output:
|
||||
no_log_contains: "id \"920170\""
|
||||
-
|
||||
# GET request with data
|
||||
test_title: 920170-2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
data: "hi=test"
|
||||
uri: "/"
|
||||
output:
|
||||
log_contains: "id \"920170\""
|
||||
-
|
||||
# Head Request with data
|
||||
test_title: 920170-3
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "HEAD"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
data: "hi=test"
|
||||
uri: "/"
|
||||
output:
|
||||
log_contains: "id \"920170\""
|
||||
-
|
||||
# GET Request but content length is 0 and data is provided
|
||||
# Weird HTTP 1.0 support bug in Apache, without newline causes 408
|
||||
test_title: 920170-5
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests # Possibly shouldn't pass"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
Content-Length: "0"
|
||||
data: "hi=test\r\n"
|
||||
stop_magic: true
|
||||
protocol: "http"
|
||||
uri: "/"
|
||||
output:
|
||||
no_log_contains: "id \"920170\""
|
||||
-
|
||||
# GET request with content length 0 and no data.
|
||||
test_title: 920170-6
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
Content-Length: "0"
|
||||
data: ""
|
||||
protocol: "http"
|
||||
uri: "/"
|
||||
output:
|
||||
no_log_contains: "id \"920170\""
|
||||
-
|
||||
test_title: 920170-7
|
||||
desc: GET or HEAD Request with Body Content (920170) from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920170.yaml"
|
||||
description: "A Selection of tests to trigger rule 920170"
|
||||
tests:
|
||||
- # POST Request with data (valid)
|
||||
test_title: 920170-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "POST"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
data: "hi=test"
|
||||
uri: "/"
|
||||
output:
|
||||
no_log_contains: "id \"920170\""
|
||||
- # GET request with data
|
||||
test_title: 920170-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
data: "hi=test"
|
||||
uri: "/"
|
||||
output:
|
||||
log_contains: "id \"920170\""
|
||||
- # Head Request with data
|
||||
test_title: 920170-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "HEAD"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
data: "hi=test"
|
||||
uri: "/"
|
||||
output:
|
||||
log_contains: "id \"920170\""
|
||||
- # GET Request but content length is 0 and data is provided
|
||||
# Weird HTTP 1.0 support bug in Apache, without newline causes 408
|
||||
test_title: 920170-5
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests # Possibly shouldn't pass"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
Content-Length: "0"
|
||||
data: "hi=test\r\n"
|
||||
stop_magic: true
|
||||
protocol: "http"
|
||||
uri: "/"
|
||||
output:
|
||||
no_log_contains: "id \"920170\""
|
||||
- # GET request with content length 0 and no data.
|
||||
test_title: 920170-6
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
Content-Length: "0"
|
||||
data: ""
|
||||
protocol: "http"
|
||||
uri: "/"
|
||||
output:
|
||||
no_log_contains: "id \"920170\""
|
||||
- test_title: 920170-7
|
||||
desc: GET or HEAD Request with Body Content (920170) from old modsec regressions
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
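Review bot: The caveat on 920170-5 sits inside the header value, `User-Agent: "ModSecurity CRS 3 Tests # Possibly shouldn't pass"`, so it is sent on the wire as part of the User-Agent and is easy to miss when reading the test list. The case is a GET with `Content-Length: "0"` and a non-empty `data` under `stop_magic: true`, asserted with `no_log_contains`, which is the kind of length/body disagreement a maintainer would want recorded as a known gap. I would move the remark into the comment block above `test_title: 920170-5`, for example `# Known gap: body sent with Content-Length 0 is not flagged; possibly shouldn't pass`, and keep the User-Agent plain. The `# FN` and `#FP` markers in the User-Agent values of 920100-11 and 920200-4/-5 have the same shape.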
|
||||
|
|
|
@ -1,53 +1,47 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920180.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
-
|
||||
test_title: 920180-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "POST"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
data: "hi=test"
|
||||
protocol: "http"
|
||||
stop_magic: true
|
||||
uri: "/"
|
||||
output:
|
||||
log_contains: id "920180"
|
||||
-
|
||||
test_title: 920180-2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "POST"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
data: "hi=test"
|
||||
protocol: "http"
|
||||
uri: "/"
|
||||
output:
|
||||
no_log_contains: id "920180"
|
||||
-
|
||||
test_title: 920180-3
|
||||
desc: POST request missing Content-Length Header (920180) from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920180.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
- test_title: 920180-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "POST"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
data: "hi=test"
|
||||
protocol: "http"
|
||||
stop_magic: true
|
||||
uri: "/"
|
||||
output:
|
||||
log_contains: id "920180"
|
||||
- test_title: 920180-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "POST"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
data: "hi=test"
|
||||
protocol: "http"
|
||||
uri: "/"
|
||||
output:
|
||||
no_log_contains: id "920180"
|
||||
- test_title: 920180-3
|
||||
desc: POST request missing Content-Length Header (920180) from old modsec regressions
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
@ -65,12 +59,10 @@
|
|||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "920180"
|
||||
-
|
||||
test_title: 920180-4
|
||||
desc: Ignore check of CT header if protocol is HTTP/2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
- test_title: 920180-4
|
||||
desc: Ignore check of CT header if protocol is HTTP/2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
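Review bot: `description: "Description"` in the `meta` block is a template placeholder that survived the reformat, so the file header says nothing about what is being tested. The `desc` of 920180-3 already names the rule's purpose, so something like `description: "Tests for rule 920180 (POST request missing Content-Length header)"` would do. The `meta` blocks of 920181.yaml, 920190.yaml and 920200.yaml carry the same placeholder.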
|
||||
|
|
|
@ -1,35 +1,33 @@
|
|||
---
|
||||
meta:
|
||||
author: "fgsch"
|
||||
enabled: true
|
||||
name: "920181.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
-
|
||||
test_title: 920181-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
uri: "/"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
Accept: "*/*"
|
||||
Content-Length: 7
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
Transfer-Encoding: "chunked"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
data:
|
||||
- "7"
|
||||
- "foo=bar"
|
||||
- "0"
|
||||
- ""
|
||||
- ""
|
||||
stop_magic: true
|
||||
output:
|
||||
# Apache unsets the Content-Length header if
|
||||
# Transfer-Encoding is found!
|
||||
no_log_contains: id "920181"
|
||||
meta:
|
||||
author: "fgsch"
|
||||
enabled: true
|
||||
name: "920181.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
- test_title: 920181-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
uri: "/"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
Accept: "*/*"
|
||||
Content-Length: 7
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
Transfer-Encoding: "chunked"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
data: |
|
||||
7
|
||||
foo=bar
|
||||
0
|
||||
|
||||
|
||||
stop_magic: true
|
||||
output:
|
||||
# Apache unsets the Content-Length header if
|
||||
# Transfer-Encoding is found!
|
||||
no_log_contains: id "920181"
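Review bot: The new `data: |` block for 920181-1 ends in two blank lines, and a literal block scalar with default (clip) chomping drops trailing blank lines, so the parsed body is `7\nfoo=bar\n0\n` and the two empty strings that closed the removed list are gone. With `stop_magic: true` the body is presumably sent as written, so the chunked terminator may never reach the server; because the only assertion is `no_log_contains`, the test would still pass if the request is rejected or times out before the rule is evaluated. Spelling the bytes out the way 920170-5 does, `data: "7\r\nfoo=bar\r\n0\r\n\r\n"`, removes the dependence on chomping and on how the harness joins lines. Adding an expected `status` next to `no_log_contains` would make the negative assertion meaningful.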
|
||||
|
|
|
@ -1,33 +1,29 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920190.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
-
|
||||
test_title: 920190-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Range: "0-1"
|
||||
protocol: "http"
|
||||
uri: "/"
|
||||
output:
|
||||
no_log_contains: id "920190"
|
||||
-
|
||||
test_title: 920190-2
|
||||
desc: 'Range: Invalid Last Byte Value (920190) from old modsec regressions'
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920190.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
- test_title: 920190-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Range: "0-1"
|
||||
protocol: "http"
|
||||
uri: "/"
|
||||
output:
|
||||
no_log_contains: id "920190"
|
||||
- test_title: 920190-2
|
||||
desc: 'Range: Invalid Last Byte Value (920190) from old modsec regressions'
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
|
|
@ -1,87 +1,75 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920200.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
-
|
||||
test_title: 920200-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Range: "bytes=1-10,11-20,21-30,31-40,41-50,51-60"
|
||||
output:
|
||||
log_contains: "id \"920200\""
|
||||
-
|
||||
# Sample taken from https://github.com/alienwithin/php-utilities/blob/master/apache-byte-range-server-dos/apache_byte_range_server_dos.php
|
||||
test_title: 920200-2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Request-Range: "bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10,11-11"
|
||||
output:
|
||||
log_contains: "id \"920200\""
|
||||
-
|
||||
test_title: 920200-3
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Range: "bytes=1-10, 11-20, 21-30, 31-40, 41-50"
|
||||
output:
|
||||
no_log_contains: "id \"920200\""
|
||||
-
|
||||
test_title: 920200-4
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests #FP"
|
||||
Host: "localhost"
|
||||
Range: "bytes=-10,-, 21-30,31-40,41-50,51-500,"
|
||||
output:
|
||||
log_contains: "id \"920200\""
|
||||
-
|
||||
test_title: 920200-5
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests #FP"
|
||||
Host: "localhost"
|
||||
Range: "bytes=1-,11-20, 21-30,31-40,41-50,51-500"
|
||||
output:
|
||||
log_contains: "id \"920200\""
|
||||
-
|
||||
test_title: 920200-6
|
||||
desc: 'Range: Too many fields (920200) from old modsec regressions'
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920200.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
- test_title: 920200-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Range: "bytes=1-10,11-20,21-30,31-40,41-50,51-60"
|
||||
output:
|
||||
log_contains: "id \"920200\""
|
||||
- # Sample taken from https://github.com/alienwithin/php-utilities/blob/master/apache-byte-range-server-dos/apache_byte_range_server_dos.php
|
||||
test_title: 920200-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Request-Range: "bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10,11-11"
|
||||
output:
|
||||
log_contains: "id \"920200\""
|
||||
- test_title: 920200-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Range: "bytes=1-10, 11-20, 21-30, 31-40, 41-50"
|
||||
output:
|
||||
no_log_contains: "id \"920200\""
|
||||
- test_title: 920200-4
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests #FP"
|
||||
Host: "localhost"
|
||||
Range: "bytes=-10,-, 21-30,31-40,41-50,51-500,"
|
||||
output:
|
||||
log_contains: "id \"920200\""
|
||||
- test_title: 920200-5
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests #FP"
|
||||
Host: "localhost"
|
||||
Range: "bytes=1-,11-20, 21-30,31-40,41-50,51-500"
|
||||
output:
|
||||
log_contains: "id \"920200\""
|
||||
- test_title: 920200-6
|
||||
desc: 'Range: Too many fields (920200) from old modsec regressions'
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
@ -100,12 +88,10 @@
|
|||
version: HTTP/1.1
|
||||
output:
|
||||
log_contains: id "920200"
|
||||
-
|
||||
test_title: 920200-7
|
||||
desc: This should PASS (PL2)
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
- test_title: 920200-7
|
||||
desc: This should PASS (PL2)
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
@ -117,12 +103,10 @@
|
|||
uri: /index.html
|
||||
output:
|
||||
no_log_contains: id "920200"
|
||||
-
|
||||
test_title: 920200-8
|
||||
desc: "This should FAIL with rule 920200 (PL2)"
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
- test_title: 920200-8
|
||||
desc: "This should FAIL with rule 920200 (PL2)"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
@ -134,12 +118,10 @@
|
|||
uri: /index.html
|
||||
output:
|
||||
log_contains: id "920200"
|
||||
-
|
||||
test_title: 920200-9
|
||||
desc: This should PASS (PL2)
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
- test_title: 920200-9
|
||||
desc: This should PASS (PL2)
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
@ -151,12 +133,10 @@
|
|||
uri: /index.pdf
|
||||
output:
|
||||
no_log_contains: id "920200"
|
||||
-
|
||||
test_title: 920200-10
|
||||
desc: This should PASS (PL2)
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
- test_title: 920200-10
|
||||
desc: This should PASS (PL2)
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
|
|
@ -1,16 +1,14 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920201.yaml"
|
||||
description: "Tests for 920201"
|
||||
tests:
|
||||
-
|
||||
test_title: 920201-1
|
||||
desc: This should FAIL with rule 920201 (PL2)
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920201.yaml"
|
||||
description: "Tests for 920201"
|
||||
tests:
|
||||
- test_title: 920201-1
|
||||
desc: This should FAIL with rule 920201 (PL2)
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
|
|
@ -1,16 +1,14 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920202.yaml"
|
||||
description: "Tests for 920202"
|
||||
tests:
|
||||
-
|
||||
test_title: 920202-1
|
||||
desc: This should FAIL with rule 920202 (PL4)
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920202.yaml"
|
||||
description: "Tests for 920202"
|
||||
tests:
|
||||
- test_title: 920202-1
|
||||
desc: This should FAIL with rule 920202 (PL4)
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
|
|
@ -1,87 +1,74 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920210.yaml"
|
||||
description: "Tests that trigger rule 920210"
|
||||
tests:
|
||||
-
|
||||
test_title: 920210-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Connection: "keep-alive"
|
||||
output:
|
||||
no_log_contains: "id \"920210\""
|
||||
-
|
||||
test_title: 920210-2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Connection: "keep-alive,keep-alive"
|
||||
output:
|
||||
log_contains: "id \"920210\""
|
||||
-
|
||||
test_title: 920210-3
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Connection: "keep-alive,close"
|
||||
output:
|
||||
log_contains: "id \"920210\""
|
||||
-
|
||||
test_title: 920210-4
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Connection: "close,close"
|
||||
output:
|
||||
log_contains: "id \"920210\""
|
||||
-
|
||||
test_title: 920210-5
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Connection: "User-Agent"
|
||||
output:
|
||||
no_log_contains: "id \"920210\""
|
||||
-
|
||||
test_title: 920210-6
|
||||
desc: Multiple/Conflicting Connection Header Data Found (920210) from old modsec
|
||||
regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920210.yaml"
|
||||
description: "Tests that trigger rule 920210"
|
||||
tests:
|
||||
- test_title: 920210-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Connection: "keep-alive"
|
||||
output:
|
||||
no_log_contains: "id \"920210\""
|
||||
- test_title: 920210-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Connection: "keep-alive,keep-alive"
|
||||
output:
|
||||
log_contains: "id \"920210\""
|
||||
- test_title: 920210-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Connection: "keep-alive,close"
|
||||
output:
|
||||
log_contains: "id \"920210\""
|
||||
- test_title: 920210-4
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Connection: "close,close"
|
||||
output:
|
||||
log_contains: "id \"920210\""
|
||||
- test_title: 920210-5
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Connection: "User-Agent"
|
||||
output:
|
||||
no_log_contains: "id \"920210\""
|
||||
- test_title: 920210-6
|
||||
desc: Multiple/Conflicting Connection Header Data Found (920210) from old modsec regressions
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
@ -99,13 +86,10 @@
|
|||
version: HTTP/1.1
|
||||
output:
|
||||
log_contains: id "920210"
|
||||
-
|
||||
test_title: 920210-7
|
||||
desc: Multiple/Conflicting Connection Header Data Found (920210) from old modsec
|
||||
regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
- test_title: 920210-7
|
||||
desc: Multiple/Conflicting Connection Header Data Found (920210) from old modsec regressions
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
|
|
@ -1,82 +1,72 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920220.yaml"
|
||||
description: "Tests to trigger rule 920220"
|
||||
tests:
|
||||
-
|
||||
# This gets a percent but not a number after, invalid
|
||||
test_title: 920220-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?x=%w20"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920220\""
|
||||
-
|
||||
# We have a valid percent encoding here
|
||||
test_title: 920220-2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?x=xyz%20%99"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920220\""
|
||||
-
|
||||
# url encoding includes spaces as plusses, this is valid
|
||||
test_title: 920220-3
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=This+is+a+test"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920220\""
|
||||
-
|
||||
# testURL Encoding Abuse Attack Attempt from old modsec regressions
|
||||
test_title: 920220-4
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?parm=%7%6F%6D%65%74%65%78%74%5F%31%32%33%"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920220\""
|
||||
-
|
||||
# testURL Encoding Abuse Attack Attempt from old modsec regressions
|
||||
test_title: 920220-5
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?parm=%1G"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920220\""
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920220.yaml"
|
||||
description: "Tests to trigger rule 920220"
|
||||
tests:
|
||||
- # This gets a percent but not a number after, invalid
|
||||
test_title: 920220-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?x=%w20"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920220\""
|
||||
- # We have a valid percent encoding here
|
||||
test_title: 920220-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?x=xyz%20%99"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920220\""
|
||||
- # url encoding includes spaces as plusses, this is valid
|
||||
test_title: 920220-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=This+is+a+test"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920220\""
|
||||
- # testURL Encoding Abuse Attack Attempt from old modsec regressions
|
||||
test_title: 920220-4
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?parm=%7%6F%6D%65%74%65%78%74%5F%31%32%33%"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920220\""
|
||||
- # testURL Encoding Abuse Attack Attempt from old modsec regressions
|
||||
test_title: 920220-5
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?parm=%1G"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920220\""
|
||||
|
|
|
@ -1,47 +1,43 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920230.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
-
|
||||
# From old modsec regression tests
|
||||
test_title: 920230-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?parm=%25%37%33%25%36%46%25%36%44%25%36%35%25%37%34%25%36%35%25%37%38%25%37%34%25%35%46%25%33%31%25%33%32%25%33%33%25%33%34"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
|
||||
Accept-Language: "en-us,en;q=0.5"
|
||||
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
|
||||
Keep-Alive: "300"
|
||||
Proxy-Connection: "keep-alive"
|
||||
output:
|
||||
log_contains: "id \"920230\""
|
||||
-
|
||||
# From old modsec regression tests
|
||||
test_title: 920230-2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?parm=%7%6F%6D%65%74%65%78%74%5F%31%32%33%"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
|
||||
Accept-Language: "en-us,en;q=0.5"
|
||||
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
|
||||
Keep-Alive: "300"
|
||||
Proxy-Connection: "keep-alive"
|
||||
output:
|
||||
no_log_contains: "id \"920230\""
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920230.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
- # From old modsec regression tests
|
||||
test_title: 920230-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?parm=%25%37%33%25%36%46%25%36%44%25%36%35%25%37%34%25%36%35%25%37%38%25%37%34%25%35%46%25%33%31%25%33%32%25%33%33%25%33%34"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
|
||||
Accept-Language: "en-us,en;q=0.5"
|
||||
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
|
||||
Keep-Alive: "300"
|
||||
Proxy-Connection: "keep-alive"
|
||||
output:
|
||||
log_contains: "id \"920230\""
|
||||
- # From old modsec regression tests
|
||||
test_title: 920230-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?parm=%7%6F%6D%65%74%65%78%74%5F%31%32%33%"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
|
||||
Accept-Language: "en-us,en;q=0.5"
|
||||
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
|
||||
Keep-Alive: "300"
|
||||
Proxy-Connection: "keep-alive"
|
||||
output:
|
||||
no_log_contains: "id \"920230\""
|
||||
|
|
|
@ -1,136 +1,123 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920240.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
-
|
||||
test_title: 920240-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
Content-Length: 11
|
||||
data: "x=new %w20$"
|
||||
stop_magic: true
|
||||
output:
|
||||
log_contains: "id \"920240\""
|
||||
-
|
||||
test_title: 920240-2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests #FN This should Trigger"
|
||||
Host: "localhost%00"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
Content-Length: 10
|
||||
data: "x=new %20$"
|
||||
stop_magic: true
|
||||
output:
|
||||
no_log_contains: "id \"920240\""
|
||||
-
|
||||
test_title: 920240-3
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
data: "param=value"
|
||||
output:
|
||||
no_log_contains: "id \"920240\""
|
||||
|
||||
-
|
||||
# We have a valid percent encoding here
|
||||
test_title: 920240-4
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
|
||||
Accept-Language: "en-us,en;q=0.5"
|
||||
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
|
||||
Keep-Alive: "300"
|
||||
Proxy-Connection: "keep-alive"
|
||||
Content-Type: "text/xml"
|
||||
data:
|
||||
- "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">"
|
||||
- " <SOAP-ENV:Body>"
|
||||
- " <xkms:StatusRequest xmlns:xkms=\"http://www.w3.org/2002/03/xkms#\" Id=\"_6ee48478-fdd6-4d7d-b1bf-e7b4c3254659\" ResponseId=\"_c1c36b3f-f962-4aea-bfbd-07ed58468c9b\" Service=\"http://www.soapclient.com/xml/xkms2\">"
|
||||
- " <xkms:ResponseMechanism>http://www.w3.org/2002/03/xkms#Pending</xkms:ResponseMechanism>"
|
||||
- " <xkms:RespondWith>%1Gwww.attack.org</xkms:RespondWith>"
|
||||
- " </xkms:StatusRequest>"
|
||||
- " </SOAP-ENV:Body>"
|
||||
- "</SOAP-ENV:Envelope>"
|
||||
output:
|
||||
no_log_contains: "id \"920240\""
|
||||
-
|
||||
# test URL Encoding Abuse Attack Attempt from old regression tests
|
||||
test_title: 920240-5
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
|
||||
Accept-Language: "en-us,en;q=0.5"
|
||||
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
|
||||
Keep-Alive: "300"
|
||||
Proxy-Connection: "keep-alive"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
Content-Length: "9"
|
||||
data: "param=%1G"
|
||||
stop_magic: true
|
||||
output:
|
||||
log_contains: "id \"920240\""
|
||||
-
|
||||
# test URL Encoding Abuse Attack Attempt from old regression tests
|
||||
test_title: 920240-6
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
|
||||
Accept-Language: "en-us,en;q=0.5"
|
||||
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
|
||||
Keep-Alive: "300"
|
||||
Proxy-Connection: "keep-alive"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
data: "param=%7%6F%6D%65%74%65%78%74%5F%31%32%33%"
|
||||
output:
|
||||
log_contains: "id \"920240\""
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920240.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
- test_title: 920240-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
Content-Length: 11
|
||||
data: "x=new %w20$"
|
||||
stop_magic: true
|
||||
output:
|
||||
log_contains: "id \"920240\""
|
||||
- test_title: 920240-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests #FN This should Trigger"
|
||||
Host: "localhost%00"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
Content-Length: 10
|
||||
data: "x=new %20$"
|
||||
stop_magic: true
|
||||
output:
|
||||
no_log_contains: "id \"920240\""
|
||||
- test_title: 920240-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
data: "param=value"
|
||||
output:
|
||||
no_log_contains: "id \"920240\""
|
||||
- # We have a valid percent encoding here
|
||||
test_title: 920240-4
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
|
||||
Accept-Language: "en-us,en;q=0.5"
|
||||
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
|
||||
Keep-Alive: "300"
|
||||
Proxy-Connection: "keep-alive"
|
||||
Content-Type: "text/xml"
|
||||
data: |
|
||||
<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">
|
||||
<SOAP-ENV:Body>
|
||||
<xkms:StatusRequest xmlns:xkms=\"http://www.w3.org/2002/03/xkms#\" Id=\"_6ee48478-fdd6-4d7d-b1bf-e7b4c3254659\" ResponseId=\"_c1c36b3f-f962-4aea-bfbd-07ed58468c9b\" Service=\"http://www.soapclient.com/xml/xkms2\">
|
||||
<xkms:ResponseMechanism>http://www.w3.org/2002/03/xkms#Pending</xkms:ResponseMechanism>
|
||||
<xkms:RespondWith>%1Gwww.attack.org</xkms:RespondWith>
|
||||
</xkms:StatusRequest>
|
||||
</SOAP-ENV:Body>
|
||||
</SOAP-ENV:Envelope>
|
||||
output:
|
||||
no_log_contains: "id \"920240\""
|
||||
- # test URL Encoding Abuse Attack Attempt from old regression tests
|
||||
test_title: 920240-5
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
|
||||
Accept-Language: "en-us,en;q=0.5"
|
||||
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
|
||||
Keep-Alive: "300"
|
||||
Proxy-Connection: "keep-alive"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
Content-Length: "9"
|
||||
data: "param=%1G"
|
||||
stop_magic: true
|
||||
output:
|
||||
log_contains: "id \"920240\""
|
||||
- # test URL Encoding Abuse Attack Attempt from old regression tests
|
||||
test_title: 920240-6
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
|
||||
Accept-Language: "en-us,en;q=0.5"
|
||||
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
|
||||
Keep-Alive: "300"
|
||||
Proxy-Connection: "keep-alive"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
data: "param=%7%6F%6D%65%74%65%78%74%5F%31%32%33%"
|
||||
output:
|
||||
log_contains: "id \"920240\""
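Review bot: In 920240-4 the new `data: |` literal block keeps the `\"` escapes that the old double-quoted list items needed, and a literal block scalar does no escape processing, so the body would now be sent with a backslash before every attribute quote (for example `Id=\"_6ee48478-…\"`). The test expects `no_log_contains` for 920240 with `Content-Type: "text/xml"`, so the verdict probably does not change, but the payload is no longer the well-formed SOAP envelope the old side sent. Remove the backslashes on the `<SOAP-ENV:Envelope …>` and `<xkms:StatusRequest …>` lines so the attributes read `xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"` and so on. Indentation is lost in this rendering, so check the block's indent in the file itself.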
|
||||
|
|
|
@ -1,68 +1,62 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: false
|
||||
name: "920250.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
-
|
||||
# crs-setup.conf needs to have CRS_VALIDATE_UTF8_ENCODING set
|
||||
# Taken from existing modsec regression
|
||||
test_title: 920250-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?param=%c0%af"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
|
||||
Accept-Language: "en-us,en;q=0.5"
|
||||
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
|
||||
Keep-Alive: "300"
|
||||
Proxy-Connection: "keep-alive"
|
||||
output:
|
||||
log_contains: "id \"920250\""
|
||||
-
|
||||
# Taken from existing modsec regression
|
||||
test_title: 920250-2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?param=%c0"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
|
||||
Accept-Language: "en-us,en;q=0.5"
|
||||
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
|
||||
Keep-Alive: "300"
|
||||
Proxy-Connection: "keep-alive"
|
||||
output:
|
||||
log_contains: "id \"920250\""
|
||||
-
|
||||
# Taken from existing modsec regression
|
||||
test_title: 920250-3
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?param=%F5%80%BF%BF"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
|
||||
Accept-Language: "en-us,en;q=0.5"
|
||||
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
|
||||
Keep-Alive: "300"
|
||||
Proxy-Connection: "keep-alive"
|
||||
output:
|
||||
log_contains: "id \"920250\""
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: false
|
||||
name: "920250.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
- # crs-setup.conf needs to have CRS_VALIDATE_UTF8_ENCODING set
|
||||
# Taken from existing modsec regression
|
||||
test_title: 920250-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?param=%c0%af"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
|
||||
Accept-Language: "en-us,en;q=0.5"
|
||||
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
|
||||
Keep-Alive: "300"
|
||||
Proxy-Connection: "keep-alive"
|
||||
output:
|
||||
log_contains: "id \"920250\""
|
||||
- # Taken from existing modsec regression
|
||||
test_title: 920250-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?param=%c0"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
|
||||
Accept-Language: "en-us,en;q=0.5"
|
||||
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
|
||||
Keep-Alive: "300"
|
||||
Proxy-Connection: "keep-alive"
|
||||
output:
|
||||
log_contains: "id \"920250\""
|
||||
- # Taken from existing modsec regression
|
||||
test_title: 920250-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?param=%F5%80%BF%BF"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
|
||||
Accept-Language: "en-us,en;q=0.5"
|
||||
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
|
||||
Keep-Alive: "300"
|
||||
Proxy-Connection: "keep-alive"
|
||||
output:
|
||||
log_contains: "id \"920250\""
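Review bot: `enabled: false` in `meta` presumably switches off all three tests in this file, yet the reason appears only as a comment on 920250-1 (`crs-setup.conf needs to have CRS_VALIDATE_UTF8_ENCODING set`). Put the reason next to the flag, so a reader sees that rule 920250 has no regression coverage in this run unless that setting is enabled. A comment such as `# disabled: rule 920250 only runs when CRS_VALIDATE_UTF8_ENCODING is set in crs-setup.conf` directly above `enabled: false` would do.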
|
||||
|
|
|
@ -1,56 +1,50 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920260.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
-
|
||||
test_title: 920260-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=%uff0F"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920260\""
|
||||
-
|
||||
test_title: 920260-2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=%u0F"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920260\""
|
||||
-
|
||||
# Test taken from existing modsec regression
|
||||
test_title: 920260-3
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?param=foo%uFF01"
|
||||
version: "HTTP/1.0"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
|
||||
Accept-Language: "en-us,en;q=0.5"
|
||||
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
|
||||
Keep-Alive: "300"
|
||||
Proxy-Connection: "keep-alive"
|
||||
output:
|
||||
log_contains: "id \"920260\""
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920260.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
- test_title: 920260-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=%uff0F"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920260\""
|
||||
- test_title: 920260-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=%u0F"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920260\""
|
||||
- # Test taken from existing modsec regression
|
||||
test_title: 920260-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?param=foo%uFF01"
|
||||
version: "HTTP/1.0"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
|
||||
Accept-Language: "en-us,en;q=0.5"
|
||||
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
|
||||
Keep-Alive: "300"
|
||||
Proxy-Connection: "keep-alive"
|
||||
output:
|
||||
log_contains: "id \"920260\""
|
||||
|
|
|
@ -1,143 +1,125 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920270.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
-
|
||||
test_title: 920270-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test%00=test1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920270\""
|
||||
-
|
||||
test_title: 920270-2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1%00"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920270\""
|
||||
-
|
||||
test_title: 920270-3
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test%00=test1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920270\""
|
||||
-
|
||||
# This causes apache to error before it gets to CRS. Therefore
|
||||
# we'll mark this as a status 400 now until the FTW OR output is added
|
||||
test_title: 920270-4
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost%00"
|
||||
output:
|
||||
status: [403, 400]
|
||||
# log_contains: "id \"920270\""
|
||||
-
|
||||
test_title: 920270-5
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Referer: "anything%00"
|
||||
output:
|
||||
log_contains: "id \"920270\""
|
||||
-
|
||||
test_title: 920270-6
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test%40=test1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920270\""
|
||||
-
|
||||
test_title: 920270-7
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test%FD=test1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920270\""
|
||||
-
|
||||
test_title: 920270-8
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test%FD=test1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920270\""
|
||||
-
|
||||
# Test converted from old tests
|
||||
test_title: 920270-9
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?param=foo%00"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
|
||||
Accept-Language: "en-us,en;q=0.5"
|
||||
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
|
||||
Keep-Alive: "300"
|
||||
Proxy-Connection: "keep-alive"
|
||||
output:
|
||||
log_contains: "id \"920270\""
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920270.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
- test_title: 920270-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test%00=test1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920270\""
|
||||
- test_title: 920270-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1%00"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920270\""
|
||||
- test_title: 920270-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test%00=test1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920270\""
|
||||
- # This causes apache to error before it gets to CRS. Therefore
|
||||
# we'll mark this as a status 400 now until the FTW OR output is added
|
||||
test_title: 920270-4
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost%00"
|
||||
output:
|
||||
status: [403, 400]
|
||||
# log_contains: "id \"920270\""
|
||||
- test_title: 920270-5
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Referer: "anything%00"
|
||||
output:
|
||||
log_contains: "id \"920270\""
|
||||
- test_title: 920270-6
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test%40=test1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920270\""
|
||||
- test_title: 920270-7
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test%FD=test1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920270\""
|
||||
- test_title: 920270-8
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test%FD=test1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920270\""
|
||||
- # Test converted from old tests
|
||||
test_title: 920270-9
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?param=foo%00"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
|
||||
Accept-Language: "en-us,en;q=0.5"
|
||||
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
|
||||
Keep-Alive: "300"
|
||||
Proxy-Connection: "keep-alive"
|
||||
output:
|
||||
log_contains: "id \"920270\""
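Review bot: 920270-4 asserts only `status: [403, 400]`, with `log_contains` commented out, so it passes whenever the web server itself rejects the `Host: "localhost%00"` request and never shows that rule 920270 matched. The comment above it describes Apache's behaviour; behind a different front end the request may be handled differently, so the comment should say what the check does and does not prove, e.g. `# status-only check: 400 comes from the web server, 403 from CRS; a match on 920270 is not verified`. Separately, 920270-1 and 920270-3 send the same URI (`/?test%00=test1`), as do 920270-7 and 920270-8 (`/?test%FD=test1`), so each pair covers a single case.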
|
||||
|
|
|
@ -1,92 +1,80 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920271.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
-
|
||||
test_title: 920271-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1%127"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920271\""
|
||||
-
|
||||
test_title: 920271-2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1%03"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920271\""
|
||||
-
|
||||
test_title: 920271-3
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test%00=test1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920271\""
|
||||
-
|
||||
test_title: 920271-4
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Cookie: hi%13=bye
|
||||
output:
|
||||
log_contains: "id \"920271\""
|
||||
-
|
||||
test_title: 920271-5
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/%20index.html?test=test1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920271\""
|
||||
-
|
||||
test_title: 920271-6
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/%FFindex.html?test=test1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920271\""
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920271.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
- test_title: 920271-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1%127"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920271\""
|
||||
- test_title: 920271-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1%03"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920271\""
|
||||
- test_title: 920271-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test%00=test1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920271\""
|
||||
- test_title: 920271-4
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Cookie: hi%13=bye
|
||||
output:
|
||||
log_contains: "id \"920271\""
|
||||
- test_title: 920271-5
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/%20index.html?test=test1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920271\""
|
||||
- test_title: 920271-6
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/%FFindex.html?test=test1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920271\""
|
||||
|
|
|
@ -1,79 +1,68 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920272.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
-
|
||||
test_title: 920272-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1%25"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920272\""
|
||||
-
|
||||
test_title: 920272-2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1%80"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920272\""
|
||||
-
|
||||
test_title: 920272-3
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/index.html?test=t%FFest1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920272\""
|
||||
-
|
||||
test_title: 920272-4
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1%35"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920272\""
|
||||
-
|
||||
# This will not trigger with Apache because Apache will block with AH00127
|
||||
#(22)Invalid argument: [client 127.0.0.1:47427] AH00127: Cannot map GET /i%FFndex.html?test=test1 HTTP/1.1 to file. It will return a 404 instead so we accept either.
|
||||
test_title: 920272-5
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/i%FFndex.html?test=test1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
status: [403, 404]
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920272.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
- test_title: 920272-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1%25"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920272\""
|
||||
- test_title: 920272-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1%80"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920272\""
|
||||
- test_title: 920272-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/index.html?test=t%FFest1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920272\""
|
||||
- test_title: 920272-4
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1%35"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920272\""
|
||||
- # This will not trigger with Apache because Apache will block with AH00127
|
||||
test_title: 920272-5
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/i%FFndex.html?test=test1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
status: [403, 404]
|
||||
|
|
|
@ -1,79 +1,69 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920273.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
-
|
||||
test_title: 920273-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1%20"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920273\""
|
||||
-
|
||||
# the '&' is one of the only symbol allowed
|
||||
test_title: 920273-2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1&test=t"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920273\""
|
||||
-
|
||||
test_title: 920273-3
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/index.html?test=test1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
data: "<hello"
|
||||
output:
|
||||
log_contains: "id \"920273\""
|
||||
-
|
||||
test_title: 920273-4
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1%5FHI"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920273\""
|
||||
-
|
||||
test_title: 920273-5
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1%60HI"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920273\""
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920273.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
- test_title: 920273-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1%20"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920273\""
|
||||
- # the '&' is one of the only symbol allowed
|
||||
test_title: 920273-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1&test=t"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920273\""
|
||||
- test_title: 920273-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/index.html?test=test1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
data: "<hello"
|
||||
output:
|
||||
log_contains: "id \"920273\""
|
||||
- test_title: 920273-4
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1%5FHI"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920273\""
|
||||
- test_title: 920273-5
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1%60HI"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920273\""
|
||||
|
|
|
@ -1,85 +1,75 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920274.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
-
|
||||
# Apache will just error on this and return 400
|
||||
# as a result we look for forbidden or 400
|
||||
# In the future FTW should support OR versus AND output
|
||||
# https://github.com/CRS-support/ftw/issues/19
|
||||
test_title: 920274-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost%1F"
|
||||
output:
|
||||
status: [200, 403, 400]
|
||||
# log_contains: "id \"920274\""
|
||||
-
|
||||
test_title: 920274-2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/index.html?test=test1"
|
||||
headers:
|
||||
User-Agent: "<ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920274\""
|
||||
-
|
||||
test_title: 920274-3
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1HI"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Test: "ThisISATEST%5F"
|
||||
output:
|
||||
no_log_contains: "id \"920274\""
|
||||
-
|
||||
test_title: 920274-4
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1HI"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Test: "ThisIsATest%60"
|
||||
output:
|
||||
log_contains: "id \"920274\""
|
||||
-
|
||||
test_title: 920274-5
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1HI"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Cookie: "ThisIsATest%60"
|
||||
output:
|
||||
no_log_contains: "id \"920274\""
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920274.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
- # Apache will just error on this and return 400
|
||||
# as a result we look for forbidden or 400
|
||||
# In the future FTW should support OR versus AND output
|
||||
# https://github.com/CRS-support/ftw/issues/19
|
||||
test_title: 920274-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost%1F"
|
||||
output:
|
||||
status: [200, 403, 400]
|
||||
# log_contains: "id \"920274\""
|
||||
- test_title: 920274-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/index.html?test=test1"
|
||||
headers:
|
||||
User-Agent: "<ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920274\""
|
||||
- test_title: 920274-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1HI"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Test: "ThisISATEST%5F"
|
||||
output:
|
||||
no_log_contains: "id \"920274\""
|
||||
- test_title: 920274-4
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1HI"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Test: "ThisIsATest%60"
|
||||
output:
|
||||
log_contains: "id \"920274\""
|
||||
- test_title: 920274-5
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?test=test1HI"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Cookie: "ThisIsATest%60"
|
||||
output:
|
||||
no_log_contains: "id \"920274\""
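Review bot: Test 920274-1 can pass without rule 920274 ever matching, because its expected output is `status: [200, 403, 400]` and the `log_contains` check stays commented out on the new side. A request carrying `Host: "localhost%1F"` that is simply served with a 200 therefore counts as success. The comment above the test explains that Apache answers 400 before CRS sees the request, which justifies 400 but not 200. Where the suite runs against a server that does pass the request to ModSecurity, consider a backend-specific copy of the test that asserts `log_contains: "id \"920274\""`, or at least extend the comment to say why 200 is accepted. These files appear to be imported from the upstream rule set, so the change may belong upstream.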
|
||||
|
|
|
@ -1,47 +1,41 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920280.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
-
|
||||
test_title: 920280-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
version: "HTTP/1.0"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
output:
|
||||
log_contains: "id \"920280\""
|
||||
-
|
||||
test_title: 920280-2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920280\""
|
||||
-
|
||||
test_title: 920280-3
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
version: "HTTP/0.9"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
output:
|
||||
# Technically valid but Apache doesn't allow 0.9 anymore
|
||||
status: 400
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920280.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
- test_title: 920280-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
version: "HTTP/1.0"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
output:
|
||||
log_contains: "id \"920280\""
|
||||
- test_title: 920280-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920280\""
|
||||
- test_title: 920280-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
version: "HTTP/0.9"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
output:
|
||||
# Technically valid but Apache doesn't allow 0.9 anymore
|
||||
status: [400]
|
||||
|
|
|
@ -1,51 +1,21 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920290.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
-
|
||||
# Apache will block this with a 400 and it will
|
||||
# never get to CRS. We will fix this more when
|
||||
# FTW supports the OR operator for outputs.
|
||||
test_title: 920290-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: ""
|
||||
output:
|
||||
status: [403, 400]
|
||||
#log_contains: "id \"920290\""
|
||||
|
||||
#-
|
||||
#test_title: 920290-2
|
||||
#stages:
|
||||
# -
|
||||
# stage:
|
||||
# input:
|
||||
# dest_addr: "127.0.0.1"
|
||||
# port: 80
|
||||
# headers:
|
||||
# User-Agent: "ModSecurity CRS 3 Tests"
|
||||
# Host: "%00"
|
||||
# output:
|
||||
# no_log_contains: "id \"920290\""
|
||||
# -
|
||||
# test_title: 920290-3
|
||||
# stages:
|
||||
# -
|
||||
# stage:
|
||||
# input:
|
||||
# dest_addr: "127.0.0.1"
|
||||
# port: 80
|
||||
# headers:
|
||||
# User-Agent: "ModSecurity CRS 3 Tests"
|
||||
# Host: "localhost"
|
||||
# output:
|
||||
# no_log_contains: "id \"920290\""
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920290.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
- # Apache will block this with a 400 and it will
|
||||
# never get to CRS. We will fix this more when
|
||||
# FTW supports the OR operator for outputs.
|
||||
test_title: 920290-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: ""
|
||||
output:
|
||||
status: [403, 400]
|
||||
|
|
|
@ -1,30 +1,28 @@
|
|||
---
|
||||
meta:
|
||||
author: csanders-git
|
||||
description: None
|
||||
enabled: true
|
||||
name: 920300.yaml
|
||||
tests:
|
||||
-
|
||||
test_title: 920300-1
|
||||
meta:
|
||||
author: csanders-git
|
||||
description: None
|
||||
enabled: true
|
||||
name: 920300.yaml
|
||||
tests:
|
||||
- test_title: 920300-1
|
||||
desc: Request Missing an Accept Header (920300) from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
|
||||
Accept-Encoding: gzip,deflate
|
||||
Accept-Language: en-us,en;q=0.5
|
||||
Host: localhost
|
||||
Keep-Alive: '300'
|
||||
Proxy-Connection: keep-alive
|
||||
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /
|
||||
version: HTTP/1.0
|
||||
data: ''
|
||||
output:
|
||||
log_contains: id "920300"
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
|
||||
Accept-Encoding: gzip,deflate
|
||||
Accept-Language: en-us,en;q=0.5
|
||||
Host: localhost
|
||||
Keep-Alive: '300'
|
||||
Proxy-Connection: keep-alive
|
||||
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /
|
||||
version: HTTP/1.0
|
||||
data: ''
|
||||
output:
|
||||
log_contains: id "920300"
|
||||
|
|
|
@ -1,93 +1,80 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920310.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
-
|
||||
test_title: 920310-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Accept: ""
|
||||
output:
|
||||
log_contains: "id \"920310\""
|
||||
-
|
||||
test_title: 920310-2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "OPTIONS"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Accept: ""
|
||||
output:
|
||||
no_log_contains: "id \"920310\""
|
||||
-
|
||||
test_title: 920310-3
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests Enterprise"
|
||||
Host: "localhost"
|
||||
Accept: ""
|
||||
output:
|
||||
no_log_contains: "id \"920310\""
|
||||
-
|
||||
test_title: 920310-4
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: lol
|
||||
Host: "localhost"
|
||||
Accept: ""
|
||||
output:
|
||||
log_contains: "id \"920310\""
|
||||
|
||||
-
|
||||
test_title: 920310-5
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "Business/6.6.1.2 CFNetwork/758.5.3 Darwin/15.6.0"
|
||||
Host: "localhost"
|
||||
Accept: ""
|
||||
output:
|
||||
no_log_contains: "id \"920310\""
|
||||
-
|
||||
test_title: 920310-6
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "Entreprise/6.5.0.177 CFNetwork/758.4.3 Darwin/15.5.0"
|
||||
Host: "localhost"
|
||||
Accept: ""
|
||||
output:
|
||||
no_log_contains: "id \"920310\""
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920310.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
- test_title: 920310-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Accept: ""
|
||||
output:
|
||||
log_contains: "id \"920310\""
|
||||
- test_title: 920310-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "OPTIONS"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Accept: ""
|
||||
output:
|
||||
no_log_contains: "id \"920310\""
|
||||
- test_title: 920310-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests Enterprise"
|
||||
Host: "localhost"
|
||||
Accept: ""
|
||||
output:
|
||||
no_log_contains: "id \"920310\""
|
||||
- test_title: 920310-4
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: lol
|
||||
Host: "localhost"
|
||||
Accept: ""
|
||||
output:
|
||||
log_contains: "id \"920310\""
|
||||
- test_title: 920310-5
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "Business/6.6.1.2 CFNetwork/758.5.3 Darwin/15.6.0"
|
||||
Host: "localhost"
|
||||
Accept: ""
|
||||
output:
|
||||
no_log_contains: "id \"920310\""
|
||||
- test_title: 920310-6
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "Entreprise/6.5.0.177 CFNetwork/758.4.3 Darwin/15.5.0"
|
||||
Host: "localhost"
|
||||
Accept: ""
|
||||
output:
|
||||
no_log_contains: "id \"920310\""
|
||||
|
|
|
@ -1,48 +1,42 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920311.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
-
|
||||
test_title: 920311-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
Host: "localhost"
|
||||
Accept: ""
|
||||
output:
|
||||
log_contains: "id \"920311\""
|
||||
-
|
||||
test_title: 920311-2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "OPTIONS"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
Accept: ""
|
||||
output:
|
||||
no_log_contains: "id \"920311\""
|
||||
-
|
||||
test_title: 920311-3
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests Enterprise"
|
||||
Host: "localhost"
|
||||
Accept: "text/plain, text/html"
|
||||
output:
|
||||
no_log_contains: "id \"920311\""
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920311.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
- test_title: 920311-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
Host: "localhost"
|
||||
Accept: ""
|
||||
output:
|
||||
log_contains: "id \"920311\""
|
||||
- test_title: 920311-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "OPTIONS"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
Accept: ""
|
||||
output:
|
||||
no_log_contains: "id \"920311\""
|
||||
- test_title: 920311-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests Enterprise"
|
||||
Host: "localhost"
|
||||
Accept: "text/plain, text/html"
|
||||
output:
|
||||
no_log_contains: "id \"920311\""
|
||||
|
|
|
@ -1,32 +1,28 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920320.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
-
|
||||
test_title: 920320-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920320\""
|
||||
-
|
||||
test_title: 920320-2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests Enterprise"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920320\""
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920320.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
- test_title: 920320-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920320\""
|
||||
- test_title: 920320-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests Enterprise"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920320\""
|
||||
|
|
|
@ -1,33 +1,29 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920320.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
-
|
||||
test_title: 920330-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: ""
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920330\""
|
||||
-
|
||||
test_title: 920330-2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests Enterprise"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920330\""
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920320.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
- test_title: 920330-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: ""
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920330\""
|
||||
- test_title: 920330-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests Enterprise"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920330\""
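Review bot: The `meta` block on the new side still reads `name: "920320.yaml"`, although both tests in this file are titled 920330-x and check `id \"920330\"`. It looks like a copy-paste from the preceding file that the reformat carried over unchanged. Suggest `name: "920330.yaml"` so that any report keyed on the meta name does not attribute these results to the 920320 tests. Whether the runner uses `meta.name` for more than display is not visible here.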
|
||||
|
|
|
@ -1,38 +1,34 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920340.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
-
|
||||
test_title: 920340-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Length: "2"
|
||||
data: "xy"
|
||||
stop_magic: true
|
||||
output:
|
||||
log_contains: "id \"920340\""
|
||||
-
|
||||
test_title: 920340-2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Length: "50"
|
||||
stop_magic: true
|
||||
output:
|
||||
expect_error: true
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920340.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
- test_title: 920340-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Length: "2"
|
||||
data: "xy"
|
||||
stop_magic: true
|
||||
output:
|
||||
log_contains: "id \"920340\""
|
||||
- test_title: 920340-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Length: "50"
|
||||
stop_magic: true
|
||||
output:
|
||||
expect_error: true
|
||||
|
|
|
@ -1,55 +1,49 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920350.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
-
|
||||
test_title: 920350-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "127.0.0.1"
|
||||
protocol: "http"
|
||||
uri: "/"
|
||||
output:
|
||||
log_contains: "id \"920350\""
|
||||
-
|
||||
test_title: 920350-2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "localhost"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
protocol: "http"
|
||||
uri: "/"
|
||||
output:
|
||||
no_log_contains: "id \"920350\""
|
||||
-
|
||||
test_title: 920350-3
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "localhost"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "1.2.3.4"
|
||||
protocol: "http"
|
||||
uri: "/"
|
||||
output:
|
||||
log_contains: "id \"920350\""
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920350.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
- test_title: 920350-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "127.0.0.1"
|
||||
protocol: "http"
|
||||
uri: "/"
|
||||
output:
|
||||
log_contains: "id \"920350\""
|
||||
- test_title: 920350-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "localhost"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
protocol: "http"
|
||||
uri: "/"
|
||||
output:
|
||||
no_log_contains: "id \"920350\""
|
||||
- test_title: 920350-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "localhost"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "1.2.3.4"
|
||||
protocol: "http"
|
||||
uri: "/"
|
||||
output:
|
||||
log_contains: "id \"920350\""
|
||||
|
|
|
@ -1,31 +1,29 @@
|
|||
---
|
||||
meta:
|
||||
author: csanders-git
|
||||
description: None
|
||||
# ARG_NAME_LENGTH needs to be set in crs-config
|
||||
enabled: false
|
||||
name: 920360.yaml
|
||||
tests:
|
||||
-
|
||||
test_title: 920360-1
|
||||
meta:
|
||||
author: csanders-git
|
||||
description: None
|
||||
# ARG_NAME_LENGTH needs to be set in crs-config
|
||||
enabled: false
|
||||
name: 920360.yaml
|
||||
tests:
|
||||
- test_title: 920360-1
|
||||
desc: Argument name too long (920360) from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
|
||||
Accept-Encoding: gzip,deflate
|
||||
Accept-Language: en-us,en;q=0.5
|
||||
Host: localhost
|
||||
Keep-Alive: '300'
|
||||
Proxy-Connection: keep-alive
|
||||
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /?11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111=foo
|
||||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "920360"
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
|
||||
Accept-Encoding: gzip,deflate
|
||||
Accept-Language: en-us,en;q=0.5
|
||||
Host: localhost
|
||||
Keep-Alive: '300'
|
||||
Proxy-Connection: keep-alive
|
||||
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /?11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111=foo
|
||||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "920360"
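Review bot: This file keeps `enabled: false`, so the argument-name-length check for rule 920360 has no regression coverage after the update. The files for 920370 and 920380 further down are disabled in the same way. The only explanation is the one-line comment, and the wording differs between files ("crs-config" here, "crs-setup" in 920380). Consider making the prerequisite explicit, e.g. `# disabled: requires tx.arg_name_length to be set in crs-setup.conf`, and tracking whether the test environment can set it so the tests can be turned on. `description: None` could also state what the test covers.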
|
||||
|
|
|
@ -1,31 +1,29 @@
|
|||
---
|
||||
meta:
|
||||
author: csanders-git
|
||||
description: None
|
||||
# PCRE limits need to be set higher to process this
|
||||
enabled: false
|
||||
name: 920370.yaml
|
||||
tests:
|
||||
-
|
||||
test_title: 920370-1
|
||||
meta:
|
||||
author: csanders-git
|
||||
description: None
|
||||
# PCRE limits need to be set higher to process this
|
||||
enabled: false
|
||||
name: 920370.yaml
|
||||
tests:
|
||||
- test_title: 920370-1
|
||||
desc: Argument value too long (920370) from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
|
||||
Accept-Encoding: gzip,deflate
|
||||
Accept-Language: en-us,en;q=0.5
|
||||
Host: localhost
|
||||
Keep-Alive: '300'
|
||||
Proxy-Connection: keep-alive
|
||||
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /?foo=11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
|
||||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "920370"
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
|
||||
Accept-Encoding: gzip,deflate
|
||||
Accept-Language: en-us,en;q=0.5
|
||||
Host: localhost
|
||||
Keep-Alive: '300'
|
||||
Proxy-Connection: keep-alive
|
||||
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /?foo=11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
|
||||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "920370"
|
||||
|
|
|
@ -1,31 +1,28 @@
|
|||
---
|
||||
meta:
|
||||
author: csanders-git
|
||||
description: None
|
||||
# MAX_NUM_ARGS needs to be set in crs-setup
|
||||
enabled: false
|
||||
name: 920380.yaml
|
||||
tests:
|
||||
-
|
||||
test_title: 920380-1
|
||||
meta:
|
||||
author: csanders-git
|
||||
description: None
|
||||
# MAX_NUM_ARGS needs to be set in crs-setup
|
||||
enabled: false
|
||||
name: 920380.yaml
|
||||
tests:
|
||||
- test_title: 920380-1
|
||||
desc: Too many arguments in request (920380) from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
|
||||
Accept-Encoding: gzip,deflate
|
||||
Accept-Language: en-us,en;q=0.5
|
||||
Host: localhost
|
||||
Keep-Alive: '300'
|
||||
Proxy-Connection: keep-alive
|
||||
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /?param1=1¶m2=1¶m3=1¶m4=1¶m5=1¶m6=1¶m7=1¶m8=1¶m9=1¶m10=1¶m11=1¶m12=1¶m13=1¶m14=1¶m15=1¶m16=1¶m17=1¶m18=1¶m19=1¶m20=1¶m21=1¶m22=1¶m23=1¶m24=1¶m25=1¶m26=1¶m27=1¶m28=1¶m29=1¶m30=1¶m31=1¶m32=1¶m33=1¶m34=1¶m35=1¶m36=1¶m37=1¶m38=1¶m39=1¶m40=1¶m41=1¶m42=1¶m43=1¶m44=1¶m45=1¶m46=1¶m47=1¶m48=1¶m49=1¶m50=1¶m51=1¶m52=1¶m53=1¶m54=1¶m55=1¶m56=1¶m57=1¶m58=1¶m59=1¶m60=1¶m61=1¶m62=1¶m63=1¶m64=1¶m65=1¶m66=1¶m67=1¶m68=1¶m69=1¶m70=1¶m71=1¶m72=1¶m73=1¶m74=1¶m75=1¶m76=1¶m77=1¶m78=1¶m79=1¶m80=1¶m81=1¶m82=1¶m83=1¶m84=1¶m85=1¶m86=1¶m87=1¶m88=1¶m89=1¶m90=1¶m91=1¶m92=1¶m93=1¶m94=1¶m95=1¶m96=1¶m97=1¶m98=1¶m99=1¶m100=1¶m101=1¶m102=1¶m103=1¶m104=1¶m105=1¶m106=1¶m107=1¶m108=1¶m109=1¶m110=1¶m111=1¶m112=1¶m113=1¶m114=1¶m115=1¶m116=1¶m117=1¶m118=1¶m119=1¶m120=1¶m121=1¶m122=1¶m123=1¶m124=1¶m125=1¶m126=1¶m127=1¶m128=1¶m129=1¶m130=1¶m131=1¶m132=1¶m133=1¶m134=1¶m135=1¶m136=1¶m137=1¶m138=1¶m139=1¶m140=1¶m141=1¶m142=1¶m143=1¶m144=1¶m145=1¶m146=1¶m147=1¶m148=1¶m149=1¶m150=1¶m151=1¶m152=1¶m153=1¶m154=1¶m155=1¶m156=1¶m157=1¶m158=1¶m159=1¶m160=1¶m161=1¶m162=1¶m163=1¶m164=1¶m165=1¶m166=1¶m167=1¶m168=1¶m169=1¶m170=1¶m171=1¶m172=1¶m173=1¶m174=1¶m175=1¶m176=1¶m177=1¶m178=1¶m179=1¶m180=1¶m181=1¶m182=1¶m183=1¶m184=1¶m185=1¶m186=1¶m187=1¶m188=1¶m189=1¶m190=1¶m191=1¶m192=1¶m193=1¶m194=1¶m195=1¶m196=1¶m197=1¶m198=1¶m199=1¶m200=1¶m201=1¶m202=1¶m203=1¶m204=1¶m205=1¶m206=1¶m207=1¶m208=1¶m209=1¶m210=1¶m211=1¶m212=1¶m213=1¶m214=1¶m215=1¶m216=1¶m217=1¶m218=1¶m219=1¶m220=1¶m221=1¶m222=1¶m223=1¶m224=1¶m225=1¶m226=1¶m227=1¶m228=1¶m229=1¶m230=1¶m231=1¶m232=1¶m233=1¶m234=1¶m235=1¶m236=1¶m237=1¶m238=1¶m239=1¶m240=1¶m241=1¶m242=1¶m243=1¶m244=1¶m245=1¶m246=1¶m247=1¶m248=1¶m249=1¶m250=1¶m251=1¶m252=1¶m253=1¶m254=1¶m255=1¶m256=1
|
||||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "920380"
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
Accept-Encoding: gzip,deflate
|
||||
Accept-Language: en-us,en;q=0.5
|
||||
Host: localhost
|
||||
Keep-Alive: '300'
|
||||
Proxy-Connection: keep-alive
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /?param1=1¶m2=1¶m3=1¶m4=1¶m5=1¶m6=1¶m7=1¶m8=1¶m9=1¶m10=1¶m11=1¶m12=1¶m13=1¶m14=1¶m15=1¶m16=1¶m17=1¶m18=1¶m19=1¶m20=1¶m21=1¶m22=1¶m23=1¶m24=1¶m25=1¶m26=1¶m27=1¶m28=1¶m29=1¶m30=1¶m31=1¶m32=1¶m33=1¶m34=1¶m35=1¶m36=1¶m37=1¶m38=1¶m39=1¶m40=1¶m41=1¶m42=1¶m43=1¶m44=1¶m45=1¶m46=1¶m47=1¶m48=1¶m49=1¶m50=1¶m51=1¶m52=1¶m53=1¶m54=1¶m55=1¶m56=1¶m57=1¶m58=1¶m59=1¶m60=1¶m61=1¶m62=1¶m63=1¶m64=1¶m65=1¶m66=1¶m67=1¶m68=1¶m69=1¶m70=1¶m71=1¶m72=1¶m73=1¶m74=1¶m75=1¶m76=1¶m77=1¶m78=1¶m79=1¶m80=1¶m81=1¶m82=1¶m83=1¶m84=1¶m85=1¶m86=1¶m87=1¶m88=1¶m89=1¶m90=1¶m91=1¶m92=1¶m93=1¶m94=1¶m95=1¶m96=1¶m97=1¶m98=1¶m99=1¶m100=1¶m101=1¶m102=1¶m103=1¶m104=1¶m105=1¶m106=1¶m107=1¶m108=1¶m109=1¶m110=1¶m111=1¶m112=1¶m113=1¶m114=1¶m115=1¶m116=1¶m117=1¶m118=1¶m119=1¶m120=1¶m121=1¶m122=1¶m123=1¶m124=1¶m125=1¶m126=1¶m127=1¶m128=1¶m129=1¶m130=1¶m131=1¶m132=1¶m133=1¶m134=1¶m135=1¶m136=1¶m137=1¶m138=1¶m139=1¶m140=1¶m141=1¶m142=1¶m143=1¶m144=1¶m145=1¶m146=1¶m147=1¶m148=1¶m149=1¶m150=1¶m151=1¶m152=1¶m153=1¶m154=1¶m155=1¶m156=1¶m157=1¶m158=1¶m159=1¶m160=1¶m161=1¶m162=1¶m163=1¶m164=1¶m165=1¶m166=1¶m167=1¶m168=1¶m169=1¶m170=1¶m171=1¶m172=1¶m173=1¶m174=1¶m175=1¶m176=1¶m177=1¶m178=1¶m179=1¶m180=1¶m181=1¶m182=1¶m183=1¶m184=1¶m185=1¶m186=1¶m187=1¶m188=1¶m189=1¶m190=1¶m191=1¶m192=1¶m193=1¶m194=1¶m195=1¶m196=1¶m197=1¶m198=1¶m199=1¶m200=1¶m201=1¶m202=1¶m203=1¶m204=1¶m205=1¶m206=1¶m207=1¶m208=1¶m209=1¶m210=1¶m211=1¶m212=1¶m213=1¶m214=1¶m215=1¶m216=1¶m217=1¶m218=1¶m219=1¶m220=1¶m221=1¶m222=1¶m223=1¶m224=1¶m225=1¶m226=1¶m227=1¶m228=1¶m229=1¶m230=1¶m231=1¶m232=1¶m233=1¶m234=1¶m235=1¶m236=1¶m237=1¶m238=1¶m239=1¶m240=1¶m241=1¶m242=1¶m243=1¶m244=1¶m245=1¶m246=1¶m247=1¶m248=1¶m249=1¶m250=1¶m251=1¶m252=1¶m253=1¶m254=1¶m255=1¶m256=1
|
||||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "920380"
|
||||
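Review bot: `enabled: false` is carried over unchanged, so rule 920380 (too many arguments) gets no regression coverage from this file, and the only explanation is the one-line comment `# MAX_NUM_ARGS needs to be set in crs-setup`. The request appears to send `param1` through `param256`, so the test can only pass when the configured limit is below 256, and the comment should say so, e.g. `# Disabled: needs tx.max_num_args set in crs-setup.conf to a value below the 256 arguments sent here`. Anyone shipping this rule set should check that the limit is actually configured, since this suite will not notice if it is missing.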
|
|
File diff suppressed because one or more lines are too long
|
@ -1,52 +1,50 @@
|
|||
---
|
||||
meta:
|
||||
author: csanders-git
|
||||
description: None
|
||||
enabled: true
|
||||
name: 920400.yaml
|
||||
tests:
|
||||
-
|
||||
test_title: 920400-1
|
||||
meta:
|
||||
author: csanders-git
|
||||
description: None
|
||||
enabled: true
|
||||
name: 920400.yaml
|
||||
tests:
|
||||
- test_title: 920400-1
|
||||
desc: Uploaded file size too large (920400) from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
|
||||
Accept-Encoding: gzip,deflate
|
||||
Accept-Language: en-us,en;q=0.5
|
||||
Content-Length: '10485760'
|
||||
Content-Type: multipart/form-data; boundary=---------------------------265001916915724
|
||||
Host: localhost
|
||||
Keep-Alive: '300'
|
||||
Proxy-Connection: keep-alive
|
||||
Referer: http
|
||||
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /
|
||||
version: HTTP/1.1
|
||||
data:
|
||||
- '-----------------------------265001916915724'
|
||||
- 'Content-Disposition: form-data; name="file"; filename="test"'
|
||||
- 'Content-Type: application/octet-stream'
|
||||
- ''
|
||||
- Rotem & Ayala
|
||||
- ''
|
||||
- '-----------------------------265001916915724'
|
||||
- 'Content-Disposition: form-data; name="name"'
|
||||
- ''
|
||||
- tt2
|
||||
- '-----------------------------265001916915724'
|
||||
- 'Content-Disposition: form-data; name="B1"'
|
||||
- ''
|
||||
- Submit
|
||||
- '-----------------------------265001916915724--'
|
||||
output:
|
||||
# Most web servers simply won't respond to invalid requests like
|
||||
# like this they'll just time out when we get OR type checks
|
||||
# we'll be able to check for both an error or the rule firing
|
||||
expect_error: true
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
|
||||
Accept-Encoding: gzip,deflate
|
||||
Accept-Language: en-us,en;q=0.5
|
||||
Content-Length: '10485760'
|
||||
Content-Type: multipart/form-data; boundary=---------------------------265001916915724
|
||||
Host: localhost
|
||||
Keep-Alive: '300'
|
||||
Proxy-Connection: keep-alive
|
||||
Referer: http
|
||||
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /
|
||||
version: HTTP/1.1
|
||||
data: |
|
||||
-----------------------------265001916915724
|
||||
Content-Disposition: form-data; name="file"; filename="test"
|
||||
Content-Type: application/octet-stream
|
||||
|
||||
Rotem & Ayala
|
||||
|
||||
-----------------------------265001916915724
|
||||
Content-Disposition: form-data; name="name"
|
||||
|
||||
tt2
|
||||
-----------------------------265001916915724
|
||||
Content-Disposition: form-data; name="B1"
|
||||
|
||||
Submit
|
||||
-----------------------------265001916915724--
|
||||
output:
|
||||
# Most web servers simply won't respond to invalid requests like
|
||||
# like this they'll just time out when we get OR type checks
|
||||
# we'll be able to check for both an error or the rule firing
|
||||
expect_error: true
|
||||
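Review bot: The new stage asserts only `expect_error: true`, so it passes on any connection error or timeout and never shows that rule 920400 matched. The declared `Content-Length: '10485760'` is far larger than the multipart body under `data: |`, which is presumably why the server stalls as the comment describes. The comment itself is hard to read ("like" is doubled across its first two lines and the sentences run together). I would reword it to `# The declared Content-Length exceeds the body, so most servers wait and time out.` followed by `# Until the harness supports OR checks, only the error can be asserted, not the rule ID.`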
|
|
|
@ -81,21 +81,21 @@ tests:
|
|||
port: 80
|
||||
uri: /
|
||||
version: HTTP/1.1
|
||||
data:
|
||||
- --0000
|
||||
- 'Content-Disposition: form-data; name="name"'
|
||||
- ''
|
||||
- John Smith
|
||||
- --0000
|
||||
- 'Content-Disposition: form-data; name="email"'
|
||||
- ''
|
||||
- john.smith@example.com
|
||||
- --0000
|
||||
- 'Content-Disposition: form-data; name="image"; filename="image.jpg"'
|
||||
- 'Content-Type: image/jpeg'
|
||||
- ''
|
||||
- BINARYDATA
|
||||
- --0000--
|
||||
data: |
|
||||
--0000
|
||||
Content-Disposition: form-data; name="name"
|
||||
|
||||
John Smith
|
||||
--0000
|
||||
Content-Disposition: form-data; name="email"
|
||||
|
||||
john.smith@example.com
|
||||
--0000
|
||||
Content-Disposition: form-data; name="image"; filename="image.jpg"
|
||||
Content-Type: image/jpeg
|
||||
|
||||
BINARYDATA
|
||||
--0000--
|
||||
output:
|
||||
log_contains: id "920420"
|
||||
- test_title: 920420-6
|
||||
|
@ -118,21 +118,21 @@ tests:
|
|||
port: 80
|
||||
uri: /
|
||||
version: HTTP/1.1
|
||||
data:
|
||||
- --0000
|
||||
- 'Content-Disposition: form-data; name="name"'
|
||||
- ''
|
||||
- John Smith
|
||||
- --0000
|
||||
- 'Content-Disposition: form-data; name="email"'
|
||||
- ''
|
||||
- john.smith@example.com
|
||||
- --0000
|
||||
- 'Content-Disposition: form-data; name="image"; filename="image.jpg"'
|
||||
- 'Content-Type: image/jpeg'
|
||||
- ''
|
||||
- BINARYDATA
|
||||
- --0000--
|
||||
data: |
|
||||
--0000
|
||||
Content-Disposition: form-data; name="name"
|
||||
|
||||
John Smith
|
||||
--0000
|
||||
Content-Disposition: form-data; name="email"
|
||||
|
||||
john.smith@example.com
|
||||
--0000
|
||||
Content-Disposition: form-data; name="image"; filename="image.jpg"
|
||||
Content-Type: image/jpeg
|
||||
|
||||
BINARYDATA
|
||||
--0000--
|
||||
output:
|
||||
log_contains: id "920420"
|
||||
- test_title: 920420-7
|
||||
|
@ -155,21 +155,21 @@ tests:
|
|||
port: 80
|
||||
uri: /
|
||||
version: HTTP/1.1
|
||||
data:
|
||||
- --0000
|
||||
- 'Content-Disposition: form-data; name="name"'
|
||||
- ''
|
||||
- John Smith
|
||||
- --0000
|
||||
- 'Content-Disposition: form-data; name="email"'
|
||||
- ''
|
||||
- john.smith@example.com
|
||||
- --0000
|
||||
- 'Content-Disposition: form-data; name="image"; filename="image.jpg"'
|
||||
- 'Content-Type: image/jpeg'
|
||||
- ''
|
||||
- BINARYDATA
|
||||
- --0000--
|
||||
data: |
|
||||
--0000
|
||||
Content-Disposition: form-data; name="name"
|
||||
|
||||
John Smith
|
||||
--0000
|
||||
Content-Disposition: form-data; name="email"
|
||||
|
||||
john.smith@example.com
|
||||
--0000
|
||||
Content-Disposition: form-data; name="image"; filename="image.jpg"
|
||||
Content-Type: image/jpeg
|
||||
|
||||
BINARYDATA
|
||||
--0000--
|
||||
output:
|
||||
log_contains: id "920420"
|
||||
- test_title: 920420-8
|
||||
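Review bot: Replacing the `data:` list with a `data: |` block scalar may change the bytes sent: a literal block yields LF-separated lines, while multipart/form-data parts are delimited with CRLF, and how the harness serialises either form is not visible in these hunks. If the body is now malformed multipart, `log_contains: id "920420"` could still pass while the request takes a different parsing path than before, so it is worth confirming on one run that the body arrives with the intended line endings. The same conversion appears in the hunks at -118 and -155, and a short comment above the first `data: |`, such as `# body is sent as written; line endings are LF unless the harness converts them`, would record the assumption. Each stage begins outside its hunk, so the request headers are not visible here.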
|
|
|
@ -1,121 +1,104 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920430.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
-
|
||||
test_title: 920430-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
version: "HTTP/1.1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920430\""
|
||||
-
|
||||
test_title: 920430-2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
version: "HTTP/1.0"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920430\""
|
||||
-
|
||||
test_title: 920430-3
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
version: "HTTP/0.9"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
status: [403, 400]
|
||||
# log_contains: "id \"920430\""
|
||||
-
|
||||
test_title: 920430-4
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
version: "HTTP/2"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920430\""
|
||||
-
|
||||
# Currently FTW won't process HTTP 1.0 simple response items
|
||||
# This request generates such a response, so even though it will
|
||||
# generate the alert, it will error.
|
||||
test_title: 920430-5
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
version: ""
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests #FN"
|
||||
Host: "localhost"
|
||||
output:
|
||||
expect_error: true
|
||||
-
|
||||
test_title: 920430-6
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
version: "1.1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests #FN"
|
||||
Host: "localhost"
|
||||
output:
|
||||
status: [403, 400]
|
||||
# log_contains: "id \"920430\""
|
||||
-
|
||||
test_title: 920430-7
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
version: "TEST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
status: [403, 400]
|
||||
# log_contains: "id \"920430\""
|
||||
|
||||
-
|
||||
test_title: 920430-8
|
||||
desc: HTTP protocol version is not allowed by policy (920430) from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920430.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
- test_title: 920430-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
version: "HTTP/1.1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920430\""
|
||||
- test_title: 920430-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
version: "HTTP/1.0"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920430\""
|
||||
- test_title: 920430-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
version: "HTTP/0.9"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
status: [403, 400]
|
||||
# log_contains: "id \"920430\""
|
||||
- test_title: 920430-4
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
version: "HTTP/2"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920430\""
|
||||
- # Currently FTW won't process HTTP 1.0 simple response items
|
||||
# This request generates such a response, so even though it will
|
||||
# generate the alert, it will error.
|
||||
test_title: 920430-5
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
version: ""
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests #FN"
|
||||
Host: "localhost"
|
||||
output:
|
||||
expect_error: true
|
||||
- test_title: 920430-6
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
version: "1.1"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests #FN"
|
||||
Host: "localhost"
|
||||
output:
|
||||
status: [403, 400]
|
||||
# log_contains: "id \"920430\""
|
||||
- test_title: 920430-7
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
version: "TEST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
status: [403, 400]
|
||||
# log_contains: "id \"920430\""
|
||||
- test_title: 920430-8
|
||||
desc: HTTP protocol version is not allowed by policy (920430) from old modsec regressions
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
@ -133,13 +116,10 @@
|
|||
version: HTTP/3.0
|
||||
output:
|
||||
log_contains: id "920430"
|
||||
|
||||
-
|
||||
test_title: 920430-9
|
||||
desc: HTTP protocol version is not allowed by policy (920430) from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
- test_title: 920430-9
|
||||
desc: HTTP protocol version is not allowed by policy (920430) from old modsec regressions
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
@ -157,13 +137,10 @@
|
|||
version: HTTP/0.8
|
||||
output:
|
||||
status: [403, 400]
|
||||
#log_contains: id "920430"
|
||||
-
|
||||
test_title: 920430-10
|
||||
desc: HTTP protocol version is not allowed by policy (920430) from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
- test_title: 920430-10
|
||||
desc: HTTP protocol version is not allowed by policy (920430) from old modsec regressions
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
@ -180,5 +157,5 @@
|
|||
uri: /
|
||||
version: JUNK/1.0
|
||||
output:
|
||||
status: [403, 400]
|
||||
# log_contains: id "920430"
|
||||
status: [403, 400]
|
||||
# log_contains: id "920430"
|
||||
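Review bot: Tests 920430-3, -6 and -7 (and -9 and -10 in the later hunks) assert only `status: [403, 400]` with `log_contains` commented out, so a 400 produced by the web server's own request parser satisfies them even if rule 920430 never runs. Among the visible stages, that leaves the policy's blocking side checked against the log only by the `HTTP/3.0` stage with `log_contains: id "920430"`. If the log check cannot be re-enabled, say why next to each disabled line, e.g. `# log_contains disabled: <reason>; a 400 here may come from the web server, not the rule`, so a passing status is not read as proof that the rule matched.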
|
|
|
@ -26,7 +26,6 @@ tests:
|
|||
version: HTTP/1.1
|
||||
output:
|
||||
log_contains: id "920440"
|
||||
|
||||
- test_title: 920440-2
|
||||
desc: URL file extension is restricted by policy (920440) from old modsec regressions
|
||||
stages:
|
||||
|
|
|
@ -1,59 +1,50 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git, karelorigin"
|
||||
enabled: true
|
||||
name: "920450.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
-
|
||||
test_title: 920450-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-range: "test"
|
||||
output:
|
||||
log_contains: "id \"920450\""
|
||||
-
|
||||
test_title: 920450-2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
If: "test"
|
||||
output:
|
||||
log_contains: "id \"920450\""
|
||||
-
|
||||
test_title: 920450-3
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
lock-token: "test"
|
||||
output:
|
||||
log_contains: "id \"920450\""
|
||||
|
||||
-
|
||||
test_title: 920450-4
|
||||
desc: HTTP header is restricted by policy (920450) from old modsec regressions, we no longer block proxy-connection in 3.0
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
meta:
|
||||
author: "csanders-git, karelorigin"
|
||||
enabled: true
|
||||
name: "920450.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
- test_title: 920450-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-range: "test"
|
||||
output:
|
||||
log_contains: "id \"920450\""
|
||||
- test_title: 920450-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
If: "test"
|
||||
output:
|
||||
log_contains: "id \"920450\""
|
||||
- test_title: 920450-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
lock-token: "test"
|
||||
output:
|
||||
log_contains: "id \"920450\""
|
||||
- test_title: 920450-4
|
||||
desc: HTTP header is restricted by policy (920450) from old modsec regressions, we no longer block proxy-connection in 3.0
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
@ -70,13 +61,10 @@
|
|||
version: HTTP/1.1
|
||||
output:
|
||||
no_log_contains: id "920450"
|
||||
|
||||
-
|
||||
test_title: 920450-5
|
||||
desc: HTTP header is restricted by policy (920450) from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
- test_title: 920450-5
|
||||
desc: HTTP header is restricted by policy (920450) from old modsec regressions
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
@ -94,52 +82,43 @@
|
|||
version: HTTP/1.1
|
||||
output:
|
||||
log_contains: id "920450"
|
||||
|
||||
-
|
||||
test_title: 920450-6
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Range: "test"
|
||||
output:
|
||||
no_log_contains: "id \"920450\""
|
||||
|
||||
-
|
||||
test_title: 920450-7
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "OWASP ModSecurity Core Rule Set"
|
||||
Host: "localhost"
|
||||
Accept: text/html
|
||||
Accept-Charset: UTF-8
|
||||
output:
|
||||
log_contains: "id \"920450\""
|
||||
|
||||
-
|
||||
test_title: 920450-8
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "OWASP ModSecurity Core Rule Set"
|
||||
Host: "localhost"
|
||||
Accept: text/html
|
||||
Content-Encoding: deflate
|
||||
output:
|
||||
log_contains: "id \"920450\""
|
||||
- test_title: 920450-6
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Range: "test"
|
||||
output:
|
||||
no_log_contains: "id \"920450\""
|
||||
- test_title: 920450-7
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "OWASP ModSecurity Core Rule Set"
|
||||
Host: "localhost"
|
||||
Accept: text/html
|
||||
Accept-Charset: UTF-8
|
||||
output:
|
||||
log_contains: "id \"920450\""
|
||||
- test_title: 920450-8
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "OWASP ModSecurity Core Rule Set"
|
||||
Host: "localhost"
|
||||
Accept: text/html
|
||||
Content-Encoding: deflate
|
||||
output:
|
||||
log_contains: "id \"920450\""
|
||||
|
|
|
@ -1,83 +1,73 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920460.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
-
|
||||
test_title: 920460-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
uri: "/"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
Accept: "*/*"
|
||||
Content-Length: 22
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
data: 'file=cat+/etc/\passw\d'
|
||||
stop_magic: true
|
||||
output:
|
||||
log_contains: "id \"920460\""
|
||||
-
|
||||
test_title: 920460-2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?file=cat+/etc/pa\\ssw\\d"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920460\""
|
||||
-
|
||||
test_title: 920460-3
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?file=\\c"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920460\""
|
||||
-
|
||||
test_title: 920460-4
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?file=\\\\c"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920460\""
|
||||
-
|
||||
test_title: 920460-5
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?file=\\\\\\c"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920460\""
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
enabled: true
|
||||
name: "920460.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
- test_title: 920460-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
uri: "/"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
Accept: "*/*"
|
||||
Content-Length: 22
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
data: 'file=cat+/etc/\passw\d'
|
||||
stop_magic: true
|
||||
output:
|
||||
log_contains: "id \"920460\""
|
||||
- test_title: 920460-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?file=cat+/etc/pa\\ssw\\d"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920460\""
|
||||
- test_title: 920460-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?file=\\c"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920460\""
|
||||
- test_title: 920460-4
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?file=\\\\c"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920460\""
|
||||
- test_title: 920460-5
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/?file=\\\\\\c"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920460\""
|
||||
|
|
|
@ -1,199 +1,199 @@
|
|||
---
|
||||
meta:
|
||||
author: "lifeforms, Franziska Bühler"
|
||||
enabled: true
|
||||
name: "920470.yaml"
|
||||
description: "Content-Type header format checks"
|
||||
tests:
|
||||
- test_title: 920470-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "%{(#nike='multipart/form-data').(#dm=@ognl"
|
||||
Content-Length: 0
|
||||
output:
|
||||
log_contains: "id \"920470\""
|
||||
- test_title: 920470-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: 'text/plain; charset="UTF-8"; garbage'
|
||||
Content-Length: 0
|
||||
output:
|
||||
log_contains: "id \"920470\""
|
||||
- test_title: 920470-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: 'text/plain; charset=/gar/bage'
|
||||
Content-Length: 0
|
||||
output:
|
||||
no_log_contains: "id \"920470\""
|
||||
- test_title: 920470-4
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
port: 80
|
||||
method: POST
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "text/plain"
|
||||
Content-Length: 0
|
||||
output:
|
||||
no_log_contains: "id \"920470\""
|
||||
- test_title: 920470-5
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
port: 80
|
||||
method: POST
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: 'text/plain; charset=UTF-8'
|
||||
output:
|
||||
no_log_contains: "id \"920470\""
|
||||
- test_title: 920470-6
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
port: 80
|
||||
method: POST
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: 'text/plain; charset="UTF-8"'
|
||||
Content-Length: 0
|
||||
output:
|
||||
no_log_contains: "id \"920470\""
|
||||
- test_title: 920470-7
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
port: 80
|
||||
method: POST
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: 'multipart/form-data; boundary=----WebKitFormBoundary12345'
|
||||
Content-Length: 0
|
||||
output:
|
||||
no_log_contains: "id \"920470\""
|
||||
- test_title: 920470-8
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
port: 80
|
||||
method: POST
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: 'application/json'
|
||||
Content-Length: 0
|
||||
output:
|
||||
no_log_contains: "id \"920470\""
|
||||
- test_title: 920470-9
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
port: 80
|
||||
method: POST
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: 'multipart/form-data; boundary=----formdata-polyfill-0.40616634299_704013'
|
||||
Content-Length: 0
|
||||
output:
|
||||
no_log_contains: "id \"920470\""
|
||||
- test_title: 920470-10
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
port: 80
|
||||
method: POST
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: 'multipart/mixed; boundary=-----boundary_data:55780(123,45:667)+part'
|
||||
Content-Length: 0
|
||||
output:
|
||||
no_log_contains: "id \"920470\""
|
||||
- test_title: 920470-11
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
port: 80
|
||||
method: POST
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: 'multipart/mixed; boundary= gc0p4Jq0M2Yt,08/jU534c0p?==:test'
|
||||
Content-Length: 0
|
||||
output:
|
||||
no_log_contains: "id \"920470\""
|
||||
- test_title: 920470-12
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
port: 80
|
||||
method: POST
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: 'multipart/form-data; boundary= test_data_123456'
|
||||
Content-Length: 0
|
||||
output:
|
||||
log_contains: "id \"920470\""
|
||||
- test_title: 920470-13
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
port: 80
|
||||
method: POST
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: 'multipart/related; type="application/xop+xml"; boundary="uuid:a111aaa1-aa11-1a11-a11a-11a1111aa11a"; start="<root.message@cxf.apache.org>"; start-info="application/soap+xml'
|
||||
Content-Length: 0
|
||||
output:
|
||||
no_log_contains: "id \"920470\""
|
||||
- test_title: 920470-14
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
port: 80
|
||||
method: POST
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: 'application/soap+xml; action="urn:hl7-org:v3:PRPA_IN201305UV02"; charset=UTF-8'
|
||||
Content-Length: 0
|
||||
output:
|
||||
no_log_contains: "id \"920470\""
|
||||
meta:
|
||||
author: "lifeforms, Franziska Bühler"
|
||||
enabled: true
|
||||
name: "920470.yaml"
|
||||
description: "Content-Type header format checks"
|
||||
tests:
|
||||
- test_title: 920470-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "%{(#nike='multipart/form-data').(#dm=@ognl"
|
||||
Content-Length: 0
|
||||
output:
|
||||
log_contains: "id \"920470\""
|
||||
- test_title: 920470-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: 'text/plain; charset="UTF-8"; garbage'
|
||||
Content-Length: 0
|
||||
output:
|
||||
log_contains: "id \"920470\""
|
||||
- test_title: 920470-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: 'text/plain; charset=/gar/bage'
|
||||
Content-Length: 0
|
||||
output:
|
||||
no_log_contains: "id \"920470\""
|
||||
- test_title: 920470-4
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
port: 80
|
||||
method: POST
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "text/plain"
|
||||
Content-Length: 0
|
||||
output:
|
||||
no_log_contains: "id \"920470\""
|
||||
- test_title: 920470-5
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
port: 80
|
||||
method: POST
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: 'text/plain; charset=UTF-8'
|
||||
output:
|
||||
no_log_contains: "id \"920470\""
|
||||
- test_title: 920470-6
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
port: 80
|
||||
method: POST
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: 'text/plain; charset="UTF-8"'
|
||||
Content-Length: 0
|
||||
output:
|
||||
no_log_contains: "id \"920470\""
|
||||
- test_title: 920470-7
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
port: 80
|
||||
method: POST
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: 'multipart/form-data; boundary=----WebKitFormBoundary12345'
|
||||
Content-Length: 0
|
||||
output:
|
||||
no_log_contains: "id \"920470\""
|
||||
- test_title: 920470-8
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
port: 80
|
||||
method: POST
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: 'application/json'
|
||||
Content-Length: 0
|
||||
output:
|
||||
no_log_contains: "id \"920470\""
|
||||
- test_title: 920470-9
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
port: 80
|
||||
method: POST
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: 'multipart/form-data; boundary=----formdata-polyfill-0.40616634299_704013'
|
||||
Content-Length: 0
|
||||
output:
|
||||
no_log_contains: "id \"920470\""
|
||||
- test_title: 920470-10
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
port: 80
|
||||
method: POST
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: 'multipart/mixed; boundary=-----boundary_data:55780(123,45:667)+part'
|
||||
Content-Length: 0
|
||||
output:
|
||||
no_log_contains: "id \"920470\""
|
||||
- test_title: 920470-11
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
port: 80
|
||||
method: POST
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: 'multipart/mixed; boundary= gc0p4Jq0M2Yt,08/jU534c0p?==:test'
|
||||
Content-Length: 0
|
||||
output:
|
||||
no_log_contains: "id \"920470\""
|
||||
- test_title: 920470-12
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
port: 80
|
||||
method: POST
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: 'multipart/form-data; boundary= test_data_123456'
|
||||
Content-Length: 0
|
||||
output:
|
||||
log_contains: "id \"920470\""
|
||||
- test_title: 920470-13
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
port: 80
|
||||
method: POST
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: 'multipart/related; type="application/xop+xml"; boundary="uuid:a111aaa1-aa11-1a11-a11a-11a1111aa11a"; start="<root.message@cxf.apache.org>"; start-info="application/soap+xml'
|
||||
Content-Length: 0
|
||||
output:
|
||||
no_log_contains: "id \"920470\""
|
||||
- test_title: 920470-14
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
port: 80
|
||||
method: POST
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: 'application/soap+xml; action="urn:hl7-org:v3:PRPA_IN201305UV02"; charset=UTF-8'
|
||||
Content-Length: 0
|
||||
output:
|
||||
no_log_contains: "id \"920470\""
|
||||
|
|
|
@ -1,240 +1,240 @@
|
|||
---
|
||||
meta:
|
||||
author: "lifeforms"
|
||||
enabled: true
|
||||
name: "920480.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
- test_title: 920480-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded; charset=utf-8"
|
||||
data: "test=value"
|
||||
output:
|
||||
no_log_contains: "id \"920480\""
|
||||
- test_title: 920480-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded;charset=UTF-8"
|
||||
data: "test=value"
|
||||
output:
|
||||
no_log_contains: "id \"920480\""
|
||||
- test_title: 920480-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded;charset=iso-8859-1"
|
||||
data: "test=value"
|
||||
output:
|
||||
no_log_contains: "id \"920480\""
|
||||
- test_title: 920480-4
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded;charset=ISO-8859-15"
|
||||
data: "test=value"
|
||||
output:
|
||||
no_log_contains: "id \"920480\""
|
||||
- test_title: 920480-5
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded; charset=windows-1252"
|
||||
data: "test=value"
|
||||
output:
|
||||
no_log_contains: "id \"920480\""
|
||||
# TODO: this case is not yet handled by 3.1, future work
|
||||
# - test_title: 920480-6
|
||||
# stages:
|
||||
# - stage:
|
||||
# input:
|
||||
# dest_addr: "127.0.0.1"
|
||||
# port: 80
|
||||
# method: "POST"
|
||||
# headers:
|
||||
# User-Agent: "ModSecurity CRS 3 Tests"
|
||||
# Host: "localhost"
|
||||
# Content-Type: "application/x-www-form-urlencoded; charset=UTF-80" #trailing garbage after 'UTF-8'
|
||||
# data: "test=value"
|
||||
# output:
|
||||
# log_contains: "id \"920480\""
|
||||
- test_title: 920480-7
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded; charset=garbage"
|
||||
data: "test=value"
|
||||
output:
|
||||
log_contains: "id \"920480\""
|
||||
- test_title: 920480-8
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded;charset=garbage"
|
||||
data: "test=value"
|
||||
output:
|
||||
log_contains: "id \"920480\""
|
||||
# TODO: this test should pass (works with curl), to be researched
|
||||
# - test_title: 920480-9
|
||||
# stages:
|
||||
# - stage:
|
||||
# input:
|
||||
# dest_addr: "127.0.0.1"
|
||||
# port: 80
|
||||
# method: "POST"
|
||||
# headers:
|
||||
# User-Agent: "ModSecurity CRS 3 Tests"
|
||||
# Host: "localhost"
|
||||
# Content-Type: "application/x-www-form-urlencoded; charset=ibm037" # https://www.slideshare.net/SoroushDalili/waf-bypass-techniques-using-http-standard-and-web-servers-behaviour slide 32
|
||||
# data: "test=value"
|
||||
# output:
|
||||
# log_contains: "id \"920480\""
|
||||
# TODO: this test should pass (works with curl), to be researched
|
||||
# - test_title: 920480-10
|
||||
# stages:
|
||||
# - stage:
|
||||
# input:
|
||||
# dest_addr: "127.0.0.1"
|
||||
# port: 80
|
||||
# method: "POST"
|
||||
# headers:
|
||||
# User-Agent: "ModSecurity CRS 3 Tests"
|
||||
# Host: "localhost"
|
||||
# Content-Type: "application/x-www-form-urlencoded;charset=ibm037" # https://www.slideshare.net/SoroushDalili/waf-bypass-techniques-using-http-standard-and-web-servers-behaviour slide 32
|
||||
# data: "test=value"
|
||||
# output:
|
||||
# log_contains: "id \"920480\""
|
||||
- test_title: 920480-11
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
# random other IBM charset
|
||||
Content-Type: "application/x-www-form-urlencoded;charset=ibm038"
|
||||
data: "test=value"
|
||||
output:
|
||||
log_contains: "id \"920480\""
|
||||
# TODO: this case is not yet checked by CRS, future work
|
||||
# - test_title: 920480-12
|
||||
# stages:
|
||||
# - stage:
|
||||
# input:
|
||||
# dest_addr: "127.0.0.1"
|
||||
# port: 80
|
||||
# method: "POST"
|
||||
# headers:
|
||||
# User-Agent: "ModSecurity CRS 3 Tests"
|
||||
# Host: "localhost"
|
||||
# Content-Type: "application/x-www-form-urlencoded;charset=utf-8;charset=ibm037" #double charset may cause evasion
|
||||
# data: "test=value"
|
||||
# output:
|
||||
# log_contains: "id \"920480\""
|
||||
# TODO: this case is not yet checked by CRS, future work
|
||||
# - test_title: 920480-13
|
||||
# stages:
|
||||
# - stage:
|
||||
# input:
|
||||
# dest_addr: "127.0.0.1"
|
||||
# port: 80
|
||||
# method: "POST"
|
||||
# headers:
|
||||
# User-Agent: "ModSecurity CRS 3 Tests"
|
||||
# Host: "localhost"
|
||||
# Content-Type: "application/x-www-form-urlencoded;charset=ibm037;charset=UTF-8" #double charset may cause evasion
|
||||
# data: "test=value"
|
||||
# output:
|
||||
# log_contains: "id \"920480\""
|
||||
- test_title: 920480-14
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
# random other IBM charset
|
||||
Content-Type: "application/x-www-form-urlencoded; charset=\"utf-8\""
|
||||
data: "test=value"
|
||||
output:
|
||||
no_log_contains: "id \"920480\""
|
||||
- test_title: 920480-15
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
# random other IBM charset
|
||||
Content-Type: "application/x-www-form-urlencoded; charset='utf-8'"
|
||||
data: "test=value"
|
||||
output:
|
||||
no_log_contains: "id \"920480\""
|
||||
- test_title: 920480-16
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
# random other IBM charset
|
||||
Content-Type: "application/x-www-form-urlencoded; charset=\"garbage\""
|
||||
data: "test=value"
|
||||
output:
|
||||
log_contains: "id \"920480\""
|
||||
meta:
|
||||
author: "lifeforms"
|
||||
enabled: true
|
||||
name: "920480.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
- test_title: 920480-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded; charset=utf-8"
|
||||
data: "test=value"
|
||||
output:
|
||||
no_log_contains: "id \"920480\""
|
||||
- test_title: 920480-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded;charset=UTF-8"
|
||||
data: "test=value"
|
||||
output:
|
||||
no_log_contains: "id \"920480\""
|
||||
- test_title: 920480-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded;charset=iso-8859-1"
|
||||
data: "test=value"
|
||||
output:
|
||||
no_log_contains: "id \"920480\""
|
||||
- test_title: 920480-4
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded;charset=ISO-8859-15"
|
||||
data: "test=value"
|
||||
output:
|
||||
no_log_contains: "id \"920480\""
|
||||
- test_title: 920480-5
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded; charset=windows-1252"
|
||||
data: "test=value"
|
||||
output:
|
||||
no_log_contains: "id \"920480\""
|
||||
# TODO: this case is not yet handled by 3.1, future work
|
||||
# - test_title: 920480-6
|
||||
# stages:
|
||||
# - stage:
|
||||
# input:
|
||||
# dest_addr: "127.0.0.1"
|
||||
# port: 80
|
||||
# method: "POST"
|
||||
# headers:
|
||||
# User-Agent: "ModSecurity CRS 3 Tests"
|
||||
# Host: "localhost"
|
||||
# Content-Type: "application/x-www-form-urlencoded; charset=UTF-80" #trailing garbage after 'UTF-8'
|
||||
# data: "test=value"
|
||||
# output:
|
||||
# log_contains: "id \"920480\""
|
||||
- test_title: 920480-7
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded; charset=garbage"
|
||||
data: "test=value"
|
||||
output:
|
||||
log_contains: "id \"920480\""
|
||||
- test_title: 920480-8
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded;charset=garbage"
|
||||
data: "test=value"
|
||||
output:
|
||||
log_contains: "id \"920480\""
|
||||
# TODO: this test should pass (works with curl), to be researched
|
||||
# - test_title: 920480-9
|
||||
# stages:
|
||||
# - stage:
|
||||
# input:
|
||||
# dest_addr: "127.0.0.1"
|
||||
# port: 80
|
||||
# method: "POST"
|
||||
# headers:
|
||||
# User-Agent: "ModSecurity CRS 3 Tests"
|
||||
# Host: "localhost"
|
||||
# Content-Type: "application/x-www-form-urlencoded; charset=ibm037" # https://www.slideshare.net/SoroushDalili/waf-bypass-techniques-using-http-standard-and-web-servers-behaviour slide 32
|
||||
# data: "test=value"
|
||||
# output:
|
||||
# log_contains: "id \"920480\""
|
||||
# TODO: this test should pass (works with curl), to be researched
|
||||
# - test_title: 920480-10
|
||||
# stages:
|
||||
# - stage:
|
||||
# input:
|
||||
# dest_addr: "127.0.0.1"
|
||||
# port: 80
|
||||
# method: "POST"
|
||||
# headers:
|
||||
# User-Agent: "ModSecurity CRS 3 Tests"
|
||||
# Host: "localhost"
|
||||
# Content-Type: "application/x-www-form-urlencoded;charset=ibm037" # https://www.slideshare.net/SoroushDalili/waf-bypass-techniques-using-http-standard-and-web-servers-behaviour slide 32
|
||||
# data: "test=value"
|
||||
# output:
|
||||
# log_contains: "id \"920480\""
|
||||
- test_title: 920480-11
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
# random other IBM charset
|
||||
Content-Type: "application/x-www-form-urlencoded;charset=ibm038"
|
||||
data: "test=value"
|
||||
output:
|
||||
log_contains: "id \"920480\""
|
||||
# TODO: this case is not yet checked by CRS, future work
|
||||
# - test_title: 920480-12
|
||||
# stages:
|
||||
# - stage:
|
||||
# input:
|
||||
# dest_addr: "127.0.0.1"
|
||||
# port: 80
|
||||
# method: "POST"
|
||||
# headers:
|
||||
# User-Agent: "ModSecurity CRS 3 Tests"
|
||||
# Host: "localhost"
|
||||
# Content-Type: "application/x-www-form-urlencoded;charset=utf-8;charset=ibm037" #double charset may cause evasion
|
||||
# data: "test=value"
|
||||
# output:
|
||||
# log_contains: "id \"920480\""
|
||||
# TODO: this case is not yet checked by CRS, future work
|
||||
# - test_title: 920480-13
|
||||
# stages:
|
||||
# - stage:
|
||||
# input:
|
||||
# dest_addr: "127.0.0.1"
|
||||
# port: 80
|
||||
# method: "POST"
|
||||
# headers:
|
||||
# User-Agent: "ModSecurity CRS 3 Tests"
|
||||
# Host: "localhost"
|
||||
# Content-Type: "application/x-www-form-urlencoded;charset=ibm037;charset=UTF-8" #double charset may cause evasion
|
||||
# data: "test=value"
|
||||
# output:
|
||||
# log_contains: "id \"920480\""
|
||||
- test_title: 920480-14
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
# random other IBM charset
|
||||
Content-Type: "application/x-www-form-urlencoded; charset=\"utf-8\""
|
||||
data: "test=value"
|
||||
output:
|
||||
no_log_contains: "id \"920480\""
|
||||
- test_title: 920480-15
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
# random other IBM charset
|
||||
Content-Type: "application/x-www-form-urlencoded; charset='utf-8'"
|
||||
data: "test=value"
|
||||
output:
|
||||
no_log_contains: "id \"920480\""
|
||||
- test_title: 920480-16
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
# random other IBM charset
|
||||
Content-Type: "application/x-www-form-urlencoded; charset=\"garbage\""
|
||||
data: "test=value"
|
||||
output:
|
||||
log_contains: "id \"920480\""
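Review bot: The comment `# random other IBM charset` above `Content-Type` in 920480-14, 920480-15 and 920480-16 looks copied from 920480-11 and does not describe those cases, whose values are a double-quoted `utf-8`, a single-quoted `utf-8` and a double-quoted `garbage`. I would replace it per case, e.g. `# charset value wrapped in double quotes` for 920480-14, `# charset value wrapped in single quotes` for 920480-15 and `# quoted charset the rule is expected to flag` for 920480-16. Separately, 920480-6, -9, -10, -12 and -13 remain commented out behind TODOs, so this file asserts nothing for a charset with trailing characters, for `ibm037`, or for a repeated `charset` parameter; a tracking reference next to each TODO (placeholder: `<issue-url>`) would keep that open coverage visible. If this file is taken verbatim from the upstream rule set, which the commit title suggests but this section does not show, these points are better raised upstream than patched locally.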
|
||||
|
|
|
@ -1,51 +1,51 @@
|
|||
---
|
||||
meta:
|
||||
author: "Christian Folini"
|
||||
enabled: true
|
||||
name: "920490.yaml"
|
||||
description: "Tests for the charset protection in combination with the x-up-devcap-post-charset header"
|
||||
tests:
|
||||
- test_title: 920490-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "UP ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded; charset=utf-8"
|
||||
x-up-devcap-post-charset: "ibm500"
|
||||
data: "%89%95%97%A4%A3%F1=%A7%A7%A7%A7%A7%A7%A7"
|
||||
output:
|
||||
log_contains: "id \"920490\""
|
||||
- test_title: 920490-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded; charset=utf-8"
|
||||
x-up-devcap-post-charset: "ibm500"
|
||||
data: "%89%95%97%A4%A3%F1=%A7%A7%A7%A7%A7%A7%A7"
|
||||
output:
|
||||
no_log_contains: "id \"920490\""
|
||||
- test_title: 920490-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "UP ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded; charset=utf-8"
|
||||
data: "%89%95%97%A4%A3%F1=%A7%A7%A7%A7%A7%A7%A7"
|
||||
output:
|
||||
no_log_contains: "id \"920490\""
|
||||
meta:
|
||||
author: "Christian Folini"
|
||||
enabled: true
|
||||
name: "920490.yaml"
|
||||
description: "Tests for the charset protection in combination with the x-up-devcap-post-charset header"
|
||||
tests:
|
||||
- test_title: 920490-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "UP ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded; charset=utf-8"
|
||||
x-up-devcap-post-charset: "ibm500"
|
||||
data: "%89%95%97%A4%A3%F1=%A7%A7%A7%A7%A7%A7%A7"
|
||||
output:
|
||||
log_contains: "id \"920490\""
|
||||
- test_title: 920490-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded; charset=utf-8"
|
||||
x-up-devcap-post-charset: "ibm500"
|
||||
data: "%89%95%97%A4%A3%F1=%A7%A7%A7%A7%A7%A7%A7"
|
||||
output:
|
||||
no_log_contains: "id \"920490\""
|
||||
- test_title: 920490-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "UP ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded; charset=utf-8"
|
||||
data: "%89%95%97%A4%A3%F1=%A7%A7%A7%A7%A7%A7%A7"
|
||||
output:
|
||||
no_log_contains: "id \"920490\""
|
||||
|
|
|
@ -1,49 +1,49 @@
|
|||
---
|
||||
meta:
|
||||
author: "Andrea Menin"
|
||||
enabled: true
|
||||
name: "920500.yaml"
|
||||
description: "Tests for backup or working file extensions"
|
||||
tests:
|
||||
- test_title: 920500-1
|
||||
desc: "Check request filename ends with ~"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "GET"
|
||||
uri: "/index.php~"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920500\""
|
||||
- test_title: 920500-2
|
||||
desc: "Check request filename contains file that ends with ~ but not at end of string (bypass)"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "GET"
|
||||
uri: "/index.php~/foo/bar/"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920500\""
|
||||
- test_title: 920500-3
|
||||
desc: "Rules 920500 should not block user dir such as /~user/"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "GET"
|
||||
uri: "/~user/"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920500\""
|
||||
meta:
|
||||
author: "Andrea Menin"
|
||||
enabled: true
|
||||
name: "920500.yaml"
|
||||
description: "Tests for backup or working file extensions"
|
||||
tests:
|
||||
- test_title: 920500-1
|
||||
desc: "Check request filename ends with ~"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "GET"
|
||||
uri: "/index.php~"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920500\""
|
||||
- test_title: 920500-2
|
||||
desc: "Check request filename contains file that ends with ~ but not at end of string (bypass)"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "GET"
|
||||
uri: "/index.php~/foo/bar/"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
log_contains: "id \"920500\""
|
||||
- test_title: 920500-3
|
||||
desc: "Rules 920500 should not block user dir such as /~user/"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "GET"
|
||||
uri: "/~user/"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
output:
|
||||
no_log_contains: "id \"920500\""
|
||||
|
|
|
@ -1,97 +1,97 @@
|
|||
---
|
||||
meta:
|
||||
author: "Andrea Menin"
|
||||
enabled: true
|
||||
name: "920510.yaml"
|
||||
description: "Cache-Control directives whitelist"
|
||||
tests:
|
||||
- test_title: 920510-1
|
||||
desc: "block request with a response cache-control directive in request"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "GET"
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Cache-Control: "private"
|
||||
output:
|
||||
log_contains: "id \"920510\""
|
||||
- test_title: 920510-2
|
||||
desc: "block request with an invalid cache-control directive in request"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "GET"
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Cache-Control: "foo=bar"
|
||||
output:
|
||||
log_contains: "id \"920510\""
|
||||
- test_title: 920510-3
|
||||
desc: "block request with an invalid cache-control directive in request with multiple directives"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "GET"
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Cache-Control: "max-age=1, foo=bar"
|
||||
output:
|
||||
log_contains: "id \"920510\""
|
||||
- test_title: 920510-4
|
||||
desc: "block request with an invalid cache-control syntax in request with multiple directives"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "GET"
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Cache-Control: "max-age=1,,,max-stale=2"
|
||||
output:
|
||||
log_contains: "id \"920510\""
|
||||
- test_title: 920510-5
|
||||
desc: "allow request with valid cache-control single directive"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "GET"
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Cache-Control: "no-cache"
|
||||
output:
|
||||
no_log_contains: "id \"920510\""
|
||||
- test_title: 920510-6
|
||||
desc: "allow request with valid cache-control multiple directive"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "GET"
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Cache-Control: "max-age=123, max-stale, no-cache"
|
||||
output:
|
||||
no_log_contains: "id \"920510\""
|
||||
meta:
|
||||
author: "Andrea Menin"
|
||||
enabled: true
|
||||
name: "920510.yaml"
|
||||
description: "Cache-Control directives whitelist"
|
||||
tests:
|
||||
- test_title: 920510-1
|
||||
desc: "block request with a response cache-control directive in request"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "GET"
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Cache-Control: "private"
|
||||
output:
|
||||
log_contains: "id \"920510\""
|
||||
- test_title: 920510-2
|
||||
desc: "block request with an invalid cache-control directive in request"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "GET"
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Cache-Control: "foo=bar"
|
||||
output:
|
||||
log_contains: "id \"920510\""
|
||||
- test_title: 920510-3
|
||||
desc: "block request with an invalid cache-control directive in request with multiple directives"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "GET"
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Cache-Control: "max-age=1, foo=bar"
|
||||
output:
|
||||
log_contains: "id \"920510\""
|
||||
- test_title: 920510-4
|
||||
desc: "block request with an invalid cache-control syntax in request with multiple directives"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "GET"
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Cache-Control: "max-age=1,,,max-stale=2"
|
||||
output:
|
||||
log_contains: "id \"920510\""
|
||||
- test_title: 920510-5
|
||||
desc: "allow request with valid cache-control single directive"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "GET"
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Cache-Control: "no-cache"
|
||||
output:
|
||||
no_log_contains: "id \"920510\""
|
||||
- test_title: 920510-6
|
||||
desc: "allow request with valid cache-control multiple directive"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "GET"
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Cache-Control: "max-age=123, max-stale, no-cache"
|
||||
output:
|
||||
no_log_contains: "id \"920510\""
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
---
|
||||
meta:
|
||||
author: "Andrea (theMiddle) Menin"
|
||||
enabled: false
|
||||
name: "920620.yaml"
|
||||
description: "Tests for 920620"
|
||||
tests:
|
||||
- test_title: 920620-1
|
||||
desc: Multiple Content-Type request headers
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
encoded_request: "R0VUIC9nZXQgSFRUUC8xLjENCkhvc3Q6IGxvY2FsaG9zdA0KVXNlci1BZ2VudDogT1dBU1AgQ1JTIHRlc3QgYWdlbnQNCkFjY2VwdDogdGV4dC94bWwsYXBwbGljYXRpb24veG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCx0ZXh0L2h0bWw7cT0wLjksdGV4dC9wbGFpbjtxPTAuOCxpbWFnZS9wbmcsKi8qO3E9MC41DQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24NCkNvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veG1sDQoNCg=="
|
||||
output:
|
||||
log_contains: "id \"920620\""
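Review bot: `enabled: false` in the `meta` block means this new file's only case, 920620-1, is presumably skipped by the test runner, so rule 920620 (multiple Content-Type request headers) arrives without regression coverage. If the test is disabled because one of the target engines cannot pass it, record that next to the flag, e.g. `# disabled: <reason / engine>`; otherwise set `enabled: true`. The `encoded_request` value is opaque on review, and a comment above it such as `# base64 of a raw GET /get request with two Content-Type headers (application/json, then application/xml)` would let a reader check the payload against `desc` without decoding it. The file appears to come from the upstream coreruleset tree, so the change may be better made there.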
|
|
@ -1,146 +1,130 @@
|
|||
---
|
||||
meta:
|
||||
author: "Christian S.J. Peron, Franziska Bühler"
|
||||
description: None
|
||||
enabled: true
|
||||
name: 921110.yaml
|
||||
tests:
|
||||
-
|
||||
test_title: 921110-1
|
||||
meta:
|
||||
author: "Christian S.J. Peron, Franziska Bühler"
|
||||
description: None
|
||||
enabled: true
|
||||
name: 921110.yaml
|
||||
tests:
|
||||
- test_title: 921110-1
|
||||
desc: "HTTP Response Splitting"
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: "localhost"
|
||||
Cache-Control: "no-cache, no-store, must-revalidate"
|
||||
method: POST
|
||||
port: 80
|
||||
data: "var=%0aPOST / HTTP/1.0"
|
||||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "921110"
|
||||
-
|
||||
test_title: 921110-2
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: "localhost"
|
||||
Cache-Control: "no-cache, no-store, must-revalidate"
|
||||
method: POST
|
||||
port: 80
|
||||
data: "var=%0aPOST / HTTP/1.0"
|
||||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "921110"
|
||||
- test_title: 921110-2
|
||||
desc: "HTTP Response Splitting"
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: "localhost"
|
||||
Cache-Control: "no-cache, no-store, must-revalidate"
|
||||
method: POST
|
||||
port: 80
|
||||
data: "var=aaa%0aGET+/+HTTP/1.1"
|
||||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "921110"
|
||||
-
|
||||
test_title: 921110-3
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: "localhost"
|
||||
Cache-Control: "no-cache, no-store, must-revalidate"
|
||||
method: POST
|
||||
port: 80
|
||||
data: "var=aaa%0aGET+/+HTTP/1.1"
|
||||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "921110"
|
||||
- test_title: 921110-3
|
||||
desc: "HTTP Response Splitting"
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: "localhost"
|
||||
Cache-Control: "no-cache, no-store, must-revalidate"
|
||||
method: POST
|
||||
port: 80
|
||||
data: "var=aaa%0dHEAD+http://example.com/+HTTP/1.1"
|
||||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "921110"
|
||||
-
|
||||
test_title: 921110-4
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: "localhost"
|
||||
Cache-Control: "no-cache, no-store, must-revalidate"
|
||||
method: POST
|
||||
port: 80
|
||||
data: "var=aaa%0dHEAD+http://example.com/+HTTP/1.1"
|
||||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "921110"
|
||||
- test_title: 921110-4
|
||||
desc: "HTTP Response Splitting"
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: "localhost"
|
||||
Cache-Control: "no-cache, no-store, must-revalidate"
|
||||
method: POST
|
||||
port: 80
|
||||
data: "var=aaa%0d%0aGet+/foo%0d"
|
||||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "921110"
|
||||
-
|
||||
test_title: 921110-5
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: "localhost"
|
||||
Cache-Control: "no-cache, no-store, must-revalidate"
|
||||
method: POST
|
||||
port: 80
|
||||
data: "var=aaa%0d%0aGet+/foo%0d"
|
||||
version: HTTP/1.0
|
||||
output:
|
||||
log_contains: id "921110"
|
||||
- test_title: 921110-5
|
||||
desc: "HTTP Response Splitting"
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: "localhost"
|
||||
Cache-Control: "no-cache, no-store, must-revalidate"
|
||||
method: POST
|
||||
port: 80
|
||||
data: "var=aaa%0d%0aGet+foo+bar"
|
||||
version: HTTP/1.0
|
||||
output:
|
||||
no_log_contains: id "921110"
|
||||
-
|
||||
test_title: 921110-6
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: "localhost"
|
||||
Cache-Control: "no-cache, no-store, must-revalidate"
|
||||
method: POST
|
||||
port: 80
|
||||
data: "var=aaa%0d%0aGet+foo+bar"
|
||||
version: HTTP/1.0
|
||||
output:
|
||||
no_log_contains: id "921110"
|
||||
- test_title: 921110-6
|
||||
desc: HTTP Request Smuggling bypass with Content-Type text/plain
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
Accept: "*/*"
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
|
||||
Content-Type: text/plain
|
||||
Content-Length: 36
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /
|
||||
data: "barGET /a.html HTTP/1.1\r\nSomething: GET /b.html HTTP/1.1\r\nHost: foo.com\r\nUser-Agent: foo\r\nAccept: */*\r\n\r\n"
|
||||
output:
|
||||
log_contains: id "921110"
|
||||
-
|
||||
test_title: 921110-7
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
Accept: "*/*"
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
|
||||
Content-Type: text/plain
|
||||
Content-Length: 36
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /
|
||||
data: "barGET /a.html HTTP/1.1\r\nSomething: GET /b.html HTTP/1.1\r\nHost: foo.com\r\nUser-Agent: foo\r\nAccept: */*\r\n\r\n"
|
||||
output:
|
||||
log_contains: id "921110"
|
||||
- test_title: 921110-7
|
||||
desc: HTTP Request Smuggling with not supported HTTP versions such as HTTP/1.2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
Accept: "*/*"
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /?arg1=GET%20http%3A%2F%2Fwww.foo.bar%20HTTP%2F1.2
|
||||
output:
|
||||
log_contains: id "921110"
|
||||
-
|
||||
test_title: 921110-8
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
Accept: "*/*"
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /?arg1=GET%20http%3A%2F%2Fwww.foo.bar%20HTTP%2F1.2
|
||||
output:
|
||||
log_contains: id "921110"
|
||||
- test_title: 921110-8
|
||||
desc: HTTP Request Smuggling with not supported HTTP versions such as HTTP/3
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
Accept: "*/*"
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /?arg1=GET%20http%3A%2F%2Fwww.foo.bar%20HTTP%2F3.2
|
||||
output:
|
||||
log_contains: id "921110"
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
Accept: "*/*"
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /?arg1=GET%20http%3A%2F%2Fwww.foo.bar%20HTTP%2F3.2
|
||||
output:
|
||||
log_contains: id "921110"
|
||||
|
|
|
@ -1,70 +1,62 @@
|
|||
---
|
||||
meta:
|
||||
author: csanders-git, Franziska Bühler
|
||||
description: None
|
||||
enabled: true
|
||||
name: 921120.yaml
|
||||
tests:
|
||||
-
|
||||
test_title: 921120-1
|
||||
meta:
|
||||
author: csanders-git, Franziska Bühler
|
||||
description: None
|
||||
enabled: true
|
||||
name: 921120.yaml
|
||||
tests:
|
||||
- test_title: 921120-1
|
||||
desc: HTTP response splitting (921120) from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
|
||||
application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash,
|
||||
*/*
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: zh-sg
|
||||
Host: localhost
|
||||
Keep-Alive: '300'
|
||||
Proxy-Connection: keep-alive
|
||||
Referer: http
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html>
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
log_contains: id "921120"
|
||||
-
|
||||
test_title: 921120-2
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: zh-sg
|
||||
Host: localhost
|
||||
Keep-Alive: '300'
|
||||
Proxy-Connection: keep-alive
|
||||
Referer: http
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html>
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
log_contains: id "921120"
|
||||
- test_title: 921120-2
|
||||
desc: "HTTP Response splitting attack"
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
Proxy-Connection: keep-alive
|
||||
Referer: http
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
|
||||
method: GET
|
||||
port: 80
|
||||
uri: "/file.jsp?somevar=foobar%0d%0aContent-Length:%2002343432423<html>ftw</html>"
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
log_contains: id "921120"
|
||||
-
|
||||
test_title: 921120-3
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
Proxy-Connection: keep-alive
|
||||
Referer: http
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
|
||||
method: GET
|
||||
port: 80
|
||||
uri: "/file.jsp?somevar=foobar%0d%0aContent-Length:%2002343432423<html>ftw</html>"
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
log_contains: id "921120"
|
||||
- test_title: 921120-3
|
||||
desc: "Fix FP issue 1615. Header followed by word chars."
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
Proxy-Connection: keep-alive
|
||||
Referer: http
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
|
||||
method: GET
|
||||
port: 80
|
||||
uri: "/file.jsp?somevar=%0A%0Dlocation:%0A%0D"
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
no_log_contains: id "921120"
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
Proxy-Connection: keep-alive
|
||||
Referer: http
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
|
||||
method: GET
|
||||
port: 80
|
||||
uri: "/file.jsp?somevar=%0A%0Dlocation:%0A%0D"
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
no_log_contains: id "921120"
|
||||
|
|
|
@ -1,83 +1,73 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git, Franziska Bühler"
|
||||
description: None
|
||||
enabled: true
|
||||
name: 921130.yaml
|
||||
tests:
|
||||
-
|
||||
test_title: 921130-1
|
||||
meta:
|
||||
author: "csanders-git, Franziska Bühler"
|
||||
description: None
|
||||
enabled: true
|
||||
name: 921130.yaml
|
||||
tests:
|
||||
- test_title: 921130-1
|
||||
desc: HTTP response splitting (921130) from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
|
||||
application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash,
|
||||
*/*
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: zh-sg
|
||||
Host: localhost
|
||||
Keep-Alive: '300'
|
||||
Proxy-Connection: keep-alive
|
||||
Referer: http
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /?lang=foobar%3Cmeta%20http-equiv%3D%22Refresh%22%20content%3D%220%3B%20url%3Dhttp%3A%2F%2Fwww.hacker.com%2F%22%3E
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
log_contains: id "921130"
|
||||
-
|
||||
test_title: 921130-2
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: zh-sg
|
||||
Host: localhost
|
||||
Keep-Alive: '300'
|
||||
Proxy-Connection: keep-alive
|
||||
Referer: http
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /?lang=foobar%3Cmeta%20http-equiv%3D%22Refresh%22%20content%3D%220%3B%20url%3Dhttp%3A%2F%2Fwww.hacker.com%2F%22%3E
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
log_contains: id "921130"
|
||||
- test_title: 921130-2
|
||||
desc: "HTTP Response splitting attack: cookie data"
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: "localhost"
|
||||
Cookie: "oreo=munchmuch%0d%0a%0d%0a<HTML><title></title></HTML>"
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
|
||||
method: GET
|
||||
port: 80
|
||||
uri: "/"
|
||||
output:
|
||||
log_contains: id "921130"
|
||||
-
|
||||
test_title: 921130-3
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: "localhost"
|
||||
Cookie: "oreo=munchmuch%0d%0a%0d%0a<HTML><title></title></HTML>"
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
|
||||
method: GET
|
||||
port: 80
|
||||
uri: "/"
|
||||
output:
|
||||
log_contains: id "921130"
|
||||
- test_title: 921130-3
|
||||
desc: HTTP Request Smuggling with not supported HTTP versions such as HTTP/1.2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
Accept: "*/*"
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /?arg1=GET%20http%3A%2F%2Fwww.foo.bar%20HTTP%2F1.2
|
||||
output:
|
||||
log_contains: id "921130"
|
||||
-
|
||||
test_title: 921130-4
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
Accept: "*/*"
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /?arg1=GET%20http%3A%2F%2Fwww.foo.bar%20HTTP%2F1.2
|
||||
output:
|
||||
log_contains: id "921130"
|
||||
- test_title: 921130-4
|
||||
desc: HTTP Request Smuggling with not supported HTTP versions such as HTTP/3
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
Accept: "*/*"
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /?arg1=GET%20http%3A%2F%2Fwww.foo.bar%20HTTP%2F3.2
|
||||
output:
|
||||
log_contains: id "921130"
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
Accept: "*/*"
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /?arg1=GET%20http%3A%2F%2Fwww.foo.bar%20HTTP%2F3.2
|
||||
output:
|
||||
log_contains: id "921130"
|
||||
|
|
|
@ -1,40 +1,36 @@
|
|||
---
|
||||
meta:
|
||||
author: "Christian S.J. Peron"
|
||||
enabled: true
|
||||
name: "921140.yaml"
|
||||
description: "Tests for protocol based attacks"
|
||||
tests:
|
||||
-
|
||||
test_title: 921140-1
|
||||
desc: "HTTP Header Injection Attack via headers"
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
Host: "localhost"
|
||||
SomeHeader: "Headerdata\rInjectedHeader: response_splitting_code"
|
||||
uri: "/"
|
||||
output:
|
||||
status: 400
|
||||
no_log_contains: "id:921140"
|
||||
-
|
||||
test_title: 921140-2
|
||||
desc: "HTTP Header Injection Attack via headers"
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
Host: "localhost"
|
||||
SomeHeader: "Headerdata%0dInjectedHeader: response_splitting_code"
|
||||
uri: "/"
|
||||
output:
|
||||
no_log_contains: "id:921140"
|
||||
meta:
|
||||
author: "Christian S.J. Peron"
|
||||
enabled: true
|
||||
name: "921140.yaml"
|
||||
description: "Tests for protocol based attacks"
|
||||
tests:
|
||||
- test_title: 921140-1
|
||||
desc: "HTTP Header Injection Attack via headers"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
Host: "localhost"
|
||||
SomeHeader: "Headerdata\rInjectedHeader: response_splitting_code"
|
||||
uri: "/"
|
||||
output:
|
||||
status: [400]
|
||||
no_log_contains: "id:921140"
|
||||
- test_title: 921140-2
|
||||
desc: "HTTP Header Injection Attack via headers"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
Host: "localhost"
|
||||
SomeHeader: "Headerdata%0dInjectedHeader: response_splitting_code"
|
||||
uri: "/"
|
||||
output:
|
||||
no_log_contains: "id:921140"
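Review bot: `no_log_contains: "id:921140"` in both 921140-1 and 921140-2 looks like it can never fail. Every other test on this page matches the log as `id "NNNNNN"` (for example `log_contains: "id \"921150\""`), so the string `id:921140` would presumably not appear even when the rule fires. For 921140-2 that is the only assertion, which leaves the `%0d` header case effectively unchecked. Writing it as `no_log_contains: "id \"921140\""` would make the negative check meaningful, and 921140-1 would still be guarded by `status: [400]`. The file appears to be vendored from upstream coreruleset, so the correction may belong there.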
|
||||
|
|
|
@ -1,23 +1,21 @@
|
|||
---
|
||||
meta:
|
||||
author: "Christian S.J. Peron"
|
||||
enabled: true
|
||||
name: "921150.yaml"
|
||||
description: "Tests for protocol based attacks"
|
||||
tests:
|
||||
-
|
||||
test_title: 921150-1
|
||||
desc: "HTTP Header Injection Attack via payload"
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-agent: "user agent"
|
||||
uri: "/script.jsp?variableX=bar&variable2=Y&%0d%0restofdata"
|
||||
output:
|
||||
log_contains: "id \"921150\""
|
||||
meta:
|
||||
author: "Christian S.J. Peron"
|
||||
enabled: true
|
||||
name: "921150.yaml"
|
||||
description: "Tests for protocol based attacks"
|
||||
tests:
|
||||
- test_title: 921150-1
|
||||
desc: "HTTP Header Injection Attack via payload"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-agent: "user agent"
|
||||
uri: "/script.jsp?variableX=bar&variable2=Y&%0d%0restofdata"
|
||||
output:
|
||||
log_contains: "id \"921150\""
|
||||
|
|
|
@ -1,87 +1,77 @@
|
|||
---
|
||||
meta:
|
||||
author: "Christian S.J. Peron"
|
||||
enabled: true
|
||||
name: "921160.yaml"
|
||||
description: "Tests for protocol based attacks"
|
||||
tests:
|
||||
-
|
||||
test_title: 921160-1
|
||||
desc: "HTTP Header Injection Attack via payload: w/header, invalid line break, newlines after key"
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-agent: "user agent"
|
||||
uri: "/script_rule921160.jsp?variableX=bar&variable2=Y&%0d%0Remote-addr%0d%0d%0d:%20foo.bar.com"
|
||||
output:
|
||||
log_contains: id "921160"
|
||||
-
|
||||
test_title: 921160-2
|
||||
desc: "HTTP Header Injection Attack via payload: w/header, correct line break, newlines after key"
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-agent: "user agent"
|
||||
uri: "/script_rule921160.jsp?variableX=bar&variable2=Y&%0d%0aRemote-addr%0d%0d%0d:%20foo.bar.com"
|
||||
output:
|
||||
log_contains: id "921160"
|
||||
-
|
||||
test_title: 921160-3
|
||||
desc: "HTTP Header Injection Attack via payload: w/header"
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-agent: "user agent"
|
||||
uri: "/script_rule921160.jsp?variableX=bar&variable2=Y&%0d%0aRemote-addr:%20foo.bar.com"
|
||||
output:
|
||||
log_contains: id "921160"
|
||||
-
|
||||
test_title: 921160-4
|
||||
desc: "HTTP Header Injection Attack via payload: w/header, attack explicitly in value rather than key"
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-agent: "user agent"
|
||||
uri: "/script_rule921160.jsp?variableX=bar&variable2=%0d%0aRemote-addr:%20foo.bar.com"
|
||||
output:
|
||||
log_contains: id "921160"
|
||||
-
|
||||
test_title: 921160-5
|
||||
desc: "HTTP Header Injection Attack via payload: w/header, attack explicitly in key rather than value"
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-agent: "user agent"
|
||||
uri: "/script_rule921160.jsp?variableX=bar&%0d%0aRemote-addr:%20foo.bar.com=Y"
|
||||
output:
|
||||
log_contains: id "921160"
|
||||
meta:
|
||||
author: "Christian S.J. Peron"
|
||||
enabled: true
|
||||
name: "921160.yaml"
|
||||
description: "Tests for protocol based attacks"
|
||||
tests:
|
||||
- test_title: 921160-1
|
||||
desc: "HTTP Header Injection Attack via payload: w/header, invalid line break, newlines after key"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-agent: "user agent"
|
||||
uri: "/script_rule921160.jsp?variableX=bar&variable2=Y&%0d%0Remote-addr%0d%0d%0d:%20foo.bar.com"
|
||||
output:
|
||||
log_contains: id "921160"
|
||||
- test_title: 921160-2
|
||||
desc: "HTTP Header Injection Attack via payload: w/header, correct line break, newlines after key"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-agent: "user agent"
|
||||
uri: "/script_rule921160.jsp?variableX=bar&variable2=Y&%0d%0aRemote-addr%0d%0d%0d:%20foo.bar.com"
|
||||
output:
|
||||
log_contains: id "921160"
|
||||
- test_title: 921160-3
|
||||
desc: "HTTP Header Injection Attack via payload: w/header"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-agent: "user agent"
|
||||
uri: "/script_rule921160.jsp?variableX=bar&variable2=Y&%0d%0aRemote-addr:%20foo.bar.com"
|
||||
output:
|
||||
log_contains: id "921160"
|
||||
- test_title: 921160-4
|
||||
desc: "HTTP Header Injection Attack via payload: w/header, attack explicitly in value rather than key"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-agent: "user agent"
|
||||
uri: "/script_rule921160.jsp?variableX=bar&variable2=%0d%0aRemote-addr:%20foo.bar.com"
|
||||
output:
|
||||
log_contains: id "921160"
|
||||
- test_title: 921160-5
|
||||
desc: "HTTP Header Injection Attack via payload: w/header, attack explicitly in key rather than value"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "GET"
|
||||
port: 80
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-agent: "user agent"
|
||||
uri: "/script_rule921160.jsp?variableX=bar&%0d%0aRemote-addr:%20foo.bar.com=Y"
|
||||
output:
|
||||
log_contains: id "921160"
|
||||
|
|
|
@ -1,63 +1,59 @@
|
|||
---
|
||||
meta:
|
||||
author: "Andrea Menin (theMiddle)"
|
||||
description: "HTTP Splitting"
|
||||
enabled: true
|
||||
name: 921190.yaml
|
||||
tests:
|
||||
-
|
||||
test_title: 921190-1
|
||||
meta:
|
||||
author: "Andrea Menin (theMiddle)"
|
||||
description: "HTTP Splitting"
|
||||
enabled: true
|
||||
name: 921190.yaml
|
||||
tests:
|
||||
- test_title: 921190-1
|
||||
desc: "New line char in request filename (1)"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
port: 80
|
||||
uri: "/foo%0Abar"
|
||||
output:
|
||||
log_contains: id "921190"
|
||||
-
|
||||
test_title: 921190-2
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
port: 80
|
||||
uri: "/foo%0Abar"
|
||||
output:
|
||||
log_contains: id "921190"
|
||||
- test_title: 921190-2
|
||||
desc: "New line char in request filename (2)"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
port: 80
|
||||
uri: "/foo%0abar"
|
||||
output:
|
||||
log_contains: id "921190"
|
||||
-
|
||||
test_title: 921190-3
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
port: 80
|
||||
uri: "/foo%0abar"
|
||||
output:
|
||||
log_contains: id "921190"
|
||||
- test_title: 921190-3
|
||||
desc: "FastCGI variable injection: Nginx + PHP-FPM (CVE-2019-11043)"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
port: 80
|
||||
uri: "/index.php/PHP%0Ainfo.php?QQQ"
|
||||
output:
|
||||
log_contains: id "921190"
|
||||
-
|
||||
test_title: 921190-4
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
port: 80
|
||||
uri: "/index.php/PHP%0Ainfo.php?QQQ"
|
||||
output:
|
||||
log_contains: id "921190"
|
||||
- test_title: 921190-4
|
||||
desc: "PHP Settings injection: Nginx + PHP-FPM (CVE-2019-11043)"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
port: 80
|
||||
uri: "/index.php/PHP_VALUE%0Asession.auto_start=1;;;?QQQ"
|
||||
output:
|
||||
log_contains: id "921190"
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
port: 80
|
||||
uri: "/index.php/PHP_VALUE%0Asession.auto_start=1;;;?QQQ"
|
||||
output:
|
||||
log_contains: id "921190"
|
||||
|
|
|
@ -1,167 +1,157 @@
|
|||
---
|
||||
meta:
|
||||
author: "Christian Folini"
|
||||
description: "LDAP injection"
|
||||
enabled: true
|
||||
name: 921200.yaml
|
||||
tests:
|
||||
-
|
||||
test_title: 921200-1
|
||||
meta:
|
||||
author: "Christian Folini"
|
||||
description: "LDAP injection"
|
||||
enabled: true
|
||||
name: 921200.yaml
|
||||
tests:
|
||||
- test_title: 921200-1
|
||||
desc: "Testing for FP, this should not trigger"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
port: 80
|
||||
method: POST
|
||||
data: "foo=(%26(objectCategory=computer) (userAccountControl:1.2.840.113556.1.4.803:=8192))"
|
||||
uri: "/"
|
||||
output:
|
||||
no_log_contains: id "921200"
|
||||
-
|
||||
test_title: 921200-2
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
port: 80
|
||||
method: POST
|
||||
data: "foo=(%26(objectCategory=computer) (userAccountControl:1.2.840.113556.1.4.803:=8192))"
|
||||
uri: "/"
|
||||
output:
|
||||
no_log_contains: id "921200"
|
||||
- test_title: 921200-2
|
||||
desc: "Testing for FP, this should not trigger"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
port: 80
|
||||
method: POST
|
||||
data: "foo=(objectSID=S-1-5-21-73586283-152049171-839522115-1111)"
|
||||
uri: "/"
|
||||
output:
|
||||
no_log_contains: id "921200"
|
||||
-
|
||||
test_title: 921200-3
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
port: 80
|
||||
method: POST
|
||||
data: "foo=(objectSID=S-1-5-21-73586283-152049171-839522115-1111)"
|
||||
uri: "/"
|
||||
output:
|
||||
no_log_contains: id "921200"
|
||||
- test_title: 921200-3
|
||||
desc: "Testing for FP, this should not trigger"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
port: 80
|
||||
method: POST
|
||||
data: "foo=(userAccountControl:1.2.840.113556.1.4.803:=67108864)(%26(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))"
|
||||
uri: "/"
|
||||
output:
|
||||
no_log_contains: id "921200"
|
||||
-
|
||||
test_title: 921200-4
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
port: 80
|
||||
method: POST
|
||||
data: "foo=(userAccountControl:1.2.840.113556.1.4.803:=67108864)(%26(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))"
|
||||
uri: "/"
|
||||
output:
|
||||
no_log_contains: id "921200"
|
||||
- test_title: 921200-4
|
||||
desc: "Testing for rule, this should trigger"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
method: POST
|
||||
data: "foo=bar)(%26)"
|
||||
uri: "/"
|
||||
port: 80
|
||||
output:
|
||||
log_contains: id "921200"
|
||||
-
|
||||
test_title: 921200-5
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
method: POST
|
||||
data: "foo=bar)(%26)"
|
||||
uri: "/"
|
||||
port: 80
|
||||
output:
|
||||
log_contains: id "921200"
|
||||
- test_title: 921200-5
|
||||
desc: "Testing for rule, this should trigger"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
method: POST
|
||||
data: "foo=printer)(uid=*)"
|
||||
uri: "/"
|
||||
port: 80
|
||||
output:
|
||||
log_contains: id "921200"
|
||||
-
|
||||
test_title: 921200-6
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
method: POST
|
||||
data: "foo=printer)(uid=*)"
|
||||
uri: "/"
|
||||
port: 80
|
||||
output:
|
||||
log_contains: id "921200"
|
||||
- test_title: 921200-6
|
||||
desc: "Testing for rule, this should trigger"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
method: POST
|
||||
data: "foo=void)(objectClass=users))(%26(objectClass=void)"
|
||||
uri: "/"
|
||||
port: 80
|
||||
output:
|
||||
log_contains: id "921200"
|
||||
-
|
||||
test_title: 921200-7
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
method: POST
|
||||
data: "foo=void)(objectClass=users))(%26(objectClass=void)"
|
||||
uri: "/"
|
||||
port: 80
|
||||
output:
|
||||
log_contains: id "921200"
|
||||
- test_title: 921200-7
|
||||
desc: "Testing for rule, this should trigger"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
method: POST
|
||||
data: "foo=eb9adbd87d)!(sn=*"
|
||||
uri: "/"
|
||||
port: 80
|
||||
output:
|
||||
log_contains: id "921200"
|
||||
-
|
||||
test_title: 921200-8
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
method: POST
|
||||
data: "foo=eb9adbd87d)!(sn=*"
|
||||
uri: "/"
|
||||
port: 80
|
||||
output:
|
||||
log_contains: id "921200"
|
||||
- test_title: 921200-8
|
||||
desc: "Testing for rule, this should trigger"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
method: POST
|
||||
data: "foo=*)!(sn=*"
|
||||
uri: "/"
|
||||
port: 80
|
||||
output:
|
||||
log_contains: id "921200"
|
||||
-
|
||||
test_title: 921200-9
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
method: POST
|
||||
data: "foo=*)!(sn=*"
|
||||
uri: "/"
|
||||
port: 80
|
||||
output:
|
||||
log_contains: id "921200"
|
||||
- test_title: 921200-9
|
||||
desc: "Testing for rule, this should trigger"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
method: POST
|
||||
data: "foo=*)(uid=*))(|(uid=*"
|
||||
uri: "/"
|
||||
port: 80
|
||||
output:
|
||||
log_contains: id "921200"
|
||||
-
|
||||
test_title: 921200-10
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
method: POST
|
||||
data: "foo=*)(uid=*))(|(uid=*"
|
||||
uri: "/"
|
||||
port: 80
|
||||
output:
|
||||
log_contains: id "921200"
|
||||
- test_title: 921200-10
|
||||
desc: "Testing for rule, this should trigger"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
method: POST
|
||||
data: "foo=aaa*aaa)(cn>=bob)"
|
||||
uri: "/"
|
||||
port: 80
|
||||
output:
|
||||
log_contains: id "921200"
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
method: POST
|
||||
data: "foo=aaa*aaa)(cn>=bob)"
|
||||
uri: "/"
|
||||
port: 80
|
||||
output:
|
||||
log_contains: id "921200"
|
||||
|
|