librewolf
/
bunkerized-nginx
mirror of https://github.com/bunkerity/bunkerized-nginx
4
0
Fork 1
Code Issues Projects Releases Wiki Activity

initial work

This commit is contained in:
bunkerity 2019-08-20 21:25:16 +00:00
parent 70f849fbb5
commit e90060ce68
82 changed files with 18602 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
Dockerfile Normal file
View File

@ -0,0 +1,22 @@
FROM alpine
COPY compile.sh /tmp/compile.sh
RUN chmod +x /tmp/compile.sh && \
/tmp/compile.sh && \
rm -rf /tmp/*
COPY entrypoint.sh /opt/entrypoint.sh
COPY confs/ /opt/confs
COPY scripts/ /opt/scripts
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl && \
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
mkdir /www && \
adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
VOLUME /www
EXPOSE 80
EXPOSE 443
ENTRYPOINT ["/opt/entrypoint.sh"]

37
compile.sh Normal file
View File

@ -0,0 +1,37 @@
#/bin/sh
NTASK=$(($(nproc)*2))
# install build dependencies
apk add --no-cache --virtual build autoconf libtool automake git geoip-dev yajl-dev g++ curl-dev libxml2-dev pcre-dev make linux-headers libmaxminddb-dev
# compile and install ModSecurity library
cd /tmp
git clone https://github.com/SpiderLabs/ModSecurity.git
cd ModSecurity
./build.sh
git submodule init
git submodule update
./configure --enable-static=no --disable-doxygen-doc --disable-dependency-tracking
make -j $NTASK
make install-strip
# get nginx modules
cd /tmp
# ModSecurity connector for nginx
git clone https://github.com/SpiderLabs/ModSecurity-nginx.git
# headers more
git clone https://github.com/openresty/headers-more-nginx-module.git
# geoip
git clone https://github.com/leev/ngx_http_geoip2_module.git
# compile and install nginx
cd /tmp
git clone https://github.com/nginx/nginx.git
cd nginx
./auto/configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/run/nginx/nginx.pid --modules-path=/usr/lib/nginx/modules --with-file-aio --with-http_ssl_module --with-http_v2_module --add-module=/tmp/ModSecurity-nginx --add-module=/tmp/headers-more-nginx-module --add-module=/tmp/ngx_http_geoip2_module
make -j $NTASK
make install
# remove build dependencies
apk del build

8
confs/auto-lets-encrypt.conf Normal file
View File

@ -0,0 +1,8 @@
listen 0.0.0.0:443 ssl %HTTP2%;
server_name %SERVER_NAME%;
ssl_certificate /etc/letsencrypt/live/%SERVER_NAME%/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/%SERVER_NAME%/privkey.pem;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_session_tickets off;
%STRICT_TRANSPORT_SECURITY%

3
confs/block-user-agent.conf Normal file
View File

@ -0,0 +1,3 @@
if ($bad_user_agent = yes) {
return 444;
}

4
confs/cache.conf Normal file
View File

@ -0,0 +1,4 @@
open_file_cache %CACHE%;
open_file_cache_errors %CACHE_ERRORS%;
open_file_cache_min_uses %CACHE_USES%;
open_file_cache_valid %CACHE_VALID%;

4
confs/disable-default-server.conf Normal file
View File

@ -0,0 +1,4 @@
server {
listen 0.0.0.0:80 default_server;
return 444;
}

7
confs/error.conf Normal file
View File

@ -0,0 +1,7 @@
error_page %CODE% %PAGE%;
location = %PAGE% {
root /www;
modsecurity off;
internal;
}

1
confs/feature-policy.conf Normal file
View File

@ -0,0 +1 @@
more_set_headers "Feature-Policy: %FEATURE_POLICY%";

7
confs/geoip.conf Normal file
View File

@ -0,0 +1,7 @@
map $geoip2_data_country_code $allowed_country {
default yes;
%BLOCK_COUNTRY%
}
if ($allowed_country = no) {
return 403;
}

9
confs/gzip.conf Normal file
View File

@ -0,0 +1,9 @@
# /etc/nginx/gzip.conf
# enable/disable gzip compression
gzip %USE_GZIP%;
gzip_comp_level %GZIP_COMP_LEVEL%;
gzip_disable msie6;
gzip_min_length %GZIP_MIN_LENGTH%;
gzip_proxied any;
gzip_types %GZIP_TYPES%;

4
confs/map-user-agent.conf Normal file
View File

@ -0,0 +1,4 @@
map $http_user_agent $bad_user_agent {
default no;
%BLOCK_USER_AGENT%
}

59
confs/modsecurity-rules.conf Normal file
View File

@ -0,0 +1,59 @@
# process rules with disruptive actions
SecRuleEngine On
# allow body checks
SecRequestBodyAccess On
# enable XML parsing
SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
# enable JSON parsing
SecRule REQUEST_HEADERS:Content-Type "application/json" \
"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
# maximum data size
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
# reject requests if bigger than max data size
SecRequestBodyLimitAction Reject
# reject if we can't process the body
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
# be strict with multipart/form-data body
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:400, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
# enable response body checks
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml application/json
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial
# log usefull stuff
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log
# include OWASP CRS rules
include /etc/nginx/owasp-crs.conf
include /etc/nginx/owasp-crs/*.conf

2
confs/modsecurity.conf Normal file
View File

@ -0,0 +1,2 @@
modsecurity on;
modsecurity_rules_file /etc/nginx/modsecurity-rules.conf;

85
confs/nginx.conf Normal file
View File

@ -0,0 +1,85 @@
# /etc/nginx/nginx.conf
# do not run as daemon
daemon off;
# do NOT run as root
user nginx;
# worker number = CPU core(s)
worker_processes auto;
# faster regexp
pcre_jit on;
# display warnings and errors on stderr
error_log stderr warn;
# config files for dynamic modules
include /etc/nginx/modules/*.conf;
events {
# max connections per worker
worker_connections 1024;
# epoll seems to be the best on Linux
use epoll;
}
http {
# zero copy within the kernel
sendfile on;
# send packets only if filled
tcp_nopush on;
# remove 200ms delay
tcp_nodelay on;
# load mime types and set default one
include /etc/nginx/mime.types;
default_type application/octet-stream;
# load gzip custom config
include /etc/nginx/gzip.conf;
# maximum request body size
client_max_body_size %MAX_CLIENT_SIZE%;
# load caching custom config
include /etc/nginx/cache.conf;
# close connections in FIN_WAIT1 state
reset_timedout_connection on;
# timeouts
client_body_timeout 12;
client_header_timeout 12;
keepalive_timeout 15;
send_timeout 10;
# enable/disable sending nginx version
server_tokens %SERVER_TOKENS%;
# display standard logs on stdout
access_log /dev/stdout;
# server config
include /etc/nginx/server.conf;
# disable default server
%DISABLE_DEFAULT_SERVER%
# geoip2 config
geoip2 /etc/nginx/geoip.mmdb {
auto_reload 5m;
$geoip2_metadata_country_build metadata build_epoch;
$geoip2_data_country_code country iso_code;
}
# check if user agent is blocked
%BLOCK_USER_AGENT%
# enable ModSecurity
%USE_MODSECURITY%
}

845
confs/owasp-crs.conf Normal file
View File

@ -0,0 +1,845 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -- [[ Introduction ]] --------------------------------------------------------
#
# The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack
# detection rules that provide a base level of protection for any web
# application. They are written for the open source, cross-platform
# ModSecurity Web Application Firewall.
#
# See also:
# https://coreruleset.org/
# https://github.com/SpiderLabs/owasp-modsecurity-crs
# https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
#
#
# -- [[ System Requirements ]] -------------------------------------------------
#
# CRS requires ModSecurity version 2.8.0 or above.
# We recommend to always use the newest ModSecurity version.
#
# The configuration directives/settings in this file are used to control
# the OWASP ModSecurity CRS. These settings do **NOT** configure the main
# ModSecurity settings (modsecurity.conf) such as SecRuleEngine,
# SecRequestBodyAccess, SecAuditEngine, SecDebugLog, and XML processing.
#
# The CRS assumes that modsecurity.conf has been loaded. It is bundled with
# ModSecurity. If you don't have it, you can get it from:
# 2.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v2/master/modsecurity.conf-recommended
# 3.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
#
# The order of file inclusion in your webserver configuration should always be:
# 1. modsecurity.conf
# 2. crs-setup.conf (this file)
# 3. rules/*.conf (the CRS rule files)
#
# Please refer to the INSTALL file for detailed installation instructions.
#
#
# -- [[ Mode of Operation: Anomaly Scoring vs. Self-Contained ]] ---------------
#
# The CRS can run in two modes:
#
# -- [[ Anomaly Scoring Mode (default) ]] --
# In CRS3, anomaly mode is the default and recommended mode, since it gives the
# most accurate log information and offers the most flexibility in setting your
# blocking policies. It is also called "collaborative detection mode".
# In this mode, each matching rule increases an 'anomaly score'.
# At the conclusion of the inbound rules, and again at the conclusion of the
# outbound rules, the anomaly score is checked, and the blocking evaluation
# rules apply a disruptive action, by default returning an error 403.
#
# -- [[ Self-Contained Mode ]] --
# In this mode, rules apply an action instantly. This was the CRS2 default.
# It can lower resource usage, at the cost of less flexibility in blocking policy
# and less informative audit logs (only the first detected threat is logged).
# Rules inherit the disruptive action that you specify (i.e. deny, drop, etc).
# The first rule that matches will execute this action. In most cases this will
# cause evaluation to stop after the first rule has matched, similar to how many
# IDSs function.
#
# -- [[ Alert Logging Control ]] --
# In the mode configuration, you must also adjust the desired logging options.
# There are three common options for dealing with logging. By default CRS enables
# logging to the webserver error log (or Event viewer) plus detailed logging to
# the ModSecurity audit log (configured under SecAuditLog in modsecurity.conf).
#
# - To log to both error log and ModSecurity audit log file, use: "log,auditlog"
# - To log *only* to the ModSecurity audit log file, use: "nolog,auditlog"
# - To log *only* to the error log file, use: "log,noauditlog"
#
# Examples for the various modes follow.
# You must leave one of the following options enabled.
# Note that you must specify the same line for phase:1 and phase:2.
#
# Default: Anomaly Scoring mode, log to error log, log to ModSecurity audit log
# - By default, offending requests are blocked with an error 403 response.
# - To change the disruptive action, see RESPONSE-999-EXCEPTIONS.conf.example
# and review section 'Changing the Disruptive Action for Anomaly Mode'.
# - In Apache, you can use ErrorDocument to show a friendly error page or
# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
#
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"
# Example: Anomaly Scoring mode, log only to ModSecurity audit log
# - By default, offending requests are blocked with an error 403 response.
# - To change the disruptive action, see RESPONSE-999-EXCEPTIONS.conf.example
# and review section 'Changing the Disruptive Action for Anomaly Mode'.
# - In Apache, you can use ErrorDocument to show a friendly error page or
# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
#
# SecDefaultAction "phase:1,nolog,auditlog,pass"
# SecDefaultAction "phase:2,nolog,auditlog,pass"
# Example: Self-contained mode, return error 403 on blocking
# - In this configuration the default disruptive action becomes 'deny'. After a
# rule triggers, it will stop processing the request and return an error 403.
# - You can also use a different error status, such as 404, 406, et cetera.
# - In Apache, you can use ErrorDocument to show a friendly error page or
# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
#
# SecDefaultAction "phase:1,log,auditlog,deny,status:403"
# SecDefaultAction "phase:2,log,auditlog,deny,status:403"
# Example: Self-contained mode, redirect back to homepage on blocking
# - In this configuration the 'tag' action includes the Host header data in the
# log. This helps to identify which virtual host triggered the rule (if any).
# - Note that this might cause redirect loops in some situations; for example
# if a Cookie or User-Agent header is blocked, it will also be blocked when
# the client subsequently tries to access the homepage. You can also redirect
# to another custom URL.
# SecDefaultAction "phase:1,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
# SecDefaultAction "phase:2,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
#
# -- [[ Paranoia Level Initialization ]] ---------------------------------------
#
# The Paranoia Level (PL) setting allows you to choose the desired level
# of rule checks that will add to your anomaly scores.
#
# With each paranoia level increase, the CRS enables additional rules
# giving you a higher level of security. However, higher paranoia levels
# also increase the possibility of blocking some legitimate traffic due to
# false alarms (also named false positives or FPs). If you use higher
# paranoia levels, it is likely that you will need to add some exclusion
# rules for certain requests and applications receiving complex input.
#
# - A paranoia level of 1 is default. In this level, most core rules
# are enabled. PL1 is advised for beginners, installations
# covering many different sites and applications, and for setups
# with standard security requirements.
# At PL1 you should face FPs rarely. If you encounter FPs, please
# open an issue on the CRS GitHub site and don't forget to attach your
# complete Audit Log record for the request with the issue.
# - Paranoia level 2 includes many extra rules, for instance enabling
# many regexp-based SQL and XSS injection protections, and adding
# extra keywords checked for code injections. PL2 is advised
# for moderate to experienced users desiring more complete coverage
# and for installations with elevated security requirements.
# PL2 comes with some FPs which you need to handle.
# - Paranoia level 3 enables more rules and keyword lists, and tweaks
# limits on special characters used. PL3 is aimed at users experienced
# at the handling of FPs and at installations with a high security
# requirement.
# - Paranoia level 4 further restricts special characters.
# The highest level is advised for experienced users protecting
# installations with very high security requirements. Running PL4 will
# likely produce a very high number of FPs which have to be
# treated before the site can go productive.
#
# Rules in paranoia level 2 or higher will log their PL to the audit log;
# example: [tag "paranoia-level/2"]. This allows you to deduct from the
# audit log how the WAF behavior is affected by paranoia level.
#
# It is important to also look into the variable
# tx.enforce_bodyproc_urlencoded (Enforce Body Processor URLENCODED)
# defined below. Enabling it closes a possible bypass of CRS.
#
# Uncomment this rule to change the default:
#
#SecAction \
# "id:900000,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.paranoia_level=1"
# It is possible to execute rules from a higher paranoia level but not include
# them in the anomaly scoring. This allows you to take a well-tuned system on
# paranoia level 1 and add rules from paranoia level 2 without having to fear
# the new rules would lead to false positives that raise your score above the
# threshold.
# This optional feature is enabled by uncommenting the following rule and
# setting the tx.executing_paranoia_level.
# Technically, rules up to the level defined in tx.executing_paranoia_level
# will be executed, but only the rules up to tx.paranoia_level affect the
# anomaly scores.
# By default, tx.executing_paranoia_level is set to tx.paranoia_level.
# tx.executing_paranoia_level must not be lower than tx.paranoia_level.
#
# Please notice that setting tx.executing_paranoia_level to a higher paranoia
# level results in a performance impact that is equally high as setting
# tx.paranoia_level to said level.
#
#SecAction \
# "id:900001,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.executing_paranoia_level=1"
#
# -- [[ Enforce Body Processor URLENCODED ]] -----------------------------------
#
# ModSecurity selects the body processor based on the Content-Type request
# header. But clients are not always setting the Content-Type header for their
# request body payloads. This will leave ModSecurity with limited vision into
# the payload. The variable tx.enforce_bodyproc_urlencoded lets you force the
# URLENCODED body processor in these situations. This is off by default, as it
# implies a change of the behaviour of ModSecurity beyond CRS (the body
# processor applies to all rules, not only CRS) and because it may lead to
# false positives already on paranoia level 1. However, enabling this variable
# closes a possible bypass of CRS so it should be considered.
#
# Uncomment this rule to change the default:
#
#SecAction \
# "id:900010,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.enforce_bodyproc_urlencoded=1"
#
# -- [[ Anomaly Mode Severity Levels ]] ----------------------------------------
#
# Each rule in the CRS has an associated severity level.
# These are the default scoring points for each severity level.
# These settings will be used to increment the anomaly score if a rule matches.
# You may adjust these points to your liking, but this is usually not needed.
#
# - CRITICAL severity: Anomaly Score of 5.
# Mostly generated by the application attack rules (93x and 94x files).
# - ERROR severity: Anomaly Score of 4.
# Generated mostly from outbound leakage rules (95x files).
# - WARNING severity: Anomaly Score of 3.
# Generated mostly by malicious client rules (91x files).
# - NOTICE severity: Anomaly Score of 2.
# Generated mostly by the protocol rules (92x files).
#
# In anomaly mode, these scores are cumulative.
# So it's possible for a request to hit multiple rules.
#
# (Note: In this file, we use 'phase:1' to set CRS configuration variables.
# In general, 'phase:request' is used. However, we want to make absolutely sure
# that all configuration variables are set before the CRS rules are processed.)
#
#SecAction \
# "id:900100,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.critical_anomaly_score=5,\
# setvar:tx.error_anomaly_score=4,\
# setvar:tx.warning_anomaly_score=3,\
# setvar:tx.notice_anomaly_score=2"
#
# -- [[ Anomaly Mode Blocking Threshold Levels ]] ------------------------------
#
# Here, you can specify at which cumulative anomaly score an inbound request,
# or outbound response, gets blocked.
#
# Most detected inbound threats will give a critical score of 5.
# Smaller violations, like violations of protocol/standards, carry lower scores.
#
# [ At default value ]
# If you keep the blocking thresholds at the defaults, the CRS will work
# similarly to previous CRS versions: a single critical rule match will cause
# the request to be blocked and logged.
#
# [ Using higher values ]
# If you want to make the CRS less sensitive, you can increase the blocking
# thresholds, for instance to 7 (which would require multiple rule matches
# before blocking) or 10 (which would require at least two critical alerts - or
# a combination of many lesser alerts), or even higher. However, increasing the
# thresholds might cause some attacks to bypass the CRS rules or your policies.
#
# [ New deployment strategy: Starting high and decreasing ]
# It is a common practice to start a fresh CRS installation with elevated
# anomaly scoring thresholds (>100) and then lower the limits as your
# confidence in the setup grows. You may also look into the Sampling
# Percentage section below for a different strategy to ease into a new
# CRS installation.
#
# [ Anomaly Threshold / Paranoia Level Quadrant ]
#
# High Anomaly Limit | High Anomaly Limit
# Low Paranoia Level | High Paranoia Level
# -> Fresh Site | -> Experimental Site
# ------------------------------------------------------
# Low Anomaly Limit | Low Anomaly Limit
# Low Paranoia Level | High Paranoia Level
# -> Standard Site | -> High Security Site
#
# Uncomment this rule to change the defaults:
#
#SecAction \
# "id:900110,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.inbound_anomaly_score_threshold=5,\
# setvar:tx.outbound_anomaly_score_threshold=4"
#
# -- [[ Application Specific Rule Exclusions ]] ----------------------------------------
#
# Some well-known applications may undertake actions that appear to be
# malicious. This includes actions such as allowing HTML or Javascript within
# parameters. In such cases the CRS aims to prevent false positives by allowing
# administrators to enable prebuilt, application specific exclusions on an
# application by application basis.
# These application specific exclusions are distinct from the rules that would
# be placed in the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS configuration file as
# they are prebuilt for specific applications. The 'REQUEST-900' file is
# designed for users to add their own custom exclusions. Note, using these
# application specific exclusions may loosen restrictions of the CRS,
# especially if used with an application they weren't designed for. As a result
# they should be applied with care.
# To use this functionality you must specify a supported application. To do so
# uncomment rule 900130. In addition to uncommenting the rule you will need to
# specify which application(s) you'd like to enable exclusions for. Only a
# (very) limited set of applications are currently supported, please use the
# filenames prefixed with 'REQUEST-903' to guide you in your selection.
# Such filenames use the following convention:
# REQUEST-903.9XXX-{APPNAME}-EXCLUSIONS-RULES.conf
#
# It is recommended if you run multiple web applications on your site to limit
# the effects of the exclusion to only the path where the excluded webapp
# resides using a rule similar to the following example:
# SecRule REQUEST_URI "@beginsWith /wordpress/" setvar:tx.crs_exclusions_wordpress=1
#
# Modify and uncomment this rule to select which application:
#
#SecAction \
# "id:900130,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.crs_exclusions_drupal=1,\
# setvar:tx.crs_exclusions_wordpress=1,\
# setvar:tx.crs_exclusions_nextcloud=1,\
# setvar:tx.crs_exclusions_dokuwiki=1,\
# setvar:tx.crs_exclusions_cpanel=1"
#
# -- [[ HTTP Policy Settings ]] ------------------------------------------------
#
# This section defines your policies for the HTTP protocol, such as:
# - allowed HTTP versions, HTTP methods, allowed request Content-Types
# - forbidden file extensions (e.g. .bak, .sql) and request headers (e.g. Proxy)
#
# These variables are used in the following rule files:
# - REQUEST-911-METHOD-ENFORCEMENT.conf
# - REQUEST-912-DOS-PROTECTION.conf
# - REQUEST-920-PROTOCOL-ENFORCEMENT.conf
# HTTP methods that a client is allowed to use.
# Default: GET HEAD POST OPTIONS
# Example: for RESTful APIs, add the following methods: PUT PATCH DELETE
# Example: for WebDAV, add the following methods: CHECKOUT COPY DELETE LOCK
# MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK
# Uncomment this rule to change the default.
#SecAction \
# "id:900200,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
# Content-Types that a client is allowed to send in a request.
# Default: application/x-www-form-urlencoded|multipart/form-data|text/xml|\
# application/xml|application/soap+xml|application/x-amf|application/json|\
# application/octet-stream|text/plain
# Uncomment this rule to change the default.
#SecAction \
# "id:900220,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|text/plain'"
# Content-Types charsets that a client is allowed to send in a request.
# Default: utf-8|iso-8859-1|iso-8859-15|windows-1252
# Uncomment this rule to change the default.
# Use "|" to separate multiple charsets like in the rule defining
# tx.allowed_request_content_type.
#SecAction \
# "id:900270,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'"
# Allowed HTTP versions.
# Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
# Example for legacy clients: HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
# Note that some web server versions use 'HTTP/2', some 'HTTP/2.0', so
# we include both version strings by default.
# Uncomment this rule to change the default.
#SecAction \
# "id:900230,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
# Forbidden file extensions.
# Guards against unintended exposure of development/configuration files.
# Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/
# Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .sql/
# Uncomment this rule to change the default.
#SecAction \
# "id:900240,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
# Forbidden request headers.
# Header names should be lowercase, enclosed by /slashes/ as delimiters.
# Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org
# Default: /proxy/ /lock-token/ /content-range/ /translate/ /if/
# Uncomment this rule to change the default.
#SecAction \
# "id:900250,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /translate/ /if/'"
# File extensions considered static files.
# Extensions include the dot, lowercase, enclosed by /slashes/ as delimiters.
# Used in DoS protection rule. See section "Anti-Automation / DoS Protection".
# Default: /.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/
# Uncomment this rule to change the default.
#SecAction \
# "id:900260,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
#
# -- [[ HTTP Argument/Upload Limits ]] -----------------------------------------
#
# Here you can define optional limits on HTTP get/post parameters and uploads.
# This can help to prevent application specific DoS attacks.
#
# These values are checked in REQUEST-920-PROTOCOL-ENFORCEMENT.conf.
# Beware of blocking legitimate traffic when enabling these limits.
#
# Block request if number of arguments is too high
# Default: unlimited
# Example: 255
# Uncomment this rule to set a limit.
#SecAction \
# "id:900300,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.max_num_args=255"
# Block request if the length of any argument name is too high
# Default: unlimited
# Example: 100
# Uncomment this rule to set a limit.
#SecAction \
# "id:900310,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.arg_name_length=100"
# Block request if the length of any argument value is too high
# Default: unlimited
# Example: 400
# Uncomment this rule to set a limit.
#SecAction \
# "id:900320,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.arg_length=400"
# Block request if the total length of all combined arguments is too high
# Default: unlimited
# Example: 64000
# Uncomment this rule to set a limit.
#SecAction \
# "id:900330,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.total_arg_length=64000"
# Block request if the file size of any individual uploaded file is too high
# Default: unlimited
# Example: 1048576
# Uncomment this rule to set a limit.
#SecAction \
# "id:900340,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.max_file_size=1048576"
# Block request if the total size of all combined uploaded files is too high
# Default: unlimited
# Example: 1048576
# Uncomment this rule to set a limit.
#SecAction \
# "id:900350,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.combined_file_sizes=1048576"
#
# -- [[ Easing In / Sampling Percentage ]] -------------------------------------
#
# Adding the Core Rule Set to an existing productive site can lead to false
# positives, unexpected performance issues and other undesired side effects.
#
# It can be beneficial to test the water first by enabling the CRS for a
# limited number of requests only and then, when you have solved the issues (if
# any) and you have confidence in the setup, to raise the ratio of requests
# being sent into the ruleset.
#
# Adjust the percentage of requests that are funnelled into the Core Rules by
# setting TX.sampling_percentage below. The default is 100, meaning that every
# request gets checked by the CRS. The selection of requests, which are going
# to be checked, is based on a pseudo random number generated by ModSecurity.
#
# If a request is allowed to pass without being checked by the CRS, there is no
# entry in the audit log (for performance reasons), but an error log entry is
# written. If you want to disable the error log entry, then issue the
# following directive somewhere after the inclusion of the CRS
# (E.g., RESPONSE-999-EXCEPTIONS.conf).
#
# SecRuleUpdateActionById 901150 "nolog"
#
# ATTENTION: If this TX.sampling_percentage is below 100, then some of the
# requests will bypass the Core Rules completely and you lose the ability to
# protect your service with ModSecurity.
#
# Uncomment this rule to enable this feature:
#
#SecAction "id:900400,\
# phase:1,\
# pass,\
# nolog,\
# setvar:tx.sampling_percentage=100"
#
# -- [[ Project Honey Pot HTTP Blacklist ]] ------------------------------------
#
# Optionally, you can check the client IP address against the Project Honey Pot
# HTTPBL (dnsbl.httpbl.org). In order to use this, you need to register to get a
# free API key. Set it here with SecHttpBlKey.
#
# Project Honeypot returns multiple different malicious IP types.
# You may specify which you want to block by enabling or disabling them below.
#
# Ref: https://www.projecthoneypot.org/httpbl.php
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecHttpBlKey
#
# Uncomment these rules to use this feature:
#
#SecHttpBlKey XXXXXXXXXXXXXXXXX
#SecAction "id:900500,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.block_search_ip=1,\
# setvar:tx.block_suspicious_ip=1,\
# setvar:tx.block_harvester_ip=1,\
# setvar:tx.block_spammer_ip=1"
#
# -- [[ GeoIP Database ]] ------------------------------------------------------
#
# There are some rulesets that inspect geolocation data of the client IP address
# (geoLookup). The CRS uses geoLookup to implement optional country blocking.
#
# To use geolocation, we make use of the MaxMind GeoIP database.
# This database is not included with the CRS and must be downloaded.
# You should also update the database regularly, for instance every month.
# The CRS contains a tool to download it to util/geo-location/GeoIP.dat:
# util/upgrade.py --geoip
#
# This product includes GeoLite data created by MaxMind, available from:
# http://www.maxmind.com.
#
# Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html
# Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html
#
# Uncomment this rule to use this feature:
#
#SecGeoLookupDB util/geo-location/GeoIP.dat
#
# -=[ Block Countries ]=-
#
# Rules in the IP Reputation file can check the client against a list of high
# risk country codes. These countries have to be defined in the variable
# tx.high_risk_country_codes via their ISO 3166 two-letter country code:
# https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements
#
# If you are sure that you are not getting any legitimate requests from a given
# country, then you can disable all access from that country via this variable.
# The rule performing the test has the rule id 910100.
#
# This rule requires SecGeoLookupDB to be enabled and the GeoIP database to be
# downloaded (see the section "GeoIP Database" above.)
#
# By default, the list is empty. A list used by some sites was the following:
# setvar:'tx.high_risk_country_codes=UA ID YU LT EG RO BG TR RU PK MY CN'"
#
# Uncomment this rule to use this feature:
#
#SecAction \
# "id:900600,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:'tx.high_risk_country_codes='"
#
# -- [[ Anti-Automation / DoS Protection ]] ------------------------------------
#
# Optional DoS protection against clients making requests too quickly.
#
# When a client is making more than 100 requests (excluding static files) within
# 60 seconds, this is considered a 'burst'. After two bursts, the client is
# blocked for 600 seconds.
#
# Requests to static files are not counted towards DoS; they are listed in the
# 'tx.static_extensions' setting, which you can change in this file (see
# section "HTTP Policy Settings").
#
# For a detailed description, see rule file REQUEST-912-DOS-PROTECTION.conf.
#
# Uncomment this rule to use this feature:
#
#SecAction \
# "id:900700,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:'tx.dos_burst_time_slice=60',\
# setvar:'tx.dos_counter_threshold=100',\
# setvar:'tx.dos_block_timeout=600'"
#
# -- [[ Check UTF-8 encoding ]] ------------------------------------------------
#
# The CRS can optionally check request contents for invalid UTF-8 encoding.
# We only want to apply this check if UTF-8 encoding is actually used by the
# site; otherwise it will result in false positives.
#
# Uncomment this rule to use this feature:
#
#SecAction \
# "id:900950,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.crs_validate_utf8_encoding=1"
#
# -- [[ Blocking Based on IP Reputation ]] ------------------------------------
#
# Blocking based on reputation is permanent in the CRS. Unlike other rules,
# which look at the indvidual request, the blocking of IPs is based on
# a persistent record in the IP collection, which remains active for a
# certain amount of time.
#
# There are two ways an individual client can become flagged for blocking:
# - External information (RBL, GeoIP, etc.)
# - Internal information (Core Rules)
#
# The record in the IP collection carries a flag, which tags requests from
# individual clients with a flag named IP.reput_block_flag.
# But the flag alone is not enough to have a client blocked. There is also
# a global switch named tx.do_reput_block. This is off by default. If you set
# it to 1 (=On), requests from clients with the IP.reput_block_flag will
# be blocked for a certain duration.
#
# Variables
# ip.reput_block_flag Blocking flag for the IP collection record
# ip.reput_block_reason Reason (= rule message) that caused to blocking flag
# tx.do_reput_block Switch deciding if we really block based on flag
# tx.reput_block_duration Setting to define the duration of a block
#
# It may be important to know, that all the other core rules are skipped for
# requests, when it is clear that they carry the blocking flag in question.
#
# Uncomment this rule to use this feature:
#
#SecAction \
# "id:900960,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.do_reput_block=1"
#
# Uncomment this rule to change the blocking time:
# Default: 300 (5 minutes)
#
#SecAction \
# "id:900970,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.reput_block_duration=300"
#
# -- [[ Collection timeout ]] --------------------------------------------------
#
# Set the SecCollectionTimeout directive from the ModSecurity default (1 hour)
# to a lower setting which is appropriate to most sites.
# This increases performance by cleaning out stale collection (block) entries.
#
# This value should be greater than or equal to:
# tx.reput_block_duration (see section "Blocking Based on IP Reputation") and
# tx.dos_block_timeout (see section "Anti-Automation / DoS Protection").
#
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecCollectionTimeout
# Please keep this directive uncommented.
# Default: 600 (10 minutes)
SecCollectionTimeout 600
#
# -- [[ Debug Mode ]] ----------------------------------------------------------
#
# To enable rule development and debugging, CRS has an optional debug mode
# that does not block a request, but instead sends detection information
# back to the HTTP client.
#
# This functionality is currently only supported with the Apache web server.
# The Apache mod_headers module is required.
#
# In debug mode, the webserver inserts "X-WAF-Events" / "X-WAF-Score"
# response headers whenever a debug client makes a request. Example:
#
# # curl -v 'http://192.168.1.100/?foo=../etc/passwd'
# X-WAF-Events: TX:930110-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-REQUEST_URI,
# TX:930120-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-ARGS:foo,
# TX:932160-OWASP_CRS/WEB_ATTACK/RCE-ARGS:foo
# X-WAF-Score: Total=15; sqli=0; xss=0; rfi=0; lfi=10; rce=5; php=0; http=0; ses=0
#
# To enable debug mode, include the RESPONSE-981-DEBUG.conf file.
# This file resides in a separate folder, as it is not compatible with
# nginx and IIS.
#
# You must specify the source IP address/network where you will be running the
# tests from. The source IP will BYPASS all CRS blocking, and will be sent the
# response headers as specified above. Be careful to only list your private
# IP addresses/networks here.
#
# Tip: for regression testing of CRS or your own ModSecurity rules, you may
# be interested in using the OWASP CRS regression testing suite instead.
# View the file util/regression-tests/README for more information.
#
# Uncomment these rules, filling in your CRS path and the source IP address,
# to enable debug mode:
#
#Include /path/to/crs/util/debug/RESPONSE-981-DEBUG.conf
#SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
# "id:900980,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# ctl:ruleEngine=DetectionOnly,\
# setvar:tx.crs_debug_mode=1"
#
# -- [[ End of setup ]] --------------------------------------------------------
#
# The CRS checks the tx.crs_setup_version variable to ensure that the setup
# has been loaded. If you are not planning to use this setup template,
# you must manually set the tx.crs_setup_version variable before including
# the CRS rules/* files.
#
# The variable is a numerical representation of the CRS version number.
# E.g., v3.0.0 is represented as 300.
#
SecAction \
"id:900990,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.crs_setup_version=311"

165
confs/owasp-crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example Normal file
View File

@ -0,0 +1,165 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# The purpose of this file is to hold LOCAL exceptions for your site. The
# types of rules that would go into this file are one where you want to
# short-circuit inspection and allow certain transactions to pass through
# inspection or if you want to alter rules that are applied.
#
# This file is named REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example for a
# very specific reason. Files affixed with the .example extension are designed
# to contain user created/modified data. The '.example'. extension should be
# renamed to end in .conf. The advantage of this is that when OWASP CRS is
# updated, the updates will not overwrite a user generated configuration file.
#
# As a result of this design paradigm users are encouraged NOT to directly
# modify rules. Instead they should use this
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and the
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS file to modify OWASP rules using
# methods similar to the examples specified below.
#
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS serve different purposes. ModSecurity
# effectively maintains two different context: startup, and per transaction.
# As a rule, directives are processed within the startup context. While they
# can affect the per transaction context they generally remain fixed during the
# execution of ModSecurity.
#
# As a result if one wanted to disable a rule at bootup the SecRuleRemoveById
# directive or one of its siblings would have to be placed AFTER the rule is
# listed, otherwise it will not have knowledge of the rules existence (since
# these rules are read in at the same time). This means that when using
# directives that effect SecRules, these exceptions should be placed AFTER all
# the existing rules. This is why RESPONSE-999-EXCLUSION-RULES-AFTER-CRS is
# designed such that it loads LAST.
#
# Conversely, ModSecurity supports several actions that can change the state of
# the underlying configuration during the per transaction context, this is when
# rules are being processed. Generally, these are accomplished by using the
# 'ctl' action. As these are part of a rule, they will be evaluated in the
# order rules are applied (by physical location, considering phases). As a
# result of this ordering a 'ctl' action should be placed with consideration to
# when it will be executed. This is particularly relevant for the 'ctl' options
# that involve modifying ID's (such as ruleRemoveById). In these cases it is
# important that such rules are placed BEFORE the rule ID they will affect.
# Unlike the setup context, by the time we process rules in the per-transaction
# context, we are already aware of all the rule ID's. It is by this logic that
# we include rules such as this BEFORE all the remaining rules. As a result
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS is designed to load FIRST.
#
# As a general rule:
# ctl:ruleEngine -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveById -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveTargetById -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveTargetByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveTargetByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
#
# SecRuleRemoveById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleRemoveByMsg -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleRemoveByTag -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleUpdateActionById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleUpdateTargetById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleUpdateTargetByMsg -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleUpdateTargetByTag -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
#
#
# What follows are a group of examples that show you how to perform rule
# exclusions.
#
#
# Example Exclusion Rule: Disable inspection for an authorized client
#
# This ruleset allows you to control how ModSecurity will handle traffic
# originating from Authorized Vulnerability Scanning (AVS) sources. See
# related blog post -
# http://blog.spiderlabs.com/2010/12/advanced-topic-of-the-week-handling-authorized-scanning-traffic.html
#
# White-list ASV network block (no blocking or logging of AVS traffic) Update
# IP network block as appropriate for your AVS traffic
#
# ModSec Rule Exclusion: Disable Rule Engine for known ASV IP
# SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
# "id:1000,\
# phase:1,\
# pass,\
# nolog,\
# ctl:ruleEngine=Off"
#
#
# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
# for an individual rule
#
# This rule shows how to conditionally exclude the "password"
# parameter for rule 942100 when the REQUEST_URI is /index.php
# ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection
#
# SecRule REQUEST_URI "@beginsWith /index.php" \
# "id:1001,\
# phase:1,\
# pass,\
# nolog,\
# ctl:ruleRemoveTargetById=942100;ARGS:password"
#
#
# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
# for only certain attacks
#
# Attack rules within the CRS are tagged, with tags such as 'attack-lfi',
# 'attack-sqli', 'attack-xss', 'attack-injection-php', et cetera.
#
# ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
# for all rules tagged attack-sqli
# SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
# "id:1002,\
# phase:2,\
# pass,\
# nolog,\
# ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:pwd"
#
# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
# for all CRS rules
#
# This rule illustrates that we can use tagging very effectively to whitelist a
# common false positive across an entire ModSecurity instance. This can be done
# because every rule in OWASP_CRS is tagged with OWASP_CRS. This will NOT
# affect custom rules.
#
# ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
# for all CRS rules
# SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
# "id:1003,\
# phase:2,\
# pass,\
# nolog,\
# ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd"
#
# Example Exclusion Rule: Removing a range of rules
#
# This rule illustrates that we can remove a rule range via a ctl action.
# This uses the fact, that rules are grouped by topic in rule files covering
# a certain id range.
#
# ModSecurity Rule Exclusion: Disable all SQLi and XSS rules
# SecRule REQUEST_FILENAME "@beginsWith /admin" \
# "id:1004,\
# phase:2,\
# pass,\
# nolog,\
# ctl:ruleRemoveById=941000-942999"
#
#
# The application specific rule exclusion files
# REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
# REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
# bring additional examples which can be useful then tuning a service.

424
confs/owasp-crs/REQUEST-901-INITIALIZATION.conf Normal file
View File

@ -0,0 +1,424 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# This file REQUEST-901-INITIALIZATION.conf initializes the Core Rules
# and performs preparatory actions. It also fixes errors and omissions
# of variable definitions in the file crs-setup.conf.
# The setup.conf can and should be edited by the user, this file
# is part of the CRS installation and should not be altered.
#
#
# -=[ Rules Version ]=-
#
# Rule version data is added to the "Producer" line of Section H of the Audit log:
#
# - Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.1.1.
#
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature
#
SecComponentSignature "OWASP_CRS/3.1.1"
#
# -=[ Default setup values ]=-
#
# The CRS checks the tx.crs_setup_version variable to ensure that the setup
# file is included at the correct time. This detects situations where
# necessary settings are not defined, for instance if the file
# inclusion order is incorrect, or if the user has forgotten to
# include the crs-setup.conf file.
#
# If you are upgrading from an earlier version of the CRS and you are
# getting this error, please make a new copy of the setup template
# crs-setup.conf.example to crs-setup.conf, and re-apply your policy
# changes. There have been many changes in settings syntax from CRS2
# to CRS3, so an old setup file may cause unwanted behavior.
#
# If you are not planning to use the crs-setup.conf template, you must
# manually set the tx.crs_setup_version variable before including
# the CRS rules/* files.
#
# The variable is a numerical representation of the CRS version number.
# E.g., v3.0.0 is represented as 300.
#
SecRule &TX:crs_setup_version "@eq 0" \
"id:901001,\
phase:1,\
deny,\
status:500,\
log,\
auditlog,\
msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions.',\
severity:'CRITICAL'"
#
# -=[ Default setup values ]=-
#
# Some constructs or individual rules will fail if certain parameters
# are not set in the setup.conf file. The following rules will catch
# these cases and assign sane default values.
#
# Default Inbound Anomaly Threshold Level (rule 900110 in setup.conf)
SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
"id:901100,\
phase:1,\
pass,\
nolog,\
setvar:'tx.inbound_anomaly_score_threshold=5'"
# Default Outbound Anomaly Threshold Level (rule 900110 in setup.conf)
SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
"id:901110,\
phase:1,\
pass,\
nolog,\
setvar:'tx.outbound_anomaly_score_threshold=4'"
# Default Paranoia Level (rule 900000 in setup.conf)
SecRule &TX:paranoia_level "@eq 0" \
"id:901120,\
phase:1,\
pass,\
nolog,\
setvar:'tx.paranoia_level=1'"
# Default Executing Paranoia Level (rule 900000 in setup.conf)
SecRule &TX:executing_paranoia_level "@eq 0" \
"id:901125,\
phase:1,\
pass,\
nolog,\
setvar:'tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}'"
# Default Sampling Percentage (rule 900400 in setup.conf)
SecRule &TX:sampling_percentage "@eq 0" \
"id:901130,\
phase:1,\
pass,\
nolog,\
setvar:'tx.sampling_percentage=100'"
# Default Anomaly Scores (rule 900100 in setup.conf)
SecRule &TX:critical_anomaly_score "@eq 0" \
"id:901140,\
phase:1,\
pass,\
nolog,\
setvar:'tx.critical_anomaly_score=5'"
SecRule &TX:error_anomaly_score "@eq 0" \
"id:901141,\
phase:1,\
pass,\
nolog,\
setvar:'tx.error_anomaly_score=4'"
SecRule &TX:warning_anomaly_score "@eq 0" \
"id:901142,\
phase:1,\
pass,\
nolog,\
setvar:'tx.warning_anomaly_score=3'"
SecRule &TX:notice_anomaly_score "@eq 0" \
"id:901143,\
phase:1,\
pass,\
nolog,\
setvar:'tx.notice_anomaly_score=2'"
# Default do_reput_block
SecRule &TX:do_reput_block "@eq 0" \
"id:901150,\
phase:1,\
pass,\
nolog,\
setvar:'tx.do_reput_block=0'"
# Default block duration
SecRule &TX:reput_block_duration "@eq 0" \
"id:901152,\
phase:1,\
pass,\
nolog,\
setvar:'tx.reput_block_duration=300'"
# Default HTTP policy: allowed_methods (rule 900200)
SecRule &TX:allowed_methods "@eq 0" \
"id:901160,\
phase:1,\
pass,\
nolog,\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
# Default HTTP policy: allowed_request_content_type (rule 900220)
SecRule &TX:allowed_request_content_type "@eq 0" \
"id:901162,\
phase:1,\
pass,\
nolog,\
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|text/plain'"
# Default HTTP policy: allowed_request_content_type_charset (rule 900270)
SecRule &TX:allowed_request_content_type_charset "@eq 0" \
"id:901168,\
phase:1,\
pass,\
nolog,\
setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'"
# Default HTTP policy: allowed_http_versions (rule 900230)
SecRule &TX:allowed_http_versions "@eq 0" \
"id:901163,\
phase:1,\
pass,\
nolog,\
setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
# Default HTTP policy: restricted_extensions (rule 900240)
SecRule &TX:restricted_extensions "@eq 0" \
"id:901164,\
phase:1,\
pass,\
nolog,\
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
# Default HTTP policy: restricted_headers (rule 900250)
SecRule &TX:restricted_headers "@eq 0" \
"id:901165,\
phase:1,\
pass,\
nolog,\
setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /translate/ /if/'"
# Default HTTP policy: static_extensions (rule 900260)
SecRule &TX:static_extensions "@eq 0" \
"id:901166,\
phase:1,\
pass,\
nolog,\
setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
# Default enforcing of body processor URLENCODED
SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \
"id:901167,\
phase:1,\
pass,\
nolog,\
setvar:'tx.enforce_bodyproc_urlencoded=0'"
#
# -=[ Initialize internal variables ]=-
#
# Initialize anomaly scoring variables.
# All _score variables start at 0, and are incremented by the various rules
# upon detection of a possible attack.
# sql_error_match is used for shortcutting rules for performance reasons.
SecAction \
"id:901200,\
phase:1,\
pass,\
t:none,\
nolog,\
setvar:'tx.anomaly_score=0',\
setvar:'tx.anomaly_score_pl1=0',\
setvar:'tx.anomaly_score_pl2=0',\
setvar:'tx.anomaly_score_pl3=0',\
setvar:'tx.anomaly_score_pl4=0',\
setvar:'tx.sql_injection_score=0',\
setvar:'tx.xss_score=0',\
setvar:'tx.rfi_score=0',\
setvar:'tx.lfi_score=0',\
setvar:'tx.rce_score=0',\
setvar:'tx.php_injection_score=0',\
setvar:'tx.http_violation_score=0',\
setvar:'tx.session_fixation_score=0',\
setvar:'tx.inbound_anomaly_score=0',\
setvar:'tx.outbound_anomaly_score=0',\
setvar:'tx.outbound_anomaly_score_pl1=0',\
setvar:'tx.outbound_anomaly_score_pl2=0',\
setvar:'tx.outbound_anomaly_score_pl3=0',\
setvar:'tx.outbound_anomaly_score_pl4=0',\
setvar:'tx.sql_error_match=0'"
#
# -=[ Initialize collections ]=-
#
# Create both Global and IP collections for rules to use.
# There are some CRS rules that assume that these two collections
# have already been initiated.
#
SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \
"id:901318,\
phase:1,\
pass,\
t:none,t:sha1,t:hexEncode,\
nolog,\
setvar:'tx.ua_hash=%{MATCHED_VAR}'"
SecAction \
"id:901321,\
phase:1,\
pass,\
t:none,\
nolog,\
initcol:global=global,\
initcol:ip=%{remote_addr}_%{tx.ua_hash},\
setvar:'tx.real_ip=%{remote_addr}'"
#
# -=[ Initialize Correct Body Processing ]=-
#
# Force request body variable and optionally request body processor
#
# Force body variable
SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
"id:901340,\
phase:1,\
pass,\
nolog,\
noauditlog,\
msg:'Enabling body inspection',\
tag:'paranoia-level/1',\
ctl:forceRequestBodyVariable=On,\
ver:'OWASP_CRS/3.1.1'"
# Force body processor URLENCODED
SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
"id:901350,\
phase:1,\
pass,\
t:none,t:urlDecodeUni,\
nolog,\
noauditlog,\
msg:'Enabling forced body inspection for ASCII content',\
ver:'OWASP_CRS/3.1.1',\
chain"
SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
"ctl:requestBodyProcessor=URLENCODED"
#
# -=[ Easing In / Sampling Percentage ]=-
#
# This is used to send only a limited percentage of requests into the Core
# Rule Set. The selection is based on TX.sampling_percentage and a pseudo
# random number calculated below.
#
# Use this to ease into a new Core Rules installation with an existing
# productive service.
#
# See
# https://www.netnea.com/cms/2016/04/26/easing-in-conditional-modsecurity-rule-execution-based-on-pseudo-random-numbers/
#
#
# Generate the pseudo random number
#
# ATTENTION: This is no cryptographically secure random number. It's just
# a cheap way to get some random number suitable for sampling.
#
# We take the entropy contained in the UNIQUE_ID. We hash that variable and
# take the first integer numbers out of it. Theoretically, it is possible
# there are no integers in a sha1 hash. We make sure we get two
# integer numbers by taking the last two digits from the DURATION counter
# (in microseconds).
# Finally, leading zeros are removed from the two-digit random number.
#
SecRule TX:sampling_percentage "@eq 100" \
"id:901400,\
phase:1,\
pass,\
nolog,\
skipAfter:END-SAMPLING"
SecRule UNIQUE_ID "@rx ^." \
"id:901410,\
phase:1,\
pass,\
t:sha1,t:hexEncode,\
nolog,\
setvar:'TX.sampling_rnd100=%{MATCHED_VAR}'"
SecRule DURATION "@rx (..)$" \
"id:901420,\
phase:1,\
pass,\
capture,\
nolog,\
setvar:'TX.sampling_rnd100=%{TX.sampling_rnd100}%{TX.1}'"
SecRule TX:sampling_rnd100 "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
"id:901430,\
phase:1,\
pass,\
capture,\
nolog,\
setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'"
SecRule TX:sampling_rnd100 "@rx ^0([0-9])" \
"id:901440,\
phase:1,\
pass,\
capture,\
nolog,\
setvar:'TX.sampling_rnd100=%{TX.1}'"
#
# Sampling decision
#
# If a request is allowed to pass without being checked by the CRS, there is no
# entry in the audit log (for performance reasons), but an error log entry is
# being written. If you want to disable the error log entry, then issue the
# following directive somewhere after the inclusion of the CRS
# (E.g., RESPONSE-999-EXCEPTIONS.conf).
#
# SecRuleUpdateActionById 901450 "nolog"
#
SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \
"id:901450,\
phase:1,\
pass,\
log,\
noauditlog,\
msg:'Sampling: Disable the rule engine based on sampling_percentage \
%{TX.sampling_percentage} and random number %{TX.sampling_rnd100}.',\
ctl:ruleEngine=Off"
SecMarker "END-SAMPLING"
#
# Configuration Plausibility Checks
#
# Make sure executing paranoia level is not lower than paranoia level
SecRule TX:executing_paranoia_level "@lt %{tx.paranoia_level}" \
"id:901500,\
phase:1,\
deny,\
status:500,\
t:none,\
log,\
msg:'Executing paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting.'"

382
confs/owasp-crs/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf Normal file
View File

@ -0,0 +1,382 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
# These exclusions remedy false positives in a default Drupal install.
# The exclusions are only active if crs_exclusions_drupal=1 is set.
# See rule 900130 in crs-setup.conf.example for instructions.
#
# [ POLICY ]
#
# Drupal is a complex application that is hard to secure with the CRS. This set
# of exclusion rules aims to sanitise the CRS in a way that allows a default
# Drupal setup to be installed and configured without much hassle as far as
# ModSecurity and the CRS are concerned.
#
# The exclusion rules are fairly straight forward in the sense that they
# disable CRS on a set of well-known parameter fields that are often the source
# of false positives / false alarms of the CRS. This includes namely the
# session cookie, the password fields and article/node bodies.
#
# This is based on two assumptions: - You have a basic trust in your
# authenticated users who are allowed to edit nodes. - Drupal allows html
# content in nodes and it protects your users from attacks via these fields.
#
# If you think these assumptions are wrong or if you would prefer a more
# careful/secure approach, you can disable the exclusion rules handling of said
# node body false positives. Do this by placing the following directive in
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.
#
# SecRuleRemoveById 9001200-9001299
#
# This will mean the CRS remain intact for the editing of node bodies.
#
# The exclusion rules in this file work without the need to define a Drupal
# installation path prefix. Instead they look at the URI from the end - or
# they use regular expressions when targeting dynamic URL. This is all not
# totally foolproof. In some cases, an advanced attacker might be able to
# doctor a request in a way that one of these exclusion rules is triggered
# and the request will bypass all further inspection despite not being a
# Drupal request at all. These exclusion rules could thus be leveraged to
# disable the CRS completely. This is why these rules are off by default.
#
# The CRS rules covered by this ruleset are the rules with Paranoia Level 1 and
# 2. If you chose to run Paranoia Level 3 or 4, you will be facing additional
# false positives which you need to handle yourself.
#
# This set of exclusion rules does not cover any additional Drupal modules
# outside of core.
#
# The exclusion rules are based on Drupal 8.1.10.
#
# And finally: This set of exclusion rules is in an experimental state. If you
# encounter false positives with the basic Drupal functionality and they are
# not covered by this rule file, then please report them. The aim is to be able
# to install and run Drupal core in a seamless manner protected by
# ModSecurity / CRS up to the paranoia level 2.
SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
"id:9001000,\
phase:2,\
pass,\
t:none,\
nolog,\
skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
# [ Table of Contents ]
#
# 9001100 Session Cookie
# 9001110 Password
# 9001120 FREE for use
# 9001130 FREE for use
# 9001140 Content and Descriptions
# 9001150 FREE for use
# 9001160 Form Token
# 9001170 Text Formats and Editors
# 9001180 WYSIWYG/CKEditor Assets and Upload
# 9001190 FREE for use
# 9001200 Content and Descriptions
#
# The rule id range from 9001200 to 9001999 is reserved for future
# use (Drupal plugins / modules).
# [ Session Cookie ]
#
# Giving the session cookie a dynamic name is most unfortunate
# from a ModSecurity perspective. The rule language does not allow
# us to disable rules in a granular way for individual cookies with
# dynamic names. So we need to disable rule causing false positives
# for all cookies and their names.
#
# Rule Exclusion Session Cookie: 942450 SQL Hex Encoding Identified
#
SecAction "id:9001100,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES_NAMES,\
ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES"
#
# [ Password ]
#
# Disable the CRS completely for all occurrences of passwords.
#
SecRule REQUEST_FILENAME "@endsWith /core/install.php" \
"id:9001110,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:account[pass][pass1],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:account[pass][pass2]"
SecRule REQUEST_FILENAME "@endsWith /user/login" \
"id:9001112,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass"
SecRule REQUEST_FILENAME "@endsWith /admin/people/create" \
"id:9001114,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass1],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass2]"
SecRule REQUEST_FILENAME "@rx /user/[0-9]+/edit$" \
"id:9001116,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:current_pass,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass1],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass2]"
#
# [ Admin Settings (general) ]
#
# Disable known false positives for various fields used on admin pages.
#
# Rule Exclusion: 920271 Invalid character in request on multiple fields/paths
# Rule Exclusion: 942430 Restricted SQL Character Anomaly Detection (args)
# Disabled completely for admin/config pages
# For the people/accounts page, we disable the CRS completely for a number of
# freeform text fields.
#
SecRule REQUEST_FILENAME "@contains /admin/config/" \
"id:9001122,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveById=942430"
SecRule REQUEST_FILENAME "@endsWith /admin/config/people/accounts" \
"id:9001124,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveById=920271,\
ctl:ruleRemoveById=942440,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_cancel_confirm_body,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_password_reset_body,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_register_admin_created_body,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_register_no_approval_required_body,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_register_pending_approval_body,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_status_activated_body,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_status_blocked_body,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_status_canceled_body"
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/configuration/single/import" \
"id:9001126,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveById=920271,\
ctl:ruleRemoveById=942440"
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
"id:9001128,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveById=942440"
#
#
# [ Content and Descriptions ]
#
# Disable known false positives for field "ids[]".
#
# Rule Exclusion: 942130 SQL Injection Attack: SQL Tautology Detected
#
SecRule REQUEST_FILENAME "@endsWith /contextual/render" \
"id:9001140,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetById=942130;ARGS:ids[]"
#
# [ Form Token / Build ID ]
#
# Rule Exclusion for form_build_id: 942440 SQL Comment Sequence Detected on ...
# Rule Exclusion for form_token: 942450 SQL Hex Encoding
# Rule Exclusion for form_build_id: 942450 SQL Hex Encoding
#
# This is applied site-wide.
#
SecAction "id:9001160,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetById=942440;ARGS:form_build_id,\
ctl:ruleRemoveTargetById=942450;ARGS:form_token,\
ctl:ruleRemoveTargetById=942450;ARGS:form_build_id"
#
# [ Text Formats and Editors ]
#
# Disable the CRS completely for two fields triggering many, many rules
#
# Rule Exclusion for two fields: 942440 SQL Comment Sequence Detected
#
SecRule REQUEST_FILENAME "@endsWith /admin/config/content/formats/manage/full_html" \
"id:9001170,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:editor[settings][toolbar][button_groups],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:filters[filter_html][settings][allowed_html]"
#
# [ WYSIWYG/CKEditor Assets and Upload ]
#
# Disable the unnecessary requestBodyAccess and for binary uploads
# bigger than an arbitrary limit of 31486341 bytes.
#
# Extensive checks make sure these uploads are really legitimate.
#
SecRule REQUEST_METHOD "@streq POST" \
"id:9001180,\
phase:1,\
pass,\
t:none,\
nolog,\
noauditlog,\
chain"
SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \
"chain"
SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
"ctl:requestBodyAccess=Off"
SecRule REQUEST_METHOD "@streq POST" \
"id:9001182,\
phase:1,\
pass,\
t:none,\
nolog,\
noauditlog,\
chain"
SecRule REQUEST_FILENAME "@rx /admin/content/assets/manage/[0-9]+$" \
"chain"
SecRule ARGS:destination "@streq admin/content/assets" \
"chain"
SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
"chain"
SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
"ctl:requestBodyAccess=Off"
SecRule REQUEST_METHOD "@streq POST" \
"id:9001184,\
phase:1,\
pass,\
t:none,\
nolog,\
noauditlog,\
chain"
SecRule REQUEST_FILENAME "@rx /file/ajax/field_asset_[a-z0-9_]+/[ua]nd/0/form-[a-z0-9A-Z_-]+$" \
"chain"
SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
"chain"
SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
"chain"
SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
"ctl:requestBodyAccess=Off"
#
# [ Content and Descriptions ]
#
# Disable the CRS completely for node bodies and other free text fields.
# Other rules are disabled individually.
#
# Rule Exclusion for ARGS:uid[0][target_id]: 942410 SQL Injection Attack
# Rule Exclusion for ARGS:destination: 932110 RCE: Windows Command Inj.
#
SecRule REQUEST_FILENAME "@endsWith /node/add/article" \
"id:9001200,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value],\
ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id]"
SecRule REQUEST_FILENAME "@endsWith /node/add/page" \
"id:9001202,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value],\
ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id]"
SecRule REQUEST_FILENAME "@rx /node/[0-9]+/edit$" \
"id:9001204,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value],\
ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\
ctl:ruleRemoveTargetById=932110;ARGS:destination"
SecRule REQUEST_FILENAME "@endsWith /block/add" \
"id:9001206,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value]"
SecRule REQUEST_FILENAME "@endsWith /admin/structure/block/block-content/manage/basic" \
"id:9001208,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:description"
SecRule REQUEST_FILENAME "@rx /editor/filter_xss/(?:full|basic)_html$" \
"id:9001210,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:value"
SecRule REQUEST_FILENAME "@rx /user/[0-9]+/contact$" \
"id:9001212,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:message[0][value]"
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
"id:9001214,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:maintenance_mode_message"
SecRule REQUEST_FILENAME "@endsWith /admin/config/services/rss-publishing" \
"id:9001216,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:feed_description"
SecMarker "END-DRUPAL-RULE-EXCLUSIONS"

639
confs/owasp-crs/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf Normal file
View File

@ -0,0 +1,639 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
# These exclusions remedy false positives in a default WordPress install.
# The exclusions are only active if crs_exclusions_wordpress=1 is set.
# See rule 900130 in crs-setup.conf.example for instructions.
#
# Note that the WordPress comment field itself is currently NOT excluded
# from checking. The reason is that malicious content is regularly being
# posted to WordPress comment forms, and there have been various cases
# of XSS and even RCE vulnerabilities exploited by WordPress comments.
SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
"id:9002000,\
phase:1,\
pass,\
t:none,\
nolog,\
skipAfter:END-WORDPRESS"
SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
"id:9002001,\
phase:2,\
pass,\
t:none,\
nolog,\
skipAfter:END-WORDPRESS"
#
# -=[ WordPress Front-End ]=-
#
#
# [ Login form ]
#
# User login password
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
"id:9002100,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd"
# Reset password
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
"id:9002120,\
phase:2,\
pass,\
t:none,\
nolog,\
chain"
SecRule ARGS:action "@streq resetpass" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"
#
# [ Comments ]
#
# Post comment
SecRule REQUEST_FILENAME "@endsWith /wp-comments-post.php" \
"id:9002130,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=931130;ARGS:url"
#
# [ Live preview ]
# Used when an administrator customizes the site and previews the result
# as a normal user.
#
# Theme select
# Example: wp_customize=on&theme=twentyfifteen&customized=
# {"old_sidebars_widgets_data":{"wp_inactive_widgets":[],
# "sidebar-1":["search-2","recent-posts-2","recent-comments-2",
# "archives-2","categories-2","meta-2"]}}&nonce=XXX&
# customize_messenger_channel=preview-0
SecRule ARGS:wp_customize "@streq on" \
"id:9002150,\
phase:2,\
pass,\
t:none,\
nolog,\
chain"
SecRule &ARGS:action "@eq 0" \
"t:none,\
ctl:ruleRemoveTargetById=942200;ARGS:customized,\
ctl:ruleRemoveTargetById=942260;ARGS:customized,\
ctl:ruleRemoveTargetById=942300;ARGS:customized,\
ctl:ruleRemoveTargetById=942330;ARGS:customized,\
ctl:ruleRemoveTargetById=942340;ARGS:customized,\
ctl:ruleRemoveTargetById=942370;ARGS:customized,\
ctl:ruleRemoveTargetById=942430;ARGS:customized,\
ctl:ruleRemoveTargetById=942431;ARGS:customized,\
ctl:ruleRemoveTargetById=942460;ARGS:customized"
# Appearance -> Widgets -> Live Preview
SecRule ARGS:wp_customize "@streq on" \
"id:9002160,\
phase:2,\
pass,\
t:none,\
nolog,\
chain"
SecRule ARGS:action "@rx ^(?:|customize_save|update-widget)$" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetById=942200;ARGS:customized,\
ctl:ruleRemoveTargetById=942260;ARGS:customized,\
ctl:ruleRemoveTargetById=942300;ARGS:customized,\
ctl:ruleRemoveTargetById=942330;ARGS:customized,\
ctl:ruleRemoveTargetById=942340;ARGS:customized,\
ctl:ruleRemoveTargetById=942370;ARGS:customized,\
ctl:ruleRemoveTargetById=942430;ARGS:customized,\
ctl:ruleRemoveTargetById=942431;ARGS:customized,\
ctl:ruleRemoveTargetById=942460;ARGS:customized,\
ctl:ruleRemoveTargetById=920230;ARGS:partials,\
ctl:ruleRemoveTargetById=941320;ARGS:partials,\
ctl:ruleRemoveTargetById=942180;ARGS:partials,\
ctl:ruleRemoveTargetById=942200;ARGS:partials,\
ctl:ruleRemoveTargetById=942260;ARGS:partials,\
ctl:ruleRemoveTargetById=942330;ARGS:partials,\
ctl:ruleRemoveTargetById=942340;ARGS:partials,\
ctl:ruleRemoveTargetById=942370;ARGS:partials,\
ctl:ruleRemoveTargetById=942430;ARGS:partials,\
ctl:ruleRemoveTargetById=942431;ARGS:partials,\
ctl:ruleRemoveTargetById=942460;ARGS:partials"
# Self calls to wp-cron.php?doing_wp_cron=[timestamp]
# These requests may be missing Accept, Content-Length headers.
# This rule must run in phase:1.
SecRule REQUEST_FILENAME "@endsWith /wp-cron.php" \
"id:9002200,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveById=920180,\
ctl:ruleRemoveById=920300"
#
# [ Cookies ]
# WP Session Manager
# Cookie: _wp_session=[hex]||[timestamp]||[timestamp]
# detected SQLi using libinjection with fingerprint 'n&1'
SecRule REQUEST_COOKIES:_wp_session "@rx ^[0-9a-f]+\|\|\d+\|\|\d+$" \
"id:9002300,\
phase:1,\
pass,\
t:none,\
nolog,\
chain"
SecRule &REQUEST_COOKIES:_wp_session "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:_wp_session"
#
# -=[ WordPress Administration Back-End (wp-admin) ]=-
#
# Skip this section for performance unless /wp-admin/ is in filename
SecRule REQUEST_FILENAME "!@contains /wp-admin/" \
"id:9002400,\
phase:1,\
pass,\
t:none,\
nolog,\
skipAfter:END-WORDPRESS-ADMIN"
SecRule REQUEST_FILENAME "!@contains /wp-admin/" \
"id:9002401,\
phase:2,\
pass,\
t:none,\
nolog,\
skipAfter:END-WORDPRESS-ADMIN"
#
# [ Installation ]
#
# WordPress installation: exclude database password
SecRule REQUEST_FILENAME "@endsWith /wp-admin/setup-config.php" \
"id:9002410,\
phase:2,\
pass,\
t:none,\
nolog,\
chain"
SecRule ARGS:step "@streq 2" \
"t:none,\
chain"
SecRule &ARGS:step "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd"
# WordPress installation: exclude admin password
SecRule REQUEST_FILENAME "@endsWith /wp-admin/install.php" \
"id:9002420,\
phase:2,\
pass,\
t:none,\
nolog,\
chain"
SecRule ARGS:step "@streq 2" \
"t:none,\
chain"
SecRule &ARGS:step "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:admin_password,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:admin_password2,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text"
#
# [ User management ]
#
# Edit logged-in user
SecRule REQUEST_FILENAME "@endsWith /wp-admin/profile.php" \
"id:9002520,\
phase:2,\
pass,\
t:none,\
nolog,\
chain"
SecRule ARGS:action "@streq update" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetById=931130;ARGS:url,\
ctl:ruleRemoveTargetById=931130;ARGS:facebook,\
ctl:ruleRemoveTargetById=931130;ARGS:googleplus,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"
# Edit user
SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-edit.php" \
"id:9002530,\
phase:2,\
pass,\
t:none,\
nolog,\
chain"
SecRule ARGS:action "@streq update" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetById=931130;ARGS:url,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"
# Create user
SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-new.php" \
"id:9002540,\
phase:2,\
pass,\
t:none,\
nolog,\
chain"
SecRule ARGS:action "@streq createuser" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetById=931130;ARGS:url,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"
#
# [ General exclusions ]
#
# _wp_http_referer and wp_http_referer are passed on a lot of wp-admin pages
SecAction \
"id:9002600,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=920230;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=931130;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=932150;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=941100;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942130;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942200;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942260;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942431;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=920230;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=931130;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=932150;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=941100;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942130;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942200;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942260;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942431;ARGS:wp_http_referer"
#
# [ Content editing ]
#
# Edit posts and pages
# /wp-admin/post.php, /wp-admin/post.php?t=[timestamp]
# - Themes do not properly escape post_title in HTML, so beware of XSS
# and be conservative in excluding this parameter.
# - Parameter _wp_http_referer can appear multiple times.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" \
"id:9002700,\
phase:2,\
pass,\
t:none,\
nolog,\
chain"
SecRule ARGS:action "@rx ^(?:edit|editpost)$" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:post_title,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:content,\
ctl:ruleRemoveById=920272,\
ctl:ruleRemoveById=921180"
# Autosave posts and pages
# ARGS_NAMES:data[wp-check-locked-posts][] can appear multiple times
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
"id:9002710,\
phase:2,\
pass,\
t:none,\
nolog,\
chain"
SecRule ARGS:action "@streq heartbeat" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:data[wp_autosave][post_title],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:data[wp_autosave][content],\
ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-refresh-post-lock][post_id],\
ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-refresh-post-lock][lock],\
ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-check-locked-posts][],\
ctl:ruleRemoveById=921180,\
ctl:ruleRemoveById=920272"
# Edit menus
SecRule REQUEST_FILENAME "@endsWith /wp-admin/nav-menus.php" \
"id:9002720,\
phase:2,\
pass,\
t:none,\
nolog,\
chain"
SecRule ARGS:action "@streq update" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetById=942460;ARGS:menu-name,\
ctl:ruleRemoveTargetById=941330;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=941340;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=942200;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=942260;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=942330;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=942340;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=942430;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=942431;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=942460;ARGS:nav-menu-data"
# Edit text widgets (can contain custom HTML)
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
"id:9002730,\
phase:2,\
pass,\
t:none,\
nolog,\
chain"
SecRule ARGS:action "@rx ^(?:save-widget|update-widget)$" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[0][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[1][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[2][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[3][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[4][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[5][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[6][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[7][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[8][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[9][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[10][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[11][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[12][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[13][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[14][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[15][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[16][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[17][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[18][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[19][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[20][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[21][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[22][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[23][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[24][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[25][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[26][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[27][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[28][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[29][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[30][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[31][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[32][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[33][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[34][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[35][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[36][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[37][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[38][text],\
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[39][text]"
# Reorder widgets
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
"id:9002740,\
phase:2,\
pass,\
t:none,\
nolog,\
chain"
SecRule ARGS:action "@streq widgets-order" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-1],\
ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-1],\
ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-2],\
ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-2],\
ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-3],\
ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-3],\
ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-4],\
ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-4],\
ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-5],\
ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-5],\
ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-6],\
ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-6],\
ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-7],\
ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-7]"
# Create permalink sample for new post
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
"id:9002750,\
phase:2,\
pass,\
t:none,\
nolog,\
chain"
SecRule ARGS:action "@streq sample-permalink" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:new_title"
# Add external link to menu
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
"id:9002760,\
phase:2,\
pass,\
t:none,\
nolog,\
chain"
SecRule ARGS:action "@streq add-menu-item" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetById=931130;ARGS:menu-item[-1][menu-item-url]"
# Editor: Add Media, Insert Media, Insert into page
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
"id:9002770,\
phase:2,\
pass,\
t:none,\
nolog,\
chain"
SecRule ARGS:action "@streq send-attachment-to-editor" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:html"
#
# [ Options and Settings ]
#
# Change site URL
SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
"id:9002800,\
phase:2,\
pass,\
t:none,\
nolog,\
chain"
SecRule ARGS:option_page "@streq general" \
"t:none,\
chain"
SecRule &ARGS:option_page "@eq 1" \
"t:none,\
chain"
SecRule ARGS:action "@streq update" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetById=931130;ARGS:home,\
ctl:ruleRemoveTargetById=931130;ARGS:siteurl"
# Permalink settings
# permalink_structure=/index.php/%year%/%monthnum%/%day%/%postname%/
SecRule REQUEST_FILENAME "@endsWith /wp-admin/options-permalink.php" \
"id:9002810,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=920230;ARGS:selection,\
ctl:ruleRemoveTargetById=920272;ARGS:selection,\
ctl:ruleRemoveTargetById=942431;ARGS:selection,\
ctl:ruleRemoveTargetById=920230;ARGS:permalink_structure,\
ctl:ruleRemoveTargetById=920272;ARGS:permalink_structure,\
ctl:ruleRemoveTargetById=942431;ARGS:permalink_structure,\
ctl:ruleRemoveTargetById=920272;REQUEST_BODY"
# Comments blacklist and moderation list
SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
"id:9002820,\
phase:2,\
pass,\
t:none,\
nolog,\
chain"
SecRule ARGS:option_page "@streq discussion" \
"t:none,\
chain"
SecRule &ARGS:option_page "@eq 1" \
"t:none,\
chain"
SecRule ARGS:action "@streq update" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:blacklist_keys,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:moderation_keys"
#
# [ Helpers ]
#
# /wp-admin/load-scripts.php?c=0&load%5B%5D=hoverIntent,common,
# admin-bar,wp-ajax-response,jquery-color,wp-lists,quicktags,
# jquery-query,admin-comments,svg-painter,heartbeat,&load%5B%5D=
# wp-auth-check,wp-a11y,wplink,jquery-ui-core,jquery-ui-widget,
# jquery-ui-position,jquery-ui-menu,jquery-ui-autocomplete&ver=4.6.1
#
# /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons,
# admin-bar,buttons,media-views,common,forms,admin-menu,dashboard,
# list-tables,edit,revisions,media,themes,about,nav-menu&load%5B%5D=
# s,widgets,site-icon,l10n,wp-auth-check&ver=4.6.1
#
# /wp-admin/load-scripts.php?c=0&load%5B%5D=hoverIntent,common,
# admin-bar,jquery-ui-widget,jquery-ui-position,wp-pointer,
# wp-ajax-response,jquery-color,wp-lists,quicktags,
# jqu&load%5B%5D=ery-query,admin-comments,jquery-ui-core,
# jquery-ui-mouse,jquery-ui-sortable,postbox,dashboard,underscore,
# customize-base,customize&load%5B%5D=-loader,thickbox,plugin-install,
# wp-util,wp-a11y,updates,shortcode,media-upload,svg-painter,
# jquery-ui-accordion&ver=3f9999390861a0133beda3ee8acf152e
SecRule REQUEST_FILENAME "@rx /wp-admin/load-(?:scripts|styles)\.php$" \
"id:9002900,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveById=921180,\
ctl:ruleRemoveTargetById=920273;ARGS_NAMES:load[],\
ctl:ruleRemoveTargetById=942432;ARGS_NAMES:load[],\
ctl:ruleRemoveTargetById=942360;ARGS:load[],\
ctl:ruleRemoveTargetById=942430;ARGS:load[],\
ctl:ruleRemoveTargetById=942431;ARGS:load[],\
ctl:ruleRemoveTargetById=942432;ARGS:load[]"
SecMarker "END-WORDPRESS-ADMIN"
SecMarker "END-WORDPRESS"

355
confs/owasp-crs/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf Normal file
View File

@ -0,0 +1,355 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
#
# ------------------------------------------------------------------------
# These exclusions remedy false positives in a default NextCloud install.
# They will likely work with OwnCloud too, but you may have to modify them.
# The exclusions are only active if crs_exclusions_nextcloud=1 is set.
# See rule 900130 in crs-setup.conf.example for instructions.
#
# To relax upload restrictions for only the php files that need it,
# you put something like this in crs-setup.conf:
#
# SecRule REQUEST_FILENAME "@rx /(?:remote.php|index.php)/" \
# "id:9003330,\
# phase:1,\
# t:none,\
# nolog,\
# pass,\
# tx.restricted_extensions='.bak/ .config/ .conf/'"
#
# Large uploads can be modified with SecRequestBodyLimit. Or they
# can be more controlled by using the following:
#
# SecRule REQUEST_URI "@endsWith /index.php/apps/files/ajax/upload.php" \
# "id:9003610,\
# phase:1,\
# t:none,\
# nolog,\
# ctl:requestBodyLimit=1073741824"
#
# ---------------------
SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \
"id:9003000,\
phase:1,\
pass,\
t:none,\
nolog,\
skipAfter:END-NEXTCLOUD"
SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \
"id:9003001,\
phase:2,\
pass,\
t:none,\
nolog,\
skipAfter:END-NEXTCLOUD"
#
# [ File Manager ]
#
#
# The web interface uploads files, and interacts with the user.
SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \
"id:9003100,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveByTag=attack-injection-php,\
ctl:ruleRemoveById=941000-942999,\
ctl:ruleRemoveById=951000-951999,\
ctl:ruleRemoveById=953100-953130,\
ctl:ruleRemoveById=920420,\
ctl:ruleRemoveById=920440"
# Skip PUT parsing for invalid encoding / protocol violations in binary files.
SecRule REQUEST_METHOD "@streq PUT" \
"id:9003105,\
phase:2,\
pass,\
t:none,\
nolog,\
chain"
SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \
"t:none,\
ctl:ruleRemoveById=920000-920999,\
ctl:ruleRemoveById=932000-932999,\
ctl:ruleRemoveById=921150,\
ctl:ruleRemoveById=930110,\
ctl:ruleRemoveById=930120"
# Allow the data type 'text/vcard'
SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
"id:9003110,\
phase:2,\
pass,\
t:none,\
nolog,\
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|text/vcard'"
# Allow the data type 'application/octet-stream'
SecRule REQUEST_METHOD "@rx ^(?:PUT|MOVE)$" \
"id:9003115,\
phase:2,\
pass,\
t:none,\
nolog,\
chain"
SecRule REQUEST_FILENAME "@rx /remote\.php/dav/(?:files|uploads)/" \
"setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|application/octet-stream'"
# Allow data types like video/mp4
SecRule REQUEST_METHOD "@streq PUT" \
"id:9003116,\
phase:2,\
pass,\
t:none,\
nolog,\
chain"
SecRule REQUEST_FILENAME "@rx (?:/public\.php/webdav/|/remote\.php/dav/uploads/)" \
"ctl:ruleRemoveById=920340,\
ctl:ruleRemoveById=920420"
# Allow characters like /../ in files.
# Allow all kind of filetypes.
# Allow source code.
SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
"id:9003120,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveById=930100-930110,\
ctl:ruleRemoveById=951000-951999,\
ctl:ruleRemoveById=953100-953130,\
ctl:ruleRemoveById=920440"
# [ Searchengine ]
#
# NexCloud uses a search field for filename or content queries.
SecRule REQUEST_FILENAME "@contains /index.php/core/search" \
"id:9003125,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=attack-injection-php;ARGS:query,\
ctl:ruleRemoveTargetById=941000-942999;ARGS:query,\
ctl:ruleRemoveTargetById=932000-932999;ARGS:query"
# [ DAV ]
#
# NextCloud uses DAV methods with index.php and remote.php to do many things
# The default ones in ModSecurity are: GET HEAD POST OPTIONS
#
# Looking through the code, and via testing, I found these:
#
# File manager: PUT DELETE MOVE PROPFIND PROPPATCH
# Calendars: REPORT
# Others in the code or js files: PATCH MKCOL MOVE TRACE
# Others that I added just in case, and they seem related:
# CHECKOUT COPY LOCK MERGE MKACTIVITY UNLOCK.
SecRule REQUEST_FILENAME "@rx /(?:remote|index|public)\.php/" \
"id:9003130,\
phase:2,\
pass,\
t:none,\
nolog,\
setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT PATCH CHECKOUT COPY DELETE LOCK MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH UNLOCK REPORT TRACE jsonp'"
# We need to allow DAV methods for sharing files, and removing shares
# DELETE - when the share is removed
# PUT - when setting a password / expiration time
SecRule REQUEST_FILENAME "@rx /ocs/v[0-9]+\.php/apps/files_sharing/" \
"id:9003140,\
phase:2,\
pass,\
t:none,\
nolog,\
setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE'"
# [ Preview and Thumbnails ]
SecRule REQUEST_FILENAME "@contains /index.php/core/preview.png" \
"id:9003150,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=932150;ARGS:file"
# Filepreview for trashbin
SecRule REQUEST_FILENAME "@contains /index.php/apps/files_trashbin/ajax/preview.php" \
"id:9003155,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=932150;ARGS:file,\
ctl:ruleRemoveTargetById=942190;ARGS:file"
SecRule REQUEST_FILENAME "@rx /index\.php/(?:apps/gallery/thumbnails|logout$)" \
"id:9003160,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=941120;ARGS:requesttoken"
# [ Ownnote ]
SecRule REQUEST_FILENAME "@contains /index.php/apps/ownnote/" \
"id:9003300,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveById=941150"
# [ Text Editor ]
#
# This file can save anything, and it's name could be lots of things.
SecRule REQUEST_FILENAME "@contains /index.php/apps/files_texteditor/" \
"id:9003310,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:filecontents,\
ctl:ruleRemoveTargetById=921110-921160;ARGS:filecontents,\
ctl:ruleRemoveTargetById=932150;ARGS:filename,\
ctl:ruleRemoveTargetById=920370-920390;ARGS:filecontents,\
ctl:ruleRemoveTargetById=920370-920390;ARGS_COMBINED_SIZE"
# [ Address Book ]
#
# Allow the data type 'text/vcard'
SecRule REQUEST_FILENAME "@contains /remote.php/dav/addressbooks/" \
"id:9003320,\
phase:2,\
pass,\
t:none,\
nolog,\
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|text/vcard'"
# [ Calendar ]
#
# Allow the data type 'text/calendar'
SecRule REQUEST_FILENAME "@contains /remote.php/dav/calendars/" \
"id:9003330,\
phase:2,\
pass,\
t:none,\
nolog,\
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|text/calendar'"
# [ Notes ]
#
# We want to allow a lot of things as the user is
# allowed to note on anything.
SecRule REQUEST_FILENAME "@contains /index.php/apps/notes/" \
"id:9003340,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveByTag=attack-injection-php"
# [ Bookmarks ]
#
# Allow urls in data.
SecRule REQUEST_FILENAME "@contains /index.php/apps/bookmarks/" \
"id:9003350,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveById=931130"
#
# [ Login forms ]
#
# This removes checks on the 'password' and related fields:
# User login password.
SecRule REQUEST_FILENAME "@contains /index.php/login" \
"id:9003400,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=941100;ARGS:requesttoken,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:password"
# Reset password.
SecRule REQUEST_FILENAME "@endsWith /index.php/login" \
"id:9003410,\
phase:2,\
pass,\
t:none,\
nolog,\
chain"
SecRule ARGS:action "@streq resetpass" \
"t:none,\
chain"
SecRule &ARGS:action "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"
# Change Password and Setting up a new user/password
SecRule REQUEST_FILENAME "@endsWith /index.php/settings/users" \
"id:9003500,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:newuserpassword,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:password"
SecMarker "END-NEXTCLOUD-ADMIN"
SecMarker "END-NEXTCLOUD"

261
confs/owasp-crs/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf Normal file
View File

@ -0,0 +1,261 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
#
# ------------------------------------------------------------------------
# These exclusions remedy false positives in a default Dokuwiki install.
# The exclusions are only active if crs_exclusions_dokuwiki=1 is set.
# See rule 900130 in crs-setup.conf.example for instructions.
#
# Note, if you want to relax the upload restrictions,
# see rule 900240. For Dokuwiki you can limit the exception
# to the ajax.php file:
#
# SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php" ...
#
SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \
"id:9004000,\
phase:1,\
pass,\
t:none,\
nolog,\
skipAfter:END-DOKUWIKI"
SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \
"id:9004001,\
phase:2,\
pass,\
t:none,\
nolog,\
skipAfter:END-DOKUWIKI"
#
# -=[ Dokuwiki Front-End ]=-
#
# Note on files specified:
# /doku.php: shows pages, saves, edits, admin
# /lib/exe/ajax.php: autosave, uploads
#
# Allow pages to be edited, and ajax to save drafts.
#
# ARGS 'wikitext', 'suffix', and 'prefix' must allow the same things,
# as the page (in part or whole) is passed via 'suffix/prefix' at times.
# attack-protocol (921110-921160/920230): Allows odd characters on the page.
# CRS: (still need attack-protocol specified.)
# attack-injection-php (930000-933999): Allows code on page.
# attack-sqli (940000-942999): Allows SQL expressions on page.
#
# Others:
# 930100-930110;REQUEST_BODY: if there's a /../ in the text.
#
# ARGS:summary (the text in the 'summary' box on page edits.):
# Allowing 930120-930130 lets user save summaries with
# system file names. This should not be needed in normal
# use. But leaving a note here of how to allow in rule below:
# ctl:ruleRemoveTargetById=930120;ARGS:summary
# ctl:ruleRemoveTargetById=930130;ARGS:summary
#
# Also, can't specify:
# SecRule ARGS:do "@streq edit" \
# SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php"\
# because at times the do=edit can get dropped, so if we use
# above the edit will get blocked when the page is saved.
# Hint: those using .htaccess rewrites can remove/replace
# this first 'SecRule...' line with 'SecAction \' (unsupported).
SecRule REQUEST_FILENAME "@rx (?:/doku.php|/lib/exe/ajax.php)$" \
"id:9004100,\
phase:2,\
pass,\
t:none,\
nolog,\
chain"
SecRule REQUEST_METHOD "@streq POST" \
"t:none,\
chain"
SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \
"t:none,\
ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:wikitext,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:wikitext,\
ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:suffix,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:suffix,\
ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:prefix,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:prefix,\
ctl:ruleRemoveTargetById=930100-930110;REQUEST_BODY"
# Allow it to upload files. But check for cookies just to make sure.
SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php"\
"id:9004110,\
phase:2,\
pass,\
t:none,\
nolog,\
noauditlog,\
chain"
SecRule REQUEST_METHOD "@streq POST" \
"t:none,\
chain"
SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \
"t:none,\
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|application/octet-stream'"
# Show the index, even if things like "postgresql" or other things show up.
SecRule REQUEST_FILENAME "@endsWith /doku.php"\
"id:9004130,\
phase:2,\
pass,\
t:none,\
nolog,\
noauditlog,\
chain"
SecRule ARGS:do "@streq index" \
"t:none,\
chain"
SecRule &ARGS:do "@eq 1" \
"t:none,\
ctl:ruleRemoveById=951240,\
ctl:ruleRemoveById=953110"
#
# [ Login form ]
#
# Turn off checks for password.
SecRule REQUEST_FILENAME "@endsWith /doku.php" \
"id:9004200,\
phase:2,\
pass,\
t:none,\
nolog,\
noauditlog,\
chain"
SecRule ARGS:do "@streq login" \
"t:none,\
chain"
SecRule &ARGS:do "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:p"
#
# [ Admin Area ]
#
# Skip this section for performance unless do=admin is in request
SecRule ARGS:do "!@streq admin" \
"id:9004300,\
phase:1,\
pass,\
t:none,\
nolog,\
skipAfter:END-DOKUWIKI-ADMIN"
SecRule ARGS:do "!@streq admin" \
"id:9004310,\
phase:2,\
pass,\
t:none,\
nolog,\
skipAfter:END-DOKUWIKI-ADMIN"
# [ Reset password ]
#
# Turn off checks for pass1, pass1-text, pass2
SecRule REQUEST_FILENAME "@endsWith /doku.php" \
"id:9004320,\
phase:2,\
pass,\
t:none,\
nolog,\
noauditlog,\
chain"
SecRule ARGS:do "@streq login" \
"t:none,\
chain"
SecRule &ARGS:do "@eq 1" \
"t:none,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"
# [ Save config ]
#
# Allow the config to be saved:
# 942200: If the user adds "..." to tagline: ARGS:config[tagline]
# 942430: if ARGS:config[hidepages] has pages looking like sql statements
# 942430,942440: "--- //[[@MAIL@|@NAME@]] @DATE@//"]" in ARGS:config[signature]
SecRule REQUEST_FILENAME "@endsWith /doku.php" \
"id:9004370,\
phase:2,\
pass,\
t:none,\
nolog,\
noauditlog,\
chain"
SecRule ARGS:page "@streq config" \
"t:none,\
chain"
SecRule &ARGS:page "@eq 1" \
"t:none,\
chain"
SecRule REQUEST_METHOD "@streq POST" \
"t:none,\
chain"
SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \
"t:none,\
ctl:ruleRemoveTargetById=920230;ARGS:config[dformat],\
ctl:ruleRemoveTargetById=942200;ARGS:config[tagline],\
ctl:ruleRemoveTargetById=942430;ARGS:config[hidepages],\
ctl:ruleRemoveTargetById=942430-942440;ARGS:config[signature]"
# When the config loads after a save, it gets blocked because
# it has 'readdir' and lines that look like sql
# 942430,942440: "--- //[[@MAIL@|@NAME@]] @DATE@//"]" in ARGS:config[signature]
# 951240,953110: When the page reloads, it triggers
# postgress and php code disclosure rules.
SecRule REQUEST_FILENAME "@endsWith /doku.php" \
"id:9004380,\
phase:2,\
pass,\
t:none,\
nolog,\
noauditlog,\
chain"
SecRule ARGS:page "@streq config" \
"t:none,\
chain"
SecRule &ARGS:page "@eq 1" \
"t:none,\
chain"
SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \
"t:none,\
ctl:ruleRemoveById=951240,\
ctl:ruleRemoveById=953110"
# End [ Admin Area ]
SecMarker "END-DOKUWIKI-ADMIN"
SecMarker "END-DOKUWIKI"

60
confs/owasp-crs/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf Normal file
View File

@ -0,0 +1,60 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
# These exclusions remedy false positives in a default cPanel environment.
# The exclusions are only active if crs_exclusions_cpanel=1 is set.
# See rule 900130 in crs-setup.conf.example for instructions.
SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \
"id:9005000,\
phase:1,\
pass,\
t:none,\
nolog,\
skipAfter:END-CPANEL"
SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \
"id:9005001,\
phase:2,\
pass,\
t:none,\
nolog,\
skipAfter:END-CPANEL"
#
# [ cPanel whm-server-status ]
#
# Cpanel's WHM auto generates requests to /whm-server-status from
# 127.0.0.1 (triggers rule 920280, non-blocking, log only) Once every 5 minutes.
# These false positives have a low impact (logged, non-blocking) to a large number of users (all cPanel admins).
#
#
# Rule to allow cPanel whm-server-status requests from localhost without log entry.
#
SecRule REQUEST_LINE "@rx ^GET /whm-server-status(?:/|/\?auto)? HTTP/[12]\.[01]$" \
"id:9005100,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-apache',\
tag:'attack-generic',\
chain"
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
"t:none,\
ctl:ruleRemoveById=920280,\
ctl:ruleRemoveById=920350"
SecMarker "END-CPANEL"

52
confs/owasp-crs/REQUEST-905-COMMON-EXCEPTIONS.conf Normal file
View File

@ -0,0 +1,52 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
# This file is used as an exception mechanism to remove common false positives
# that may be encountered.
#
# Exception for Apache SSL pinger
#
SecRule REQUEST_LINE "@streq GET /" \
"id:905100,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-apache',\
tag:'attack-generic',\
chain"
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
"t:none,\
ctl:ruleEngine=Off,\
ctl:auditEngine=Off"
#
# Exception for Apache internal dummy connection
#
SecRule REQUEST_LINE "@rx ^(?:GET /|OPTIONS \*) HTTP/[12]\.[01]$" \
"id:905110,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-apache',\
tag:'attack-generic',\
chain"
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
"t:none,\
chain"
SecRule REQUEST_HEADERS:User-Agent "@rx ^.*\(internal dummy connection\)$" \
"t:none,\
ctl:ruleEngine=Off,\
ctl:auditEngine=Off"

311
confs/owasp-crs/REQUEST-910-IP-REPUTATION.conf Normal file
View File

@ -0,0 +1,311 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:910011,phase:1,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:910012,phase:2,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ IP Reputation Block Flag Check ]=-
#
# The first check we do is to see if the client IP address has already
# been blacklisted by rules from previous requests.
#
# If the rule matches, it will do a skipAfter and pick up processing
# at the end of the request phase for actual blocking.
#
SecRule TX:DO_REPUT_BLOCK "@eq 1" \
"id:910000,\
phase:2,\
block,\
t:none,\
msg:'Request from Known Malicious Client (Based on previous traffic violations).',\
logdata:'Previous Block Reason: %{ip.reput_block_reason}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
tag:'IP_REPUTATION/MALICIOUS_CLIENT',\
setvar:'tx.msg=%{rule.msg}',\
severity:'CRITICAL',\
chain,\
skipAfter:BEGIN-REQUEST-BLOCKING-EVAL"
SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
#
# -=[ GeoIP Checks ]=-
#
# This rule requires activating the SecGeoLookupDB directive
# in the crs-setup.conf file and specifying
# the list of blocked countries (tx.high_risk_country_codes).
#
# This rule does a GeoIP resolution on the client IP address.
#
SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
"id:910100,\
phase:2,\
block,\
t:none,\
msg:'Client IP is from a HIGH Risk Country Location.',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
severity:'CRITICAL',\
chain"
SecRule TX:REAL_IP "@geoLookup" \
"chain"
SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}" \
"setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
#
# -=[ IP Reputation Checks ]=-
#
# ModSecurity Rules from Trustwave SpiderLabs: IP Blacklist Alert
# Ref: http://www.modsecurity.org/projects/commercial/rules/
#
# This rule checks the client IP address against a list of recent IPs captured
# from the SpiderLabs web honeypot systems (last 48 hours).
#
#SecRule TX:REAL_IP "@ipMatchFromFile ip_blacklist.data" \
# "id:910110,\
# phase:2,\
# block,\
# t:none,\
# msg:'Client IP in Trustwave SpiderLabs IP Reputation Blacklist.',\
# tag:'application-multi',\
# tag:'language-multi',\
# tag:'platform-multi',\
# tag:'attack-reputation-ip',\
# severity:'CRITICAL',\
# setvar:'tx.msg=%{rule.msg}',\
# setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
# setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
# setvar:'ip.reput_block_flag=1',\
# setvar:'ip.reput_block_reason=%{rule.msg}',\
# expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
#
# First check if we have already run an @rbl check for this IP by checking in IP collection.
# If we have, then skip doing another check.
#
SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" \
"id:910120,\
phase:2,\
pass,\
t:none,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
skipAfter:END-RBL-LOOKUP"
#
# Check Client IP against ProjectHoneypot's HTTP Blacklist
# Ref: http://www.projecthoneypot.org/httpbl_api.php
#
# To use the blacklist, you must register for an HttpBL API Key
# and choose the traffic types to block. See section
# "Project Honey Pot HTTP Blacklist" in crs-setup.conf.
#
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecHttpBlKey
#
# Skip HttpBL checks if user has not defined one of the TX:block_* variables.
# This prevents error "Operator error: RBL httpBl called but no key defined: set SecHttpBlKey"
SecRule &TX:block_suspicious_ip "@eq 0" \
"id:910130,\
phase:2,\
pass,\
t:none,\
nolog,\
chain,\
skipAfter:END-RBL-CHECK"
SecRule &TX:block_harvester_ip "@eq 0" \
"chain"
SecRule &TX:block_spammer_ip "@eq 0" \
"chain"
SecRule &TX:block_search_ip "@eq 0"
SecRule TX:REAL_IP "@rbl dnsbl.httpbl.org" \
"id:910140,\
phase:2,\
pass,\
capture,\
t:none,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
setvar:'tx.httpbl_msg=%{tx.0}',\
chain"
SecRule TX:httpbl_msg "@rx RBL lookup of .*?.dnsbl.httpbl.org succeeded at TX:checkip. (.*?): .*" \
"capture,\
t:none,\
setvar:'tx.httpbl_msg=%{tx.1}'"
# The following regexs are generated based off re_operators.c
SecRule TX:block_search_ip "@eq 1" \
"id:910150,\
phase:2,\
block,\
t:none,\
msg:'HTTP Blacklist match for search engine IP',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
severity:'CRITICAL',\
chain,\
skipAfter:END-RBL-CHECK"
SecRule TX:httpbl_msg "@rx Search Engine" \
"setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
setvar:'ip.previous_rbl_check=1',\
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\
expirevar:'ip.previous_rbl_check=86400'"
SecRule TX:block_spammer_ip "@eq 1" \
"id:910160,\
phase:2,\
block,\
t:none,\
msg:'HTTP Blacklist match for spammer IP',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
severity:'CRITICAL',\
chain,\
skipAfter:END-RBL-CHECK"
SecRule TX:httpbl_msg "@rx (?i)^.*? spammer .*?$" \
"setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
setvar:'ip.previous_rbl_check=1',\
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\
expirevar:'ip.previous_rbl_check=86400'"
SecRule TX:block_suspicious_ip "@eq 1" \
"id:910170,\
phase:2,\
block,\
t:none,\
msg:'HTTP Blacklist match for suspicious IP',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
severity:'CRITICAL',\
chain,\
skipAfter:END-RBL-CHECK"
SecRule TX:httpbl_msg "@rx (?i)^.*? suspicious .*?$" \
"setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
setvar:'ip.previous_rbl_check=1',\
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\
expirevar:'ip.previous_rbl_check=86400'"
SecRule TX:block_harvester_ip "@eq 1" \
"id:910180,\
phase:2,\
block,\
t:none,\
msg:'HTTP Blacklist match for harvester IP',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
severity:'CRITICAL',\
chain,\
skipAfter:END-RBL-CHECK"
SecRule TX:httpbl_msg "@rx (?i)^.*? harvester .*?$" \
"setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
setvar:'ip.previous_rbl_check=1',\
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\
expirevar:'ip.previous_rbl_check=86400'"
SecAction \
"id:910190,\
phase:2,\
pass,\
t:none,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
setvar:'ip.previous_rbl_check=1',\
expirevar:'ip.previous_rbl_check=86400'"
SecMarker "END-RBL-LOOKUP"
SecMarker "END-RBL-CHECK"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:910013,phase:1,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:910014,phase:2,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:910015,phase:1,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:910016,phase:2,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:910017,phase:1,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:910018,phase:2,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-910-IP-REPUTATION"

78
confs/owasp-crs/REQUEST-911-METHOD-ENFORCEMENT.conf Normal file
View File

@ -0,0 +1,78 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:911011,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ Allowed Request Methods ]=-
#
# tx.allowed_methods is defined in the crs-setup.conf file
#
SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
"id:911100,\
phase:2,\
block,\
msg:'Method is not allowed by policy',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-generic',\
tag:'OWASP_CRS/POLICY/METHOD_NOT_ALLOWED',\
tag:'WASCTC/WASC-15',\
tag:'OWASP_TOP_10/A6',\
tag:'OWASP_AppSensor/RE1',\
tag:'PCI/12.1',\
severity:'CRITICAL',\
ver:'OWASP_CRS/3.1.1',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:911013,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:911014,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:911015,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:911016,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:911017,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:911018,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-911-METHOD-ENFORCEMENT"

297
confs/owasp-crs/REQUEST-912-DOS-PROTECTION.conf Normal file
View File

@ -0,0 +1,297 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# Anti-Automation rules to detect Denial of Service attacks.
#
# Description of mechanics:
# When a request hits a non-static resource (TX:STATIC_EXTENSIONS), then a counter for the IP
# address is being raised (IP:DOS_COUNTER). If the counter (IP:DOS_COUNTER) hits a limit
# (TX:DOS_COUNTER_THRESHOLD), then a burst is identified (IP:DOS_BURST_COUNTER) and the
# counter (IP:DOS_COUNTER) is reset. The burst counter expires within a timeout period
# (TX:DOS_BURST_TIME_SLICE).
# If the burst counter (IP:DOS_BURST_COUNTER) is greater equal 2, then the blocking flag
# is being set (IP:DOS_BLOCK). The blocking flag (IP:DOS_BLOCK) expires within a timeout
# period (TX:DOS_BLOCK_TIMEOUT). All this counting happens in phase 5.
# There is a stricter sibling to this rule (912170) in paranoia level 2, where the
# burst counter check (IP:DOS_BURST_COUNTER) hits at greater equal 1.
#
# The blocking is done in phase 1: When the blocking flag is encountered (IP:DOS_BLOCK),
# then the request is dropped without sending a response. If this happens, then a
# counter is # raised (IP:DOS_BLOCK_COUNTER).
# When an IP address is blocked for the first time, then the blocking is reported in a
# message and a flag (IP:DOS_BLOCK_FLAG) is set. This flag expires in 60 seconds.
# When an IP address is blocked and the flag (IP:DOS_BLOCK_FLAG) is set, then the
# blocking is not being reported (to prevent a flood of alerts). When the flag
# (IP:DOS_BLOCK_FLAG) has expired and a new request is being blocked, then the
# counter (IP:DOS_BLOCK_COUNTER) is being reset to 0 and the block is being treated
# as the first block (-> alert).
# In order to be able to display the counter (IP:DOS_BLOCK_COUNTER) and resetting
# it at the same time, we copy the counter (IP:DOS_BLOCK_COUNTER) into a different
# variable (TX:DOS_BLOCK_COUNTER), which is then displayed in turn.
#
# Variables:
# IP:DOS_BLOCK Flag if an IP address should be blocked
# IP:DOS_BLOCK_COUNTER Counter of blocked requests
# IP:DOS_BLOCK_FLAG Flag keeping track of alert. Flag expires after 60 seconds.
# IP:DOS_BURST_COUNTER Burst counter
# IP:DOS_COUNTER Request counter (static resources are ignored)
# TX:DOS_BLOCK_COUNTER Copy of IP:DOS_BLOCK_COUNTER (needed for display reasons)
# TX:DOS_BLOCK_TIMEOUT Period in seconds a blocked IP will be blocked
# TX:DOS_COUNTER_THRESHOLD Limit of requests, where a burst is identified
# TX:DOS_BURST_TIME_SLICE Period in seconds when we will forget a burst
# TX:STATIC_EXTENSIONS Paths which can be ignored with regards to DoS
#
# As a precondition for these rules, please set the following three variables:
# - TX:DOS_BLOCK_TIMEOUT
# - TX:DOS_COUNTER_THRESHOLD
# - TX:DOS_BURST_TIME_SLICE
#
# And make sure that TX:STATIC_EXTENSIONS is also set.
#
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
#
# Skip if variables defining DoS protection are not set
#
SecRule &TX:dos_burst_time_slice "@eq 0" \
"id:912100,\
phase:1,\
pass,\
t:none,\
nolog,\
chain,\
skipAfter:END-DOS-PROTECTION-CHECKS"
SecRule &TX:dos_counter_threshold "@eq 0" \
"chain"
SecRule &TX:dos_block_timeout "@eq 0"
SecRule &TX:dos_burst_time_slice "@eq 0" \
"id:912110,\
phase:5,\
pass,\
t:none,\
nolog,\
chain,\
skipAfter:END-DOS-PROTECTION-CHECKS"
SecRule &TX:dos_counter_threshold "@eq 0" \
"chain"
SecRule &TX:dos_block_timeout "@eq 0"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:912011,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:912012,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ Anti-Automation / DoS Protection : Block ]=-
#
#
# Block and track # of requests and log
#
SecRule IP:DOS_BLOCK "@eq 1" \
"id:912120,\
phase:1,\
drop,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-dos',\
msg:'Denial of Service (DoS) attack identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)',\
chain"
SecRule &IP:DOS_BLOCK_FLAG "@eq 0" \
"setvar:'ip.dos_block_counter=+1',\
setvar:'ip.dos_block_flag=1',\
setvar:'tx.dos_block_counter=%{ip.dos_block_counter}',\
setvar:'ip.dos_block_counter=0',\
expirevar:'ip.dos_block_flag=60'"
#
# Block and track # of requests but don't log
#
SecRule IP:DOS_BLOCK "@eq 1" \
"id:912130,\
phase:1,\
drop,\
t:none,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-dos',\
setvar:'ip.dos_block_counter=+1'"
#
# -=[ Anti-Automation / DoS Protection: Count requests ]=-
#
#
# Skip if we have blocked the request
#
SecRule IP:DOS_BLOCK "@eq 1" \
"id:912140,\
phase:5,\
pass,\
t:none,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-dos',\
skipAfter:END-DOS-PROTECTION-CHECKS"
#
# DOS Counter: Count the number of requests to non-static resources
#
SecRule REQUEST_BASENAME "@rx .*?(\.[a-z0-9]{1,10})?$" \
"id:912150,\
phase:5,\
pass,\
capture,\
t:none,t:lowercase,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-dos',\
setvar:'tx.extension=/%{TX.1}/',\
chain"
SecRule TX:EXTENSION "!@within %{tx.static_extensions}" \
"setvar:'ip.dos_counter=+1'"
#
# Check DOS Counter
# If the request count is greater than or equal to user settings,
# we raise the burst counter. This happens via two separate rules:
# - 912160: raise from 0 to 1
# - 912161: raise from 1 to 2
#
# This approach with two rules avoids raising the burst counter
# from 0 to 2 via two concurrent requests. We do not raise the
# burst counter beyond 2.
#
#
SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
"id:912160,\
phase:5,\
pass,\
t:none,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-dos',\
chain"
SecRule &IP:DOS_BURST_COUNTER "@eq 0" \
"setvar:'ip.dos_burst_counter=1',\
setvar:'!ip.dos_counter',\
expirevar:'ip.dos_burst_counter=%{tx.dos_burst_time_slice}'"
SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
"id:912161,\
phase:5,\
pass,\
t:none,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-dos',\
chain"
SecRule &IP:DOS_BURST_COUNTER "@ge 1" \
"setvar:'ip.dos_burst_counter=2',\
setvar:'!ip.dos_counter',\
expirevar:'ip.dos_burst_counter=%{tx.dos_burst_time_slice}'"
#
# Check DOS Burst Counter and set Block
# Check the burst counter - if greater than or equal to 2, then we set the IP
# block variable for a given expiry and issue an alert.
#
SecRule IP:DOS_BURST_COUNTER "@ge 2" \
"id:912170,\
phase:5,\
pass,\
t:none,\
log,\
msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-dos',\
setvar:'ip.dos_block=1',\
expirevar:'ip.dos_block=%{tx.dos_block_timeout}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:912013,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:912014,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:912019,phase:5,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
#
# Check DOS Burst Counter and set Block
# Check the burst counter - if greater than or equal to 1, then we set the IP
# block variable for a given expiry and issue an alert.
#
# This is a stricter sibling of rule 912170.
#
SecRule IP:DOS_BURST_COUNTER "@ge 1" \
"id:912171,\
phase:5,\
pass,\
t:none,\
log,\
msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-dos',\
tag:'paranoia-level/2',\
setvar:'ip.dos_block=1',\
expirevar:'ip.dos_block=%{tx.dos_block_timeout}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:912015,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:912016,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:912017,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:912018,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-912-DOS-PROTECTION"
SecMarker "END-DOS-PROTECTION-CHECKS"

210
confs/owasp-crs/REQUEST-913-SCANNER-DETECTION.conf Normal file
View File

@ -0,0 +1,210 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:913011,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ Vulnerability Scanner Checks ]=-
#
# These rules inspect the default User-Agent and Header values sent by
# various commercial and open source vuln scanners.
#
# The following rules contain User-Agent lists:
# 913100 - security scanners (data file scanners-user-agents.data)
# 913101 - scripting/generic HTTP clients (data file scripting-user-agents.data)
# 913102 - web crawlers/bots (data file crawlers-user-agents.data)
#
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
"id:913100,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'Found User-Agent associated with security scanner',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-scanner',\
tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\
tag:'WASCTC/WASC-21',\
tag:'OWASP_TOP_10/A7',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmf scanners-headers.data" \
"id:913110,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'Found request header associated with security scanner',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-scanner',\
tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\
tag:'WASCTC/WASC-21',\
tag:'OWASP_TOP_10/A7',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
SecRule REQUEST_FILENAME|ARGS "@pmf scanners-urls.data" \
"id:913120,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'Found request filename/argument associated with security scanner',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-scanner',\
tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\
tag:'WASCTC/WASC-21',\
tag:'OWASP_TOP_10/A7',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
#
# -=[ Scripting/Generic User-Agents ]=-
#
# This rule detects user-agents associated with various HTTP client libraries
# and scripting languages. Detection suggests attempted access by some
# automated tool.
#
# This rule is a sibling of rule 913100.
#
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
"id:913101,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'Found User-Agent associated with scripting/generic HTTP client',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-scripting',\
tag:'OWASP_CRS/AUTOMATION/SCRIPTING',\
tag:'WASCTC/WASC-21',\
tag:'OWASP_TOP_10/A7',\
tag:'PCI/6.5.10',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SCRIPTING-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
#
# -=[ Crawler User-Agents ]=-
#
# This rule detects user-agents associated with various crawlers, SEO tools,
# and bots, which have been reported to potentially misbehave.
# These crawlers can have legitimate uses when used with authorization.
#
# This rule is a sibling of rule 913100.
#
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \
"id:913102,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'Found User-Agent associated with web crawler/bot',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-crawler',\
tag:'OWASP_CRS/AUTOMATION/CRAWLER',\
tag:'WASCTC/WASC-21',\
tag:'OWASP_TOP_10/A7',\
tag:'PCI/6.5.10',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/CRAWLER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:913017,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:913018,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-913-SCANNER-DETECTION"

1549
confs/owasp-crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf Normal file
View File

File diff suppressed because it is too large Load Diff

297
confs/owasp-crs/REQUEST-921-PROTOCOL-ATTACK.conf Normal file
View File

@ -0,0 +1,297 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:921011,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ HTTP Request Smuggling ]=-
#
# [ Rule Logic ]
# This rule looks for a CR/LF character in combination with a HTTP / WEBDAV method name.
# This would point to an attempt to inject a 2nd request into the request, thus bypassing
# tests carried out on the primary request.
#
# [ References ]
# http://projects.webappsec.org/HTTP-Request-Smuggling
#
SecRule ARGS_NAMES|ARGS|XML:/* "@rx [\n\r]+(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+[^\s]+(?:\s+http|[\r\n])" \
"id:921110,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
msg:'HTTP Request Smuggling Attack',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/REQUEST-SMUGGLING-%{MATCHED_VAR_NAME}=%{tx.0}'"
#
# -=[ HTTP Response Splitting ]=-
#
# [ Rule Logic ]
# These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters.
# These characters may cause problems if the data is returned in a respones header and
# may be interpreted by an intermediary proxy server and treated as two separate
# responses.
#
# [ References ]
# http://projects.webappsec.org/HTTP-Response-Splitting
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\r\n]\W*?(?:content-(?:type|length)|set-cookie|location):" \
"id:921120,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:lowercase,\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
msg:'HTTP Response Splitting Attack',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
"id:921130,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
msg:'HTTP Response Splitting Attack',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{MATCHED_VAR_NAME}=%{tx.0}'"
#
# -=[ HTTP Header Injection ]=-
#
# [ Rule Logic ]
# These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters,
# on their own or in combination with header field names.
# These characters may cause problems if the data is returned in a respones header
# and interpreted by the client.
# The rules are similar to rules defending against the HTTP Request Splitting and
# Request Smuggling rules.
#
# [ References ]
# https://en.wikipedia.org/wiki/HTTP_header_injection
#
SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
"id:921140,\
phase:2,\
block,\
capture,\
t:none,t:htmlEntityDecode,t:lowercase,\
msg:'HTTP Header Injection Attack via headers',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
# Detect newlines in argument names.
# Checking for GET arguments has been moved to paranoia level 2 (921151)
# in order to mitigate possible false positives.
#
SecRule ARGS_NAMES "@rx [\n\r]" \
"id:921150,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:htmlEntityDecode,\
msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule ARGS_GET_NAMES|ARGS_GET "@rx (?:\n|\r)+(?:\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\s*:" \
"id:921160,\
phase:1,\
block,\
capture,\
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
msg:'HTTP Header Injection Attack via payload (CR/LF and header-name detected)',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
# Detect newlines in GET argument values.
# These may point to a HTTP header injection attack, but can also sometimes
# occur in benign query parameters.
#
# See also: rule 921140, 921150
#
SecRule ARGS_GET "@rx [\n\r]" \
"id:921151,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:htmlEntityDecode,\
msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
#
# -=[ HTTP Parameter Polution ]=-
#
# [ Rule Logic ]
# These rules look for multiple parameters with the same name.
# 921170 counts the occurrences of the individual parameters.
# 921180 checks if any counter is > 1.
#
# One HPP attack vector is to try evade signature filters by distributing the
# attack payload across multiple parameters with the same name.
# This works as many security devices only apply signatures to individual
# parameter payloads, however the back-end web application may (in the case
# of ASP.NET) consolidate all of the payloads into one thus making the
# attack payload active.
#
# [ References ]
# http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html
# https://capec.mitre.org/data/definitions/460.html
#
SecRule ARGS_NAMES "@rx ." \
"id:921170,\
phase:2,\
pass,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/3',\
tag:'CAPEC-460',\
ver:'OWASP_CRS/3.1.1',\
setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
SecRule TX:/paramcounter_.*/ "@gt 1" \
"id:921180,\
phase:2,\
pass,\
msg:'HTTP Parameter Pollution (%{TX.1})',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/3',\
tag:'CAPEC-460',\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \
"capture,\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HTTP_PARAMETER_POLLUTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-921-PROTOCOL-ATTACK"

159
confs/owasp-crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf Normal file
View File

@ -0,0 +1,159 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:930011,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ Directory Traversal Attacks ]=-
#
# Ref: https://github.com/wireghoul/dotdotpwn
#
# [ Encoded /../ Payloads ]
#
SecRule REQUEST_URI_RAW|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@rx (?i)(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\.))|\.(?:%0[01]|\?)?|\?\.?|0x2e){2}(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))" \
"id:930100,\
phase:2,\
block,\
capture,\
t:none,\
msg:'Path Traversal Attack (/../)',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-lfi',\
tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
#
# [ Decoded /../ Payloads ]
#
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@pm ..\ ../" \
"id:930110,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,\
msg:'Path Traversal Attack (/../)',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-lfi',\
tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
#
# -=[ OS File Access ]=-
#
# Ref: https://github.com/lightos/Panoptic/blob/master/cases.xml
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf lfi-os-files.data" \
"id:930120,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\
msg:'OS File Access Attempt',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-lfi',\
tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',\
tag:'WASCTC/WASC-33',\
tag:'OWASP_TOP_10/A4',\
tag:'PCI/6.5.4',\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
#
# -=[ Restricted File Access ]=-
#
# Detects attempts to retrieve application source code, metadata,
# credentials and version control history possibly reachable in a web root.
#
SecRule REQUEST_FILENAME "@pmf restricted-files.data" \
"id:930130,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
msg:'Restricted File Access Attempt',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-lfi',\
tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',\
tag:'WASCTC/WASC-33',\
tag:'OWASP_TOP_10/A4',\
tag:'PCI/6.5.4',\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:930013,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:930014,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:930016,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:930017,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:930018,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-930-APPLICATION-ATTACK-LFI"

153
confs/owasp-crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf Normal file
View File

@ -0,0 +1,153 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# RFI Attacks
#
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:931011,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
# -=[ Rule Logic ]=-
# These rules look for common types of Remote File Inclusion (RFI) attack methods.
# - URL Contains an IP Address
# - The PHP "include()" Function
# - RFI Data Ends with Question Mark(s) (?)
# - RFI Host Doesn't Match Local Host
#
# -=[ References ]=-
# http://projects.webappsec.org/Remote-File-Inclusion
# http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html
#
SecRule ARGS "@rx ^(?i:file|ftps?|https?):\/\/(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \
"id:931100,\
phase:2,\
block,\
capture,\
t:none,\
msg:'Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-rfi',\
tag:'OWASP_CRS/WEB_ATTACK/RFI',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(?:file|ftps?|https?):\/\/" \
"id:931110,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,\
msg:'Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-rfi',\
tag:'OWASP_CRS/WEB_ATTACK/RFI',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
"id:931120,\
phase:2,\
block,\
capture,\
t:none,\
msg:'Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-rfi',\
tag:'OWASP_CRS/WEB_ATTACK/RFI',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:931013,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:931014,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
SecRule ARGS "@rx ^(?i:file|ftps?|https?)://(.*)$" \
"id:931130,\
phase:2,\
block,\
capture,\
t:none,\
msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-rfi',\
tag:'OWASP_CRS/WEB_ATTACK/RFI',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=%{tx.1}',\
chain"
SecRule TX:/rfi_parameter_.*/ "!@beginsWith %{request_headers.host}" \
"setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{MATCHED_VAR_NAME}=%{tx.1}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:931016,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:931017,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:931018,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-931-APPLICATION-ATTACK-RFI"

703
confs/owasp-crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf Normal file
View File

File diff suppressed because one or more lines are too long

671
confs/owasp-crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf Normal file
View File

@ -0,0 +1,671 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ PHP Injection Attacks ]=-
#
# [ References ]
# http://rips-scanner.sourceforge.net/
# https://www.owasp.org/index.php/PHP_Top_5#P1:_Remote_Code_Executionh
#
#
# [ PHP Open Tag Found ]
#
# Detects PHP open tags "<?" and "<?php".
# http://www.php.net/manual/en/language.basic-syntax.phptags.php
#
# Care is taken to avoid false positives in XML declarations "<?xml..."
#
# Also detects "[php]", "[/php]" and "[\php]" tags used by some applications
# to indicate PHP dynamic content.
#
# Previously, this rule also checked for the PHP close tag '?>', but
# this resulted in false positives which were difficult to prevent.
# Therefore, that pattern is now checked by rule 933190 in paranoia levels
# 3 or higher.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:<\?(?!xml\s)|<\?php|\[(?:/|\\\\)?php\])" \
"id:933100,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:lowercase,\
msg:'PHP Injection Attack: PHP Open Tag Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
tag:'OWASP_TOP_10/A1',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
#
# [ PHP Script Uploads ]
#
# Block file uploads with filenames ending in PHP related extensions
# (.php, .phps, .phtml, .php5 etc).
#
# Many application contain Unrestricted File Upload vulnerabilities.
# https://www.owasp.org/index.php/Unrestricted_File_Upload
#
# Attackers may use such a vulnerability to achieve remote code execution
# by uploading a .php file. If the upload storage location is predictable
# and not adequately protected, the attacker may then request the uploaded
# .php file and have the code within it executed on the server.
#
# Also block files with just dot (.) characters after the extension:
# https://community.rapid7.com/community/metasploit/blog/2013/08/15/time-to-patch-joomla
#
# Some AJAX uploaders use the nonstandard request headers X-Filename,
# X_Filename, or X-File-Name to transmit the file name to the server;
# scan these request headers as well as multipart/form-data file names.
#
SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\.*$" \
"id:933110,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'PHP Injection Attack: PHP Script File Upload Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
tag:'OWASP_TOP_10/A1',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
#
# [ PHP Configuration Directives ]
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf php-config-directives.data" \
"id:933120,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,\
msg:'PHP Injection Attack: Configuration Directive Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
tag:'OWASP_TOP_10/A1',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS "@pm =" \
"capture,\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
#
# [ PHP Variables ]
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf php-variables.data" \
"id:933130,\
phase:2,\
block,\
capture,\
t:none,t:normalisePath,t:urlDecodeUni,t:lowercase,\
msg:'PHP Injection Attack: Variables Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
tag:'OWASP_TOP_10/A1',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
#
# [ PHP I/O Streams ]
#
# The "php://" syntax can be used to refer to various objects, such as local files (for LFI),
# remote urls (for RFI), or standard input/request body. Its occurrence indicates a possible attempt
# to either inject PHP code or exploit a file inclusion vulnerability in a PHP web app.
#
# Examples:
# php://filter/resource=./../../../wp-config.php
# php://filter/resource=http://www.example.com
# php://stdin
# php://input
#
# http://php.net/manual/en/wrappers.php.php
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)" \
"id:933140,\
phase:2,\
block,\
capture,\
t:none,\
msg:'PHP Injection Attack: I/O Stream Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
tag:'OWASP_TOP_10/A1',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
#
# [ PHP Functions ]
#
# Detecting PHP function names is useful to block PHP code injection attacks.
# There are many PHP functions. We have to strike a balance between robust detection
# of PHP code in content, and the risk of false positives.
#
# The list of PHP functions is divided into four groups of varying attack/false positive risk.
# Four separate rules are used to detect these groups of functions:
#
# - Rule 933150: ~40 words highly common to PHP injection payloads and extremely rare in
# natural language or other contexts.
# Examples: 'base64_decode', 'file_get_contents'.
# These words are detected as a match directly using @pmf.
# Function names are defined in php-function-names-933150.data
#
# - Rule 933160: ~220 words which are common in PHP code, but have a higher chance to cause
# false positives in natural language or other contexts.
# Examples: 'chr', 'eval'.
# To mitigate false positives, a regexp looks for PHP function syntax, e.g. 'eval()'.
# Regexp is generated from function names in util/regexp-assemble/regexp-933160.data
#
# - Rule 933151: ~1300 words of lesser importance. This includes most PHP functions and keywords.
# Examples: 'addslashes', 'array_diff'.
# For performance reasons, the @pmf operator is used, and many functions from lesser
# used PHP extensions are removed.
# To mitigate false positives, we only match when the '(' character is also found.
# This rule only runs in paranoia level 2 or higher.
# Function names are defined in php-function-names-933151.data
#
# - Rule 933161: ~200 words with short or trivial names, possibly leading to false positives.
# Examples: 'abs', 'cos'.
# To mitigate false positives, a regexp matches on function syntax, e.g. 'abs()'.
# This rule only runs in paranoia level 3 or higher.
# Regexp is generated from function names in util/regexp-assemble/regexp-933161.data
#
#
# [ PHP Functions: High-Risk PHP Function Names ]
#
# Rule 933150 contains a small list of function names which are highly indicative of a PHP
# injection attack, for example 'base64_decode'.
# We block these function names outright, without using a complex regexp or chain.
# This could make the detection a bit more robust against possible bypasses.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmf php-function-names-933150.data" \
"id:933150,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'PHP Injection Attack: High-Risk PHP Function Name Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
tag:'OWASP_TOP_10/A1',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
#
# [ PHP Functions: High-Risk PHP Function Calls ]
#
# Some PHP function names have a certain risk of false positives, due to short
# names, full or partial overlap with common natural language terms, uses in
# other contexts, et cetera. Some examples are 'eval', 'exec', 'system'.
#
# For these function names, we apply a regexp to look for PHP function syntax.
# The regexp looks for a word boundary and adjoining parentheses.
# For instance, we want to block 'eval()', but we want to allow 'medieval()'.
#
# We have to be careful of possible bypasses using comment syntax. Examples:
#
# system(...)
# system (...)
# system\t(...)
# system /*comment*/ (...)
# system /*multiline \n comment*/ (...)
# system //comment \n (...)
# system #comment \n (...)
#
# Regexp generated from util/regexp-assemble/regexp-933160.data using Regexp::Assemble.
# See http://blog.modsecurity.org/2007/06/optimizing-regu.html for usage.
# Note that after assemble, PHP function syntax pre/postfix is added to the Regexp::Assemble
# output. Example: "@rx (?i)\bASSEMBLE_OUTPUT_HERE(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)"
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|b(?:(?:son_(?:de|en)|ase64_en)code|zopen)|var_dump)(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)" \
"id:933160,\
phase:2,\
block,\
capture,\
t:none,\
msg:'PHP Injection Attack: High-Risk PHP Function Call Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
tag:'OWASP_TOP_10/A1',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
#
# [ PHP Object Injection ]
#
# PHP Object Injection is an application level vulnerability that could allow
# an attacker to perform different kinds of malicious attacks, such as
# Code Injection, SQL Injection, Path Traversal and Application Denial of Service,
# depending on the context.
#
# The vulnerability occurs when user-supplied input is not properly sanitized
# before being passed to the unserialize() PHP function. Since PHP allows object
# serialization, attackers could pass ad-hoc serialized strings to a vulnerable
# unserialize() call, resulting in an arbitrary PHP object(s) injection into the
# application scope.
#
# https://www.owasp.org/index.php/PHP_Object_Injection
#
# In serialized form, PHP objects have the following format:
#
# O:8:"stdClass":1:{s:1:"a";i:2;}
# O:3:"Foo":0:{}
#
# Also detected are PHP objects with a custom unserializer:
# http://www.phpinternalsbook.com/classes_objects/serialization.html
# These have the following format:
#
# C:11:"ArrayObject":37:{x:i:0;a:1:{s:1:"a";s:1:"b";};m:a:0:{}}
# C:3:"Foo":23:{s:15:"My private data";}
#
# HTTP headers are inspected, since PHP object injection vulnerabilities have been
# found in applications parsing them:
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8562 (User-Agent header)
# https://www.exploit-db.com/exploits/39033/ (X-Forwarded-For header)
# http://karmainsecurity.com/KIS-2015-10 (Host header)
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|ARGS_NAMES|ARGS|XML:/* "@rx [oOcC]:\d+:\".+?\":\d+:{.*}" \
"id:933170,\
phase:2,\
block,\
capture,\
t:none,\
msg:'PHP Injection Attack: Serialized Object Injection',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
tag:'OWASP_TOP_10/A1',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
#
# [ PHP Functions: Variable Function Calls ]
#
# PHP 'variable functions' provide an alternate syntax for calling PHP functions.
# http://php.net/manual/en/functions.variable-functions.php
#
# An attacker may use variable function syntax to evade detection of function
# names during exploitation of a remote code execution vulnerability.
# An example to use the 'file_get_contents' function while evading rule 933150:
#
# $fn = 'file_' . 'get_' . 'contents';
# echo $fn('wp-co' . 'nfig.php');
#
# Some examples from obfuscated malware:
#
# $OOO0000O0(...)
# @$b374k(...)
# $_[@-_]($_[@!+_] )
#
# A breakdown of the regular expression:
#
# \$+
# The variable's '$' char, or multiple '$' for 'variable variables':
# http://php.net/manual/en/language.variables.variable.php
# (?:[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*|\s*{.+})
# One of the following:
# - A variable name; regexp from http://php.net/language.variables.basics
# - A nonempty expression for variable variables: ${'fn'} or $ {'fn'}
# (?:\s|\[.+\]|{.+}|/\*.*\*/|//.*|#.*)*
# Optional whitespace, array access, or comments
# \(.*\)
# Parentheses optionally containing function parameters
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx \$+(?:[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*|\s*{.+})(?:\s|\[.+\]|{.+}|/\*.*\*/|//.*|#.*)*\(.*\)" \
"id:933180,\
phase:2,\
block,\
capture,\
t:none,\
msg:'PHP Injection Attack: Variable Function Call Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
tag:'OWASP_TOP_10/A1',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
#
# [ PHP Functions: Medium-Risk PHP Function Names ]
#
# In paranoia level 2, we add additional checks for most PHP functions.
#
# The size of the PHP function list is considerable.
# Even after excluding the more obscure PHP extensions, 1300+ functions remain.
# For performance and maintenance reasons, this rule does not use a regexp,
# but uses a phrase file (@pmf), and additionally looks for an '(' character
# in the matched variable.
#
# This approach carries some risk for false positives. Therefore, the function list
# has been curated to remove words closely matching natural language and terms often
# used in other contexts.
#
# This rule is a stricter sibling of rule 933150.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmf php-function-names-933151.data" \
"id:933151,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'PHP Injection Attack: Medium-Risk PHP Function Name Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
tag:'OWASP_TOP_10/A1',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS "@pm (" \
"capture,\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
#
# [ PHP Variables: Common Variable Indexes ]
#
# In paranoia level 3, we add additional checks for parameters to many PHP variables.
#
#
# One of the more common variables used within attacks on PHP is $_SERVER. Because
# of how many different ways PHP has for executing variables (variable variables,
# etc) often just looking for $_SERVER will be less effective than looking for the
# various indexes within $_SERVER. This rule checks for these indexes.
# This rule is located in PL 3 because often developers will use these names as
# parameter names or values and this will lead to false positives.
# Because this list is not expected to change and it is limited in size we use a
# regex in this case to look for these values whereas in its sibling rule we use
# @pmf for flexibility and performance.
#
# To rebuild the regexp:
# cd util/regexp-assemble
# ./regexp-assemble.pl < regexp-933131.data
#
# This rule is a stricter sibling of rule 933130.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:HTTP_(?:ACCEPT(?:_(?:ENCODING|LANGUAGE|CHARSET))?|(?:X_FORWARDED_FO|REFERE)R|(?:USER_AGEN|HOS)T|CONNECTION|KEEP_ALIVE)|PATH_(?:TRANSLATED|INFO)|ORIG_PATH_INFO|QUERY_STRING|REQUEST_URI|AUTH_TYPE)" \
"id:933131,\
phase:2,\
block,\
capture,\
t:none,t:normalisePath,t:urlDecodeUni,\
msg:'PHP Injection Attack: Variables Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
tag:'OWASP_TOP_10/A1',\
tag:'paranoia-level/3',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
#
# [ PHP Functions: Low-Value PHP Function Calls ]
#
# In paranoia level 3, we add additional checks for the remaining PHP functions.
#
# Most of these function names are likely to cause false positives in natural text
# or common parameter values, such as 'abs', 'copy', 'date', 'key', 'max', 'min'.
# Therefore, these function names are not scanned in lower paranoia levels.
#
# To mitigate the risk of false positives somewhat, a regexp is used to look for
# PHP function syntax. (See rule 933160 for a description.)
#
# This rule is a stricter sibling of rule 933160.
#
# Regexp generated from util/regexp-assemble/regexp-933161.data using Regexp::Assemble.
# See http://blog.modsecurity.org/2007/06/optimizing-regu.html for usage.
# Note that after assemble, PHP function syntax pre/postfix is added to the Regexp::Assemble
# output. Example: "@rx (?i)\bASSEMBLE_OUTPUT_HERE(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)"
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:i(?:s(?:_(?:in(?:t(?:eger)?|finite)|n(?:u(?:meric|ll)|an)|(?:calla|dou)ble|s(?:calar|tring)|f(?:inite|loat)|re(?:source|al)|l(?:ink|ong)|a(?:rray)?|object|bool)|set)|n(?:(?:clud|vok)e|t(?:div|val))|(?:mplod|dat)e|conv)|s(?:t(?:r(?:(?:le|sp)n|coll)|at)|(?:e(?:rializ|ttyp)|huffl)e|i(?:milar_text|zeof|nh?)|p(?:liti?|rintf)|(?:candi|ubst)r|y(?:mlink|slog)|o(?:undex|rt)|leep|rand|qrt)|f(?:ile(?:(?:siz|typ)e|owner|pro)|l(?:o(?:atval|ck|or)|ush)|(?:rea|mo)d|t(?:ell|ok)|unction|close|gets|stat|eof)|c(?:h(?:o(?:wn|p)|eckdate|root|dir|mod)|o(?:(?:(?:nsta|u)n|mpac)t|sh?|py)|lose(?:dir|log)|(?:urren|ryp)t|eil)|e(?:x(?:(?:trac|i)t|p(?:lode)?)|a(?:ster_da(?:te|ys)|ch)|r(?:ror_log|egi?)|mpty|cho|nd)|l(?:o(?:g(?:1[0p])?|caltime)|i(?:nk(?:info)?|st)|(?:cfirs|sta)t|evenshtein|trim)|d(?:i(?:(?:skfreespac)?e|r(?:name)?)|e(?:fined?|coct)|(?:oubleva)?l|ate)|r(?:e(?:(?:quir|cod|nam)e|adlin[ek]|wind|set)|an(?:ge|d)|ound|sort|trim)|m(?:b(?:split|ereg)|i(?:crotime|n)|a(?:i[ln]|x)|etaphone|y?sql|hash)|u(?:n(?:(?:tain|se)t|iqid|link)|s(?:leep|ort)|cfirst|mask)|a(?:s(?:(?:se|o)rt|inh?)|r(?:sort|ray)|tan[2h]?|cosh?|bs)|t(?:e(?:xtdomain|mpnam)|a(?:int|nh?)|ouch|ime|rim)|h(?:e(?:ader(?:s_(?:lis|sen)t)?|brev)|ypot|ash)|p(?:a(?:thinfo|ck)|r(?:intf?|ev)|close|o[sw]|i)|g(?:et(?:t(?:ext|ype)|date)|mdate)|o(?:penlog|ctdec|rd)|b(?:asename|indec)|n(?:atsor|ex)t|k(?:sort|ey)|quotemeta|wordwrap|virtual|join)(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)" \
"id:933161,\
phase:2,\
block,\
capture,\
t:none,\
msg:'PHP Injection Attack: Low-Value PHP Function Call Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
tag:'OWASP_TOP_10/A1',\
tag:'paranoia-level/3',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
#
# [ PHP Script Uploads: Superfluous extension ]
#
# Block file uploads with PHP related extensions (.php, .phps, .phtml,
# .php5 etc) anywhere in the name, followed by a dot.
#
# Example: index.php.tmp
#
# Uploading of such files can lead to remote code execution if
# Apache is configured with AddType and MultiViews, as Apache will
# automatically do a filename match when the extension is unknown.
# This configuration is fortunately not common in modern installs.
#
# Blocking these file names might lead to more false positives.
#
# Some AJAX uploaders use the nonstandard request headers X-Filename,
# X_Filename, or X-File-Name to transmit the file name to the server;
# scan these request headers as well as multipart/form-data file names.
#
# This rule is a stricter sibling of rule 933110.
#
SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\..*$" \
"id:933111,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'PHP Injection Attack: PHP Script File Upload Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
tag:'OWASP_TOP_10/A1',\
tag:'paranoia-level/3',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
# [ PHP Closing Tag Found ]
#
# http://www.php.net/manual/en/language.basic-syntax.phptags.php
#
# This check was extracted from 933100 (paranoia level 1), since the
# checked sequence '?>' commonly causes false positives.
# See issue #654 for discussion.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm ?>" \
"msg:'PHP Injection Attack: PHP Closing Tag Found',\
phase:2,\
ver:'OWASP_CRS/3.1.1',\
t:none,t:urlDecodeUni,\
ctl:auditLogParts=+E,\
block,\
capture,\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
id:933190,\
severity:'CRITICAL',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
tag:'OWASP_TOP_10/A1',\
tag:'paranoia-level/3',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-933-APPLICATION-ATTACK-PHP"

900
confs/owasp-crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf Normal file
View File

@ -0,0 +1,900 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ Libinjection - XSS Detection ]=-
#
# Ref: https://github.com/client9/libinjection
# Ref: https://speakerdeck.com/ngalbreath/libinjection-from-sqli-to-xss
#
# -=[ Targets ]=-
#
# 941100: PL1 : REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|
# REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|
# ARGS_NAMES|ARGS|XML:/*
#
# 941101: PL2 : REQUEST_HEADERS:Referer
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@detectXSS" \
"id:941100,\
phase:2,\
block,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'XSS Attack Detected via libinjection',\
logdata:'Matched Data: XSS data found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A3',\
tag:'OWASP_AppSensor/IE1',\
tag:'CAPEC-242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
#
# -=[ XSS Filters - Category 1 ]=-
# http://xssplayground.net23.net/xssfilter.html
# script tag based XSS vectors, e.g., <script> alert(1)</script>
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[<]script[^>]*[>][\s\S]*?" \
"id:941110,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'XSS Filter - Category 1: Script Tag Vector',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A3',\
tag:'OWASP_AppSensor/IE1',\
tag:'CAPEC-242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
#
# -=[ XSS Filters - Category 2 ]=-
# XSS vectors making use of event handlers like onerror, onload etc, e.g., <body onload="alert(1)">
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\"'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]+on[a-zA-Z]+[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=" \
"id:941120,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'XSS Filter - Category 2: Event Handler Vector',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A3',\
tag:'OWASP_AppSensor/IE1',\
tag:'CAPEC-242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
#
# -=[ XSS Filters - Category 3 ]=-
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\S](?:x(?:link:href|html|mlns)|!ENTITY.*?SYSTEM|data:text\/html|pattern(?=.*?=)|formaction|\@import|base64)\b" \
"id:941130,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'XSS Filter - Category 3: Attribute Vector',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A3',\
tag:'OWASP_AppSensor/IE1',\
tag:'CAPEC-242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
#
# -=[ XSS Filters - Category 4 ]=-
# XSS vectors making use of javascript uri and tags, e.g., <p style="background:url(javascript:alert(1))">
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:<(?:(?:apple|objec)t|isindex|embed|style|form|meta)\b[^>]*?>[\s\S]*?|(?:=|U\s*?R\s*?L\s*?\()\s*?[^>]*?\s*?S\s*?C\s*?R\s*?I\s*?P\s*?T\s*?:)" \
"id:941140,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'XSS Filter - Category 4: Javascript URI Vector',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A3',\
tag:'OWASP_AppSensor/IE1',\
tag:'CAPEC-242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
#
# -=[ NoScript XSS Filters ]=-
# Ref: http://noscript.net/
#
# [NoScript InjectionChecker] HTML injection
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*(?:\W*?s\W*?c\W*?r\W*?i\W*?p\W*?t|\W*?f\W*?o\W*?r\W*?m|\W*?s\W*?t\W*?y\W*?l\W*?e|\W*?s\W*?v\W*?g|\W*?m\W*?a\W*?r\W*?q\W*?u\W*?e\W*?e|(?:\W*?l\W*?i\W*?n\W*?k|\W*?o\W*?b\W*?j\W*?e\W*?c\W*?t|\W*?e\W*?m\W*?b\W*?e\W*?d|\W*?a\W*?p\W*?p\W*?l\W*?e\W*?t|\W*?p\W*?a\W*?r\W*?a\W*?m|\W*?i?\W*?f\W*?r\W*?a\W*?m\W*?e|\W*?b\W*?a\W*?s\W*?e|\W*?b\W*?o\W*?d\W*?y|\W*?m\W*?e\W*?t\W*?a|\W*?i\W*?m\W*?a?\W*?g\W*?e?|\W*?v\W*?i\W*?d\W*?e\W*?o|\W*?a\W*?u\W*?d\W*?i\W*?o|\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g\W*?s|\W*?s\W*?e\W*?t|\W*?a\W*?n\W*?i\W*?m\W*?a\W*?t\W*?e)[^>\w])|(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:formaction|style|background|src|lowsrc|ping|on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)?|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|m(?:o(?:z(?:pointerlock(?:change|error)|(?:orientation|time)change|fullscreen(?:change|error)|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|u(?:ccess|spend|bmit)|peech(?:start|end)|ound(?:start|end)|croll|how)|b(?:e(?:for(?:e(?:(?:scriptexecu|activa)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|deactivate)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ime(?:update|out)|ransitionend|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom))[\s\x08]*?=" \
"id:941160,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'NoScript XSS InjectionChecker: HTML Injection',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A3',\
tag:'OWASP_AppSensor/IE1',\
tag:'CAPEC-242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
#
# [NoScript InjectionChecker] Attributes injection
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\\\(\[\.<]|[\s\S]*?(?:\bname\b|\\[ux]\d))|data:(?:(?:[a-z]\w+\/\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))|@\W*?i\W*?m\W*?p\W*?o\W*?r\W*?t\W*?(?:\/\*[\s\S]*?)?(?:[\"']|\W*?u\W*?r\W*?l[\s\S]*?\()|\W*?-\W*?m\W*?o\W*?z\W*?-\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g[\s\S]*?:[\s\S]*?\W*?u\W*?r\W*?l[\s\S]*?\(" \
"id:941170,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'NoScript XSS InjectionChecker: Attribute Injection',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A3',\
tag:'OWASP_AppSensor/IE1',\
tag:'CAPEC-242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
#
# [Blacklist Keywords from Node-Validator]
# https://raw.github.com/chriso/node-validator/master/validator.js
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm document.cookie document.write document[ self[ .parentnode .innerhtml window.location -moz-binding <!-- --> <![cdata[" \
"id:941180,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls,\
msg:'Node-Validator Blacklist Keywords',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A3',\
tag:'OWASP_AppSensor/IE1',\
tag:'CAPEC-242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
#
# -=[ XSS Filters from IE ]=-
# Ref: http://blogs.technet.com/srd/archive/2008/08/18/ie-8-xss-filter-architecture-implementation.aspx
# Ref: http://xss.cx/examples/ie/internet-exploror-ie9-xss-filter-rules-example-regexp-mshtmldll.txt
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<style.*?>.*?((@[i\\\\])|(([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))))" \
"id:941190,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected.',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A3',\
tag:'OWASP_AppSensor/IE1',\
tag:'CAPEC-242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<.*[:]?vmlframe.*?[\s/+]*?src[\s/+]*=)" \
"id:941200,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected.',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A3',\
tag:'OWASP_AppSensor/IE1',\
tag:'CAPEC-242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(j|(&#x?0*((74)|(4A)|(106)|(6A));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).)" \
"id:941210,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected.',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A3',\
tag:'OWASP_AppSensor/IE1',\
tag:'CAPEC-242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(b|(&#x?0*((66)|(42)|(98)|(62));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).)" \
"id:941220,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected.',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A3',\
tag:'OWASP_AppSensor/IE1',\
tag:'CAPEC-242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<EMBED[\s/+].*?(?:src|type).*?=" \
"id:941230,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected.',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A3',\
tag:'OWASP_AppSensor/IE1',\
tag:'CAPEC-242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx <[?]?import[\s\/+\S]*?implementation[\s\/+]*?=" \
"id:941240,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected.',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A3',\
tag:'OWASP_AppSensor/IE1',\
tag:'CAPEC-242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<META[\s/+].*?http-equiv[\s/+]*=[\s/+]*[\"\'`]?(((c|(&#x?0*((67)|(43)|(99)|(63));?)))|((r|(&#x?0*((82)|(52)|(114)|(72));?)))|((s|(&#x?0*((83)|(53)|(115)|(73));?)))))" \
"id:941250,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected.',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A3',\
tag:'OWASP_AppSensor/IE1',\
tag:'CAPEC-242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<META[\s/+].*?charset[\s/+]*=)" \
"id:941260,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected.',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A3',\
tag:'OWASP_AppSensor/IE1',\
tag:'CAPEC-242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<LINK[\s/+].*?href[\s/+]*=" \
"id:941270,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected.',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A3',\
tag:'OWASP_AppSensor/IE1',\
tag:'CAPEC-242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<BASE[\s/+].*?href[\s/+]*=" \
"id:941280,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected.',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A3',\
tag:'OWASP_AppSensor/IE1',\
tag:'CAPEC-242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<APPLET[\s/+>]" \
"id:941290,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected.',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A3',\
tag:'OWASP_AppSensor/IE1',\
tag:'CAPEC-242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<OBJECT[\s/+].*?(?:type|codetype|classid|code|data)[\s/+]*=" \
"id:941300,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected.',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A3',\
tag:'OWASP_AppSensor/IE1',\
tag:'CAPEC-242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
#
# https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
# US-ASCII encoding bypass listed on XSS filter evasion
# Reported by Mazin Ahmed
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:¾|¼).*(?:¾|¼|>)|(?:¾|¼|<).*(?:¾|¼)" \
"id:941310,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
msg:'US-ASCII Malformed Encoding XSS Filter - Attack Detected.',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-tomcat',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A3',\
tag:'OWASP_AppSensor/IE1',\
tag:'CAPEC-242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
#
# UTF-7 encoding XSS filter evasion for IE.
# Reported by Vladimir Ivanov
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\+ADw\-|\+AD4\-).*(?:\+ADw\-|\+AD4\-|>)|(?:\+ADw\-|\+AD4\-|<).*(?:\+ADw\-|\+AD4\-)" \
"id:941350,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
msg:'UTF-7 Encoding IE XSS - Attack Detected.',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-internet-explorer',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A3',\
tag:'OWASP_AppSensor/IE1',\
tag:'CAPEC-242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:941014,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
#
# This is a stricter sibling of rule 941100.
#
SecRule REQUEST_HEADERS:Referer "@detectXSS" \
"id:941101,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'XSS Attack Detected via libinjection',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A3',\
tag:'OWASP_AppSensor/IE1',\
tag:'CAPEC-242',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
#
# -=[ XSS Filters - Category 5 ]=-
# HTML attribues - src, style and href
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=" \
"id:941150,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'XSS Filter - Category 5: Disallowed HTML Attributes',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A3',\
tag:'OWASP_AppSensor/IE1',\
tag:'CAPEC-242',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
# Detect tags that are the most common direct HTML injection points.
#
# <a href=javascript:...
# <applet src="..." type=text/html>
# <applet src="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4" type=text/html>
# <base href=javascript:...
# <base href=... // change base URL to something else to exploit relative filename inclusion
# <bgsound src=javascript:...
# <body background=javascript:...
# <body onload=...
# <embed src=http://www.example.com/flash.swf allowScriptAccess=always
# <embed src="data:image/svg+xml;
# <frameset><frame src="javascript:..."></frameset>
# <iframe src=javascript:...
# <img src=x onerror=...
# <input type=image src=javascript:...
# <layer src=...
# <link href="javascript:..." rel="stylesheet" type="text/css"
# <link href="http://www.example.com/xss.css" rel="stylesheet" type="text/css"
# <meta http-equiv="refresh" content="0;url=javascript:..."
# <meta http-equiv="refresh" content="0;url=http://;javascript:..." // evasion
# <meta http-equiv="link" rel=stylesheet content="http://www.example.com/xss.css">
# <meta http-equiv="Set-Cookie" content="NEW_COOKIE_VALUE">
# <object data=http://www.example.com
# <object type=text/x-scriptlet data=...
# <object type=application/x-shockwave-flash data=xss.swf>
# <object classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:...></object> // not verified
# <script>...</script>
# <script src=http://www.example.com/xss.js></script> - TODO add another rule for this
# <script src="data:text/javascript,alert(1)"></script>
# <script src="data:text/javascript;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg=="></script>
# <style>STYLE</style>
# <style type=text/css>STYLE</style>
# <style type=text/javascript>alert('xss')</style>
# <table background=javascript:...
# <td background=javascript:
#
#
# NOTES
#
# - Reference the WASC Script Mapping Project - http://projects.webappsec.org/Script-Mapping
#
# - Not using closing brackets because they are not needed for the
# attacks to succeed. The following seems to work in FF: <body/s/onload=...
#
# - Also, browsers sometimes tend to translate < into >, in order to "repair"
# what they think was a mistake made by the programmer/template designer.
#
# - Browsers are flexible when it comes to what they accept as separator between
# tag names and attributes. The following is commonly used in payloads: <img/src=...
# A better example: <BODY onload!#$%&amp;()*~+-_.,:;?@[/|\]^=alert("XSS")>
#
# - Grave accents are sometimes used as an evasion technique (as a replacement for quotes),
# but I don't believe we need to look for quotes anywhere.
#
# - Links do not have to be fully qualified. For example, the following works:
# <script src="//ha.ckers.org/.j">
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx <(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\W" \
"id:941320,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:jsDecode,t:lowercase,\
msg:'Possible XSS Attack Detected - HTML Tag Handler',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A2',\
tag:'OWASP_AppSensor/IE1',\
tag:'PCI/6.5.1',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\"\'][ ]*(([^a-z0-9~_:\' ])|(in)).*?(((l|(\\\\u006C))(o|(\\\\u006F))(c|(\\\\u0063))(a|(\\\\u0061))(t|(\\\\u0074))(i|(\\\\u0069))(o|(\\\\u006F))(n|(\\\\u006E)))|((n|(\\\\u006E))(a|(\\\\u0061))(m|(\\\\u006D))(e|(\\\\u0065)))|((o|(\\\\u006F))(n|(\\\\u006E))(e|(\\\\u0065))(r|(\\\\u0072))(r|(\\\\u0072))(o|(\\\\u006F))(r|(\\\\u0072)))|((v|(\\\\u0076))(a|(\\\\u0061))(l|(\\\\u006C))(u|(\\\\u0075))(e|(\\\\u0065))(O|(\\\\u004F))(f|(\\\\u0066)))).*?=)" \
"id:941330,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,\
msg:'IE XSS Filters - Attack Detected.',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A2',\
tag:'OWASP_AppSensor/IE1',\
tag:'PCI/6.5.1',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"\'][ ]*(?:[^a-z0-9~_:\' ]|in).+?[.].+?=" \
"id:941340,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,\
msg:'IE XSS Filters - Attack Detected.',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A2',\
tag:'OWASP_AppSensor/IE1',\
tag:'PCI/6.5.1',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:941015,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:941016,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:941017,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:941018,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-941-APPLICATION-ATTACK-XSS"

1571
confs/owasp-crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf Normal file
View File

File diff suppressed because it is too large Load Diff

138
confs/owasp-crs/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf Normal file
View File

@ -0,0 +1,138 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:943011,phase:1,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:943012,phase:2,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
#
# Session fixation
#
# -=[ References ]=-
# http://projects.webappsec.org/Session-Fixation
# http://projects.webappsec.org/w/page/13246960/Session%20Fixation
# http://capec.mitre.org/data/definitions/61.html
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
"id:943100,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,\
msg:'Possible Session Fixation Attack: Setting Cookie Values in HTML',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-fixation',\
tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\
tag:'WASCTC/WASC-37',\
tag:'CAPEC-61',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \
"id:943110,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:lowercase,\
msg:'Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-fixation',\
tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\
tag:'WASCTC/WASC-37',\
tag:'CAPEC-61',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Referer "@rx ^(?:ht|f)tps?://(.*?)\/" \
"capture,\
chain"
SecRule TX:1 "!@endsWith %{request_headers.host}" \
"setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \
"id:943120,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:lowercase,\
msg:'Possible Session Fixation Attack: SessionID Parameter Name with No Referer',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-fixation',\
tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\
tag:'WASCTC/WASC-37',\
tag:'CAPEC-61',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
chain"
SecRule &REQUEST_HEADERS:Referer "@eq 0" \
"setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:943013,phase:1,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:943014,phase:2,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:943015,phase:1,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:943016,phase:2,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:943017,phase:1,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:943018,phase:2,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"

301
confs/owasp-crs/REQUEST-944-APPLICATION-ATTACK-JAVA.conf Normal file
View File

@ -0,0 +1,301 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
# Many rules check request bodies, use "SecRequestBodyAccess On" to enable it on main modsecurity configuration file.
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "phase:1,id:944011,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "phase:2,id:944012,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx java\.lang\.(?:runtime|processbuilder)" \
"id:944100,\
phase:2,\
block,\
log,\
msg:'Remote Command Execution: Suspicious Java class detected',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
t:none,t:lowercase,\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
tag:'WASCTC/WASC-31',\
tag:'OWASP_TOP_10/A1',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
# [ Java deserialization vulnerability/Apache Struts (CVE-2017-9805) ]
# [ Java deserialization vulnerability/Oracle Weblogic (CVE-2017-10271) ]
#
# Generic rule to detect processbuilder or runtime calls, if any of thos is found and the same target contains
# java. unmarshaller or base64data to trigger a potential payload execution
# tested with https://www.exploit-db.com/exploits/42627/ and https://www.exploit-db.com/exploits/43458/
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx (?:runtime|processbuilder)" \
"id:944110,\
phase:2,\
block,\
t:none,t:lowercase,\
log,\
msg:'Remote Command Execution: Java process spawn (CVE-2017-9805)',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
tag:'WASCTC/WASC-31',\
tag:'OWASP_TOP_10/A1',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
chain"
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \
"setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
# Magic bytes detected and payload included possibly RCE vulnerable classess detected and process execution methods detected
# anomaly score set to critical as all conditions indicate the request try to perform RCE.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \
"id:944120,\
phase:2,\
block,\
t:none,t:lowercase,\
log,\
msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
tag:'WASCTC/WASC-31',\
tag:'OWASP_TOP_10/A1',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \
"t:none,t:lowercase,\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@pmf java-classes.data" \
"id:944130,\
phase:2,\
block,\
log,\
msg:'Suspicious Java class detected',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
t:none,t:lowercase,\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
tag:'WASCTC/WASC-31',\
tag:'OWASP_TOP_10/A1',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "phase:1,id:944013,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "phase:2,id:944014,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
# [ Java deserialization vulnerability/Apache Commons (CVE-2015-4852) ]
#
# Detect exploitation of "Java deserialization" Apache Commons.
#
# Based on rules by @spartantri.
# https://spartantri.com/ModSecurity/?p=44
#
# Interesting references about the vulnerability
# https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
# https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
#
# Potential false positives with random fields, the anomaly level is set low to avoid blocking request
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx \xac\xed\x00\x05" \
"id:944200,\
phase:2,\
block,\
log,\
msg:'Magic bytes Detected, probable java serialization in use',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
tag:'WASCTC/WASC-31',\
tag:'OWASP_TOP_10/A1',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
# Detecting possibe base64 text to match encoded magic bytes \xac\xed\x00\x05 with padding encoded in base64 strings are rO0ABQ KztAAU Cs7QAF
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx (?:rO0ABQ|KztAAU|Cs7QAF)" \
"id:944210,\
phase:2,\
block,\
log,\
msg:'Magic bytes Detected Base64 Encoded, probable java serialization in use',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
tag:'WASCTC/WASC-31',\
tag:'OWASP_TOP_10/A1',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \
"id:944240,\
phase:2,\
block,\
t:none,t:lowercase,\
log,\
msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
tag:'WASCTC/WASC-31',\
tag:'OWASP_TOP_10/A1',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx java\b.+(?:runtime|processbuilder)" \
"id:944250,\
phase:2,\
block,\
log,\
msg:'Remote Command Execution: Suspicious Java method detected',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
t:lowercase,\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
tag:'WASCTC/WASC-31',\
tag:'OWASP_TOP_10/A1',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "phase:1,id:944015,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "phase:2,id:944016,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
# Interesting keywords for possibly RCE on vulnerable classess and methods base64 encoded
# Keywords = ['runtime', 'processbuilder', 'clonetransformer', 'forclosure', 'instantiatefactory', 'instantiatetransformer', 'invokertransformer', 'prototypeclonefactory', 'prototypeserializationfactory', 'whileclosure']
#for item in keywords:
# pad='\x00'
# for padding in xrange(3):
# print base64.b64encode(''.join([pad*padding,item])).replace('=','')[padding:],
#cnVudGltZQ HJ1bnRpbWU BydW50aW1l cHJvY2Vzc2J1aWxkZXI HByb2Nlc3NidWlsZGVy Bwcm9jZXNzYnVpbGRlcg Y2xvbmV0cmFuc2Zvcm1lcg GNsb25ldHJhbnNmb3JtZXI BjbG9uZXRyYW5zZm9ybWVy Zm9yY2xvc3VyZQ GZvcmNsb3N1cmU Bmb3JjbG9zdXJl aW5zdGFudGlhdGVmYWN0b3J5 Gluc3RhbnRpYXRlZmFjdG9yeQ BpbnN0YW50aWF0ZWZhY3Rvcnk aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg Gluc3RhbnRpYXRldHJhbnNmb3JtZXI BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy aW52b2tlcnRyYW5zZm9ybWVy Gludm9rZXJ0cmFuc2Zvcm1lcg BpbnZva2VydHJhbnNmb3JtZXI cHJvdG90eXBlY2xvbmVmYWN0b3J5 HByb3RvdHlwZWNsb25lZmFjdG9yeQ Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5 Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ d2hpbGVjbG9zdXJl HdoaWxlY2xvc3VyZQ B3aGlsZWNsb3N1cmU
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx (?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)" \
"id:944300,\
phase:2,\
block,\
t:none,\
log,\
msg:'Base64 encoded string matched suspicious keyword',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
tag:'WASCTC/WASC-31',\
tag:'OWASP_TOP_10/A1',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "phase:1,id:944017,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "phase:2,id:944018,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-944-APPLICATION-ATTACK-JAVA"

132
confs/owasp-crs/REQUEST-949-BLOCKING-EVALUATION.conf Normal file
View File

@ -0,0 +1,132 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
# Summing up the anomaly score.
# NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs.
# So we add to it.
SecRule TX:PARANOIA_LEVEL "@ge 1" \
"id:949060,\
phase:2,\
pass,\
t:none,\
nolog,\
setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl1}'"
SecRule TX:PARANOIA_LEVEL "@ge 2" \
"id:949061,\
phase:2,\
pass,\
t:none,\
nolog,\
setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl2}'"
SecRule TX:PARANOIA_LEVEL "@ge 3" \
"id:949062,\
phase:2,\
pass,\
t:none,\
nolog,\
setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl3}'"
SecRule TX:PARANOIA_LEVEL "@ge 4" \
"id:949063,\
phase:2,\
pass,\
t:none,\
nolog,\
setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl4}'"
SecMarker "BEGIN-REQUEST-BLOCKING-EVAL"
# These rules use the anomaly score settings specified in the 10 config file.
# You should also set the desired disruptive action (deny, redirect, etc...).
#
# -=[ IP Reputation Checks ]=-
#
# Block based on variable IP.REPUT_BLOCK_FLAG and TX.DO_REPUT_BLOCK
#
SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
"id:949100,\
phase:2,\
deny,\
log,\
msg:'Request Denied by IP Reputation Enforcement.',\
logdata:'Previous Block Reason: %{ip.reput_block_reason}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
severity:'CRITICAL',\
chain"
SecRule TX:DO_REPUT_BLOCK "@eq 1" \
"setvar:'tx.inbound_tx_msg=%{tx.msg}',\
setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
#
# -=[ Anomaly Mode: Overall Transaction Anomaly Score ]=-
#
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
"id:949110,\
phase:2,\
deny,\
t:none,\
log,\
msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-generic',\
severity:'CRITICAL',\
setvar:'tx.inbound_tx_msg=%{tx.msg}',\
setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:949012,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:949013,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:949014,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:949015,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:949016,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:949017,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:949018,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-949-BLOCKING-EVALUATION"

110
confs/owasp-crs/RESPONSE-950-DATA-LEAKAGES.conf Normal file
View File

@ -0,0 +1,110 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
# The paranoia level skip rules 950020, 950021 and 950022 have odd
# numbers not in sync with other paranoia level skip rules in other
# files. This is done to avoid rule id collisions with CRSv2.
# This is also true for rule 950130.
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:950020,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:950021,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ Directory Listing ]=-
#
SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\[To Parent Directory\]<\/[Aa]><br>)" \
"id:950130,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Directory Listing',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'OWASP_CRS/LEAKAGE/INFO_DIRECTORY_LISTING',\
tag:'WASCTC/WASC-13',\
tag:'OWASP_TOP_10/A6',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'ERROR',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/INFO-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:950013,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
#
# -=[ The application is not available - 5xx level status code ]=-
#
SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
"id:950100,\
phase:4,\
block,\
capture,\
t:none,\
msg:'The Application Returned a 500-Level Status Code',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'WASCTC/WASC-13',\
tag:'OWASP_TOP_10/A6',\
tag:'PCI/6.5.6',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'ERROR',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.error_anomaly_score}',\
setvar:'tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:950015,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:950016,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:950017,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:950022,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-950-DATA-LEAKAGES"

489
confs/owasp-crs/RESPONSE-951-DATA-LEAKAGES-SQL.conf Normal file
View File

@ -0,0 +1,489 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:951011,phase:3,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:951012,phase:4,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ SQL Error Leakages ]=-
#
# Ref: https://raw.github.com/sqlmapproject/sqlmap/master/xml/errors.xml
# Ref: https://github.com/Arachni/arachni/tree/master/components/checks/active/sql_injection/regexps
#
SecRule RESPONSE_BODY "@pmFromFile sql-errors.data" \
"id:951100,\
phase:4,\
pass,\
nolog,\
t:none,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-disclosure',\
ver:'OWASP_CRS/3.1.1',\
setvar:'tx.sql_error_match=1'"
SecRule TX:sql_error_match "@eq 1" \
"id:951110,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Microsoft Access SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-msaccess',\
tag:'attack-disclosure',\
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
tag:'CWE-209',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \
"capture,\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951120,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Oracle SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-oracle',\
tag:'attack-disclosure',\
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
tag:'CWE-209',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" \
"capture,\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951130,\
phase:4,\
block,\
capture,\
t:none,\
msg:'DB2 SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-db2',\
tag:'attack-disclosure',\
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
tag:'CWE-209',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|CLI Driver.*DB2|DB2 SQL error|db2_\w+\()" \
"capture,\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951140,\
phase:4,\
block,\
capture,\
t:none,\
msg:'EMC SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-emc',\
tag:'attack-disclosure',\
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
tag:'CWE-209',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinity of:)" \
"capture,\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951150,\
phase:4,\
block,\
capture,\
t:none,\
msg:'firebird SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-firebird',\
tag:'attack-disclosure',\
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
tag:'CWE-209',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \
"capture,\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951160,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Frontbase SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-frontbase',\
tag:'attack-disclosure',\
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
tag:'CWE-209',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollback\." \
"capture,\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951170,\
phase:4,\
block,\
capture,\
t:none,\
msg:'hsqldb SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-hsqldb',\
tag:'attack-disclosure',\
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
tag:'CWE-209',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \
"capture,\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951180,\
phase:4,\
block,\
capture,\
t:none,\
msg:'informix SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-informix',\
tag:'attack-disclosure',\
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
tag:'CWE-209',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statement|com\.informix\.jdbc|Exception.*Informix)" \
"capture,\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951190,\
phase:4,\
block,\
capture,\
t:none,\
msg:'ingres SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-ingres',\
tag:'attack-disclosure',\
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
tag:'CWE-209',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver)" \
"capture,\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951200,\
phase:4,\
block,\
capture,\
t:none,\
msg:'interbase SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-interbase',\
tag:'attack-disclosure',\
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
tag:'CWE-209',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)" \
"capture,\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951210,\
phase:4,\
block,\
capture,\
t:none,\
msg:'maxDB SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-maxdb',\
tag:'attack-disclosure',\
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
tag:'CWE-209',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \
"capture,\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951220,\
phase:4,\
block,\
capture,\
t:none,\
msg:'mssql SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-mssql',\
tag:'attack-disclosure',\
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
tag:'CWE-209',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[\-\_\ ]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.)" \
"capture,\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951230,\
phase:4,\
block,\
capture,\
t:none,\
msg:'mysql SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-mysql',\
tag:'attack-disclosure',\
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
tag:'CWE-209',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid MySQL|Column count doesn't match value count at row|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax;|You have an error in your SQL syntax near|MySQL server version for the right syntax to use|\[MySQL\]\[ODBC|Column count doesn't match|Table '[^']+' doesn't exist|SQL syntax.*MySQL|Warning.*mysql_.*|valid MySQL result|MySqlClient\.)" \
"capture,\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951240,\
phase:4,\
block,\
capture,\
t:none,\
msg:'postgres SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-pgsql',\
tag:'attack-disclosure',\
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
tag:'CWE-209',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)(?:PostgreSQL query failed:|pg_query\(\) \[:|pg_exec\(\) \[:|PostgreSQL.*ERROR|Warning.*pg_.*|valid PostgreSQL result|Npgsql\.|PG::([a-zA-Z]*)Error|Supplied argument is not a valid PostgreSQL (?:.*?) resource|Unable to connect to PostgreSQL server)" \
"capture,\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951250,\
phase:4,\
block,\
capture,\
t:none,\
msg:'sqlite SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-sqlite',\
tag:'attack-disclosure',\
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
tag:'CWE-209',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite\.Exception|System\.Data\.SQLite\.SQLiteException)" \
"capture,\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951260,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Sybase SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-sybase',\
tag:'attack-disclosure',\
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
tag:'CWE-209',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.*sybase.*|Sybase.*Server message.*)" \
"capture,\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:951013,phase:3,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:951014,phase:4,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:951015,phase:3,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:951016,phase:4,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:951017,phase:3,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:951018,phase:4,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-951-DATA-LEAKAGES-SQL"

107
confs/owasp-crs/RESPONSE-952-DATA-LEAKAGES-JAVA.conf Normal file
View File

@ -0,0 +1,107 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:952011,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:952012,phase:4,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ Java Source Code Leakages ]=-
#
SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
"id:952100,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Java Source Code Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_JAVA',\
tag:'WASCTC/WASC-13',\
tag:'OWASP_TOP_10/A6',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'ERROR',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{MATCHED_VAR_NAME}=%{tx.0}'"
#
# -=[ Java Errors ]=-
#
# Ref: https://github.com/andresriancho/w3af/blob/master/w3af/plugins/grep/error_pages.py
#
SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \
"id:952110,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Java Errors',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'OWASP_CRS/LEAKAGE/ERRORS_JAVA',\
tag:'WASCTC/WASC-13',\
tag:'OWASP_TOP_10/A6',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'ERROR',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:952013,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:952014,phase:4,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:952015,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:952016,phase:4,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:952017,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:952018,phase:4,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-952-DATA-LEAKAGES-JAVA"

141
confs/owasp-crs/RESPONSE-953-DATA-LEAKAGES-PHP.conf Normal file
View File

@ -0,0 +1,141 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:953011,phase:3,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:953012,phase:4,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ PHP Error Message Leakage ]=-
#
SecRule RESPONSE_BODY "@pmf php-errors.data" \
"id:953100,\
phase:4,\
block,\
capture,\
t:none,\
msg:'PHP Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'OWASP_CRS/LEAKAGE/ERRORS_PHP',\
tag:'WASCTC/WASC-13',\
tag:'OWASP_TOP_10/A6',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'ERROR',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
#
# -=[ PHP source code leakage ]=-
#
# Detect some common PHP keywords in output.
#
SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" \
"id:953110,\
phase:4,\
block,\
capture,\
t:none,\
msg:'PHP source code leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_PHP',\
tag:'WASCTC/WASC-13',\
tag:'OWASP_TOP_10/A6',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'ERROR',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{MATCHED_VAR_NAME}=%{tx.0}'"
# Detect the presence of the PHP open tag "<?" or "<?php" in output.
#
# To prevent false positives due to the short "<?" sequence, an attempt
# is made to stop alerts in binary output. This is done by detecting
# some common binary file format headers, such as gzip (\x1f\x8b\x08),
# png (IHDR), mp3 (ID3), movie formats et cetera.
#
SecRule RESPONSE_BODY "@rx <\?(?!xml)" \
"id:953120,\
phase:4,\
block,\
capture,\
t:none,\
msg:'PHP source code leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_PHP',\
tag:'WASCTC/WASC-13',\
tag:'OWASP_TOP_10/A6',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'ERROR',\
chain"
SecRule RESPONSE_BODY "!@rx (?:\x1f\x8b\x08|\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b)" \
"t:none,\
capture,\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:953013,phase:3,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:953014,phase:4,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:953015,phase:3,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:953016,phase:4,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:953017,phase:3,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:953018,phase:4,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-953-DATA-LEAKAGES-PHP"

154
confs/owasp-crs/RESPONSE-954-DATA-LEAKAGES-IIS.conf Normal file
View File

@ -0,0 +1,154 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:954011,phase:3,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:954012,phase:4,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
# IIS default location
SecRule RESPONSE_BODY "@rx [a-z]:\\\\inetpub\b" \
"id:954100,\
phase:4,\
block,\
capture,\
t:none,t:lowercase,\
msg:'Disclosure of IIS install location',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-iis',\
tag:'platform-windows',\
tag:'attack-disclosure',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'ERROR',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:<\/font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \(0x80040e31\)<br>Timeout expired<br>)|<h1>internal server error<\/h1>.*?<h2>part of the server has crashed or it has a configuration error\.<\/h2>|cannot connect to the server: timed out)" \
"id:954110,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Application Availability Error',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-iis',\
tag:'platform-windows',\
tag:'attack-disclosure',\
tag:'WASCTC/WASC-13',\
tag:'OWASP_TOP_10/A6',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'ERROR',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{MATCHED_VAR_NAME}=%{tx.0}'"
#
# IIS Errors leakage
#
SecRule RESPONSE_BODY "@rx (?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application uses a value of the wrong type for the current operation\b|error')| trappable error occurred in an external object\. The script cannot continue running\b)|Microsoft VBScript (?:compilation (?:\(0x8|error)|runtime (?:Error|\(0x8))\b|Object required: '|error '800)|<b>Version Information:<\/b>(?:&nbsp;|\s)(?:Microsoft \.NET Framework|ASP\.NET) Version:|>error 'ASP\b|An Error Has Occurred|>Syntax error in string in query expression|\/[Ee]rror[Mm]essage\.aspx?\?[Ee]rror\b)" \
"id:954120,\
phase:4,\
block,\
capture,\
t:none,\
msg:'IIS Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-iis',\
tag:'platform-windows',\
tag:'attack-disclosure',\
tag:'OWASP_CRS/LEAKAGE/ERRORS_IIS',\
tag:'WASCTC/WASC-13',\
tag:'OWASP_TOP_10/A6',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'ERROR',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule RESPONSE_STATUS "!@rx ^404$" \
"id:954130,\
phase:4,\
block,\
capture,\
t:none,\
msg:'IIS Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-iis',\
tag:'platform-windows',\
tag:'attack-disclosure',\
tag:'OWASP_CRS/LEAKAGE/ERRORS_IIS',\
tag:'WASCTC/WASC-13',\
tag:'OWASP_TOP_10/A6',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.1.1',\
severity:'ERROR',\
chain"
SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" \
"t:none,\
capture,\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:954013,phase:3,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:954014,phase:4,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:954015,phase:3,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:954016,phase:4,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:954017,phase:3,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:954018,phase:4,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-954-DATA-LEAKAGES-IIS"

108
confs/owasp-crs/RESPONSE-959-BLOCKING-EVALUATION.conf Normal file
View File

@ -0,0 +1,108 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
# You should set the score to the proper threshold you would prefer. If kept at "@gt 0"
# it will work similarly to previous Mod CRS rules and will create an event in the error_log
# file if there are any rules that match. If you would like to lessen the number of events
# generated in the error_log file, you should increase the anomaly score threshold to
# something like "@gt 20". This would only generate an event in the error_log file if
# there are multiple lower severity rule matches or if any 1 higher severity item matches.
#
# You should also set the desired disruptive action (deny, redirect, etc...).
#
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
# Summing up the anomaly score.
# NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs.
# So we add to it.
SecRule TX:PARANOIA_LEVEL "@ge 1" \
"id:959060,\
phase:4,\
pass,\
t:none,\
nolog,\
setvar:'tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
SecRule TX:PARANOIA_LEVEL "@ge 2" \
"id:959061,\
phase:4,\
pass,\
t:none,\
nolog,\
setvar:'tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
SecRule TX:PARANOIA_LEVEL "@ge 3" \
"id:959062,\
phase:4,\
pass,\
t:none,\
nolog,\
setvar:'tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
SecRule TX:PARANOIA_LEVEL "@ge 4" \
"id:959063,\
phase:4,\
pass,\
t:none,\
nolog,\
setvar:'tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
# Alert and Block on High Anomaly Scores - this would block outbound data leakages
#
SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
"id:959100,\
phase:4,\
deny,\
t:none,\
msg:'Outbound Anomaly Score Exceeded (Total Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
tag:'anomaly-evaluation'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:959011,phase:3,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:959012,phase:4,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:959013,phase:3,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:959014,phase:4,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:959015,phase:3,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:959016,phase:4,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:959017,phase:3,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:959018,phase:4,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-959-BLOCKING-EVALUATION"

161
confs/owasp-crs/RESPONSE-980-CORRELATION.conf Normal file
View File

@ -0,0 +1,161 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# This file is used in post processing after the response has been sent to
# the client (in the logging phase). Its purpose is to provide inbound+outbound
# correlation of events to provide a more intelligent designation as to the outcome
# or result of the transaction - meaning, was this a successful attack?
#
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
#
# -=[ Correlated Successful Attack ]=-
#
SecRule &TX:'/LEAKAGE\\\/ERRORS/' "@ge 1" \
"id:980100,\
phase:5,\
pass,\
t:none,\
log,\
msg:'Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (%{tx.inbound_tx_msg} - Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
tag:'event-correlation',\
severity:'EMERGENCY',\
chain,\
skipAfter:END-CORRELATION"
SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none"
#
# -=[ Correlated Attack Attempt ]=-
#
SecRule &TX:'/AVAILABILITY\\\/APP_NOT_AVAIL/' "@ge 1" \
"id:980110,\
phase:5,\
pass,\
t:none,\
log,\
msg:'Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (%{tx.inbound_tx_msg} Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
severity:'ALERT',\
tag:'event-correlation',\
chain,\
skipAfter:END-CORRELATION"
SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none"
# Creating a total sum of all triggered inbound rules, including the ones only being monitored
SecAction \
"id:980115,\
phase:5,\
pass,\
t:none,\
nolog,\
noauditlog,\
setvar:'tx.executing_anomaly_score=%{tx.anomaly_score_pl1}',\
setvar:'tx.executing_anomaly_score=+%{tx.anomaly_score_pl2}',\
setvar:'tx.executing_anomaly_score=+%{tx.anomaly_score_pl3}',\
setvar:'tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}'"
SecRule TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_threshold}" \
"id:980120,\
phase:5,\
pass,\
t:none,\
log,\
noauditlog,\
msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): %{tx.inbound_tx_msg}; individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',\
tag:'event-correlation',\
chain"
SecRule TX:MONITOR_ANOMALY_SCORE "@gt 1"
SecRule TX:INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
"id:980130,\
phase:5,\
pass,\
t:none,\
log,\
noauditlog,\
msg:'Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): %{tx.inbound_tx_msg}; individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',\
tag:'event-correlation'"
SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
"id:980140,\
phase:5,\
pass,\
t:none,\
log,\
noauditlog,\
msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg}; individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',\
tag:'event-correlation'"
# Creating a total sum of all triggered outbound rules, including the ones only being monitored
SecAction \
"id:980145,\
phase:5,\
pass,\
t:none,\
nolog,\
noauditlog,\
setvar:'tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1}',\
setvar:'tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2}',\
setvar:'tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl3}',\
setvar:'tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
SecRule TX:OUTBOUND_ANOMALY_SCORE "@lt %{tx.outbound_anomaly_score_threshold}" \
"id:980150,\
phase:5,\
pass,\
t:none,\
log,\
noauditlog,\
msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg}; individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',\
tag:'event-correlation',\
chain"
SecRule TX:MONITOR_ANOMALY_SCORE "@gt 1"
SecMarker "END-CORRELATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:980011,phase:1,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:980012,phase:2,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:980013,phase:1,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:980014,phase:2,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:980015,phase:1,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:980016,phase:2,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:980017,phase:1,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:980018,phase:2,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-980-CORRELATION"

75
confs/owasp-crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example Normal file
View File

@ -0,0 +1,75 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.1.1
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# The purpose of this file is to hold LOCAL exceptions for your site.
# The types of rules that would go into this file are one where you want
# to unconditionally disable rules or modify their actions during startup.
#
# Please see the file REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
# for a description of the rule exclusions mechanism and the correct
# use of this file.
#
#
# Example Exclusion Rule: To unconditionally disable a rule ID
#
# ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection
# SecRuleRemoveById 942100
# Example Exclusion Rule: Remove a group of rules
#
# ModSecurity Rule Exclusion: Disable PHP injection rules
# SecRuleRemoveByTag "attack-injection-php"
#
# Example Exclusion Rule: To unconditionally remove parameter "foo" from
# inspection for SQLi rules
#
# ModSecurity Rule Exclusion: disable sqli rules for parameter foo.
# SecRuleUpdateTargetByTag "attack-sqli" "!ARGS:foo"
# -- [[ Changing the Disruptive Action for Anomaly Mode ]] --
#
# In Anomaly Mode (default in CRS3), the rules in REQUEST-949-BLOCKING-EVALUATION.conf
# and RESPONSE-959-BLOCKING-EVALUATION.conf check the accumulated attack scores
# against your policy. To apply a disruptive action, they overwrite the default
# actions specified in SecDefaultAction (setup.conf) with a 'deny' action.
# This 'deny' is by default paired with a 'status:403' action.
#
# In order to change the disruptive action from 'deny' to something else,
# you must use SecRuleUpdateActionByID directives AFTER the CRS rules
# are configured, for instance in the RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf file.
#
# These actions only apply when using Anomaly Mode.
#
# Default action: block with error 403
# (No configuration needed in this file if you want the default behavior.)
#
# Example: redirect back to the homepage on blocking
#
# SecRuleUpdateActionById 949110 "t:none,redirect:'http://%{request_headers.host}/'"
# SecRuleUpdateActionById 959100 "t:none,redirect:'http://%{request_headers.host}/'"
# Example: redirect to another URL on blocking
#
# SecRuleUpdateActionById 949110 "t:none,redirect:'http://example.com/report_problem'"
# SecRuleUpdateActionById 959100 "t:none,redirect:'http://example.com/report_problem'"
# Example: send an error 404
#
# SecRuleUpdateActionById 949110 "t:none,deny,status:404"
# SecRuleUpdateActionById 959100 "t:none,deny,status:404"
# Example: drop the connection (best for DoS attacks)
#
# SecRuleUpdateActionById 949110 "t:none,drop"
# SecRuleUpdateActionById 959100 "t:none,drop"

34
confs/owasp-crs/crawlers-user-agents.data Normal file
View File

@ -0,0 +1,34 @@
# Search engine crawlers and other bots
# site ripper
# http://www.softbytelabs.com/en/BlackWidow/
black widow
blackwidow
# crawler
# 2006
prowebwalker
# generic crawler
pymills-spider/
# SEO
# https://ahrefs.com/robot
AhrefsBot
# people database
# https://pipl.com/bot/
PiplBot
# advertising targeting
# https://www.grapeshot.com/crawler/
GrapeshotCrawler/2.0
grapeFX
# SEO
# http://www.searchmetrics.com/searchmetricsbot/
SearchmetricsBot
# SEO
# https://moz.com/help/guides/moz-procedures/what-is-rogerbot
rogerbot
# SEO
# http://www.majestic12.co.uk/projects/dsearch/mj12bot.php
MJ12bot
# news service
Owlin bot
# misbehaving spider
Lingewoud-550-Spyder

13
confs/owasp-crs/iis-errors.data Normal file
View File

@ -0,0 +1,13 @@
<h2 style="font:8pt/11pt verdana; color:000000">HTTP 403.6 - Forbidden: IP address rejected<br>
<TITLE>500 Internal Server Error</TITLE>
Microsoft VBScript runtime (0x8
error '800
Application uses a value of the wrong type for the current operation
Microsoft VBScript compilation (0x8
Microsoft VBScript compilation error
Microsoft .NET Framework Version:
A trappable error occurred in an external object. The script cannot continue running
Microsoft VBScript runtime Error
>Syntax error in string in query expression
ADODB.Command
Object required: '

38
confs/owasp-crs/java-classes.data Normal file
View File

@ -0,0 +1,38 @@
com.opensymphony.xwork2
com.sun.org.apache
java.io.BufferedInputStream
java.io.BufferedReader
java.io.ByteArrayInputStream
java.io.ByteArrayOutputStream
java.io.CharArrayReader
java.io.DataInputStream
java.io.File
java.io.FileOutputStream
java.io.FilterInputStream
java.io.FilterOutputStream
java.io.FilterReader
java.io.InputStream
java.io.InputStreamReader
java.io.LineNumberReader
java.io.ObjectOutputStream
java.io.OutputStream
java.io.PipedOutputStream
java.io.PipedReader
java.io.PrintStream
java.io.PushbackInputStream
java.io.Reader
java.io.StringReader
java.lang.Class
java.lang.Integer
java.lang.Number
java.lang.Object
java.lang.Process
java.lang.ProcessBuilder
java.lang.reflect
java.lang.Runtime
java.lang.String
java.lang.StringBuilder
java.lang.System
javax.script.ScriptEngineManager
org.apache.commons
org.omg.CORBA

17
confs/owasp-crs/java-code-leakages.data Normal file
View File

@ -0,0 +1,17 @@
<jsp:
javax.servlet
.addheader
.createtextfile
.getfile
.loadfromfile
response.binarywrite
response.write
scripting.filesystemobject
server.createobject
server.execute
server.htmlencode
server.mappath
server.urlencode
vbscript.encode
wscript.network
wscript.shell

10
confs/owasp-crs/java-errors.data Normal file
View File

@ -0,0 +1,10 @@
[java.lang.
class java.lang.
java.lang.NullPointerException
java.rmi.ServerException
at java.lang.
onclick="toggle('full exception chain stacktrace')"
at org.apache.catalina
at org.apache.coyote.
at org.apache.tomcat.
at org.apache.jasper.

1115
confs/owasp-crs/lfi-os-files.data Normal file
View File

File diff suppressed because it is too large Load Diff

276
confs/owasp-crs/php-config-directives.data Normal file
View File

@ -0,0 +1,276 @@
allow_call_time_pass_reference
allow_url_fopen
allow_url_include
always_populate_raw_post_data
arg_separator.input
arg_separator.output
asp_tags
assert.active
assert.bail
assert.callback
assert.quiet_eval
assert.warning
auto_append_file
auto_detect_line_endings
auto_globals_jit
auto_prepend_file
bcmath.scale
birdstep.max_links
browscap
cgi.fix_pathinfo
cgi.force_redirect
cgi.nph
cgi.redirect_status_env
cgi.rfc2616_headers
com.allow_dcom
com.autoregister_casesensitive
com.autoregister_typelib
com.autoregister_verbose
com.code_page
com.typelib_file
date.default_latitude
date.default_longitude
date.sunrise_zenith
date.sunset_zenith
date.timezone
dba.default_handler
default_charset
default_mimetype
default_socket_timeout
define_syslog_variables
disable_classes
disable_functions
display_errors
display_startup_errors
doc_root
docref_ext
docref_root
enable_dl
error_append_string
error_log
error_prepend_string
error_reporting
exif.decode_jis_intel
exif.decode_jis_motorola
exif.decode_unicode_intel
exif.decode_unicode_motorola
exif.encode_jis
exif.encode_unicode
expose_php
extension_dir
fastcgi.impersonate
fastcgi.logging
file_uploads
filter.default
filter.default_flags
gd.jpeg_ignore_warning
highlight.bg
highlight.comment
highlight.default
highlight.html
highlight.keyword
highlight.string
html_errors
ibase.allow_persistent
ibase.dateformat
ibase.default_charset
ibase.default_db
ibase.default_password
ibase.default_user
ibase.max_links
ibase.max_persistent
ibase.timeformat
ibase.timestampformat
iconv.input_encoding
iconv.internal_encoding
iconv.output_encoding
ignore_repeated_errors
ignore_repeated_source
ignore_user_abort
implicit_flush
include_path
intl.default_locale
intl.error_level
ldap.max_links
log_errors
log_errors_max_len
magic_quotes_gpc
magic_quotes_runtime
magic_quotes_sybase
mail.add_x_header
mail.force_extra_parameters
mail.log
max_execution_time
max_file_uploads
max_input_nesting_level
max_input_time
mbstring.detect_order
mbstring.encoding_translation
mbstring.func_overload
mbstring.http_input
mbstring.http_output
mbstring.http_output_conv_mimetype
mbstring.internal_encoding
mbstring.language
mbstring.script_encoding
mbstring.strict_detection
mbstring.substitute_character
mcrypt.algorithms_dir
mcrypt.modes_dir
memory_limit
mssql.allow_persistent
mssql.batchsize
mssql.charset
mssql.compatability_mode
mssql.connect_timeout
mssql.datetimeconvert
mssql.max_links
mssql.max_persistent
mssql.max_procs
mssql.min_error_severity
mssql.min_message_severity
mssql.secure_connection
mssql.textlimit
mssql.textsize
mssql.timeout
mysql.allow_local_infile
mysql.allow_persistent
mysql.cache_size
mysql.connect_timeout
mysql.default_host
mysql.default_password
mysql.default_port
mysql.default_socket
mysql.default_user
mysql.max_links
mysql.max_persistent
mysql.trace_mode
mysqli.allow_local_infile
mysqli.allow_persistent
mysqli.cache_size
mysqli.default_host
mysqli.default_port
mysqli.default_pw
mysqli.default_socket
mysqli.default_user
mysqli.max_links
mysqli.max_persistent
mysqli.reconnect
mysqlnd.collect_memory_statistics
mysqlnd.collect_statistics
mysqlnd.net_cmd_buffer_size
mysqlnd.net_read_buffer_size
oci8.connection_class
oci8.default_prefetch
oci8.events
oci8.max_persistent
oci8.old_oci_close_semantics
oci8.persistent_timeout
oci8.ping_interval
oci8.privileged_connect
oci8.statement_cache_size
odbc.allow_persistent
odbc.check_persistent
odbc.default_db
odbc.default_pw
odbc.default_user
odbc.defaultbinmode
odbc.defaultlrl
odbc.max_links
odbc.max_persistent
open_basedir
output_buffering
output_handler
pcre.backtrack_limit
pcre.recursion_limit
pdo_mysql.cache_size
pdo_mysql.default_socket
pdo_odbc.connection_pooling
pgsql.allow_persistent
pgsql.auto_reset_persistent
pgsql.ignore_notice
pgsql.log_notice
pgsql.max_links
pgsql.max_persistent
phar.cache_list
phar.readonly
phar.require_hash
post_max_size
realpath_cache_size
realpath_cache_ttl
register_argc_argv
register_globals
register_long_arrays
report_memleaks
report_zend_debug
request_order
safe_mode
safe_mode_allowed_env_vars
safe_mode_exec_dir
safe_mode_gid
safe_mode_include_dir
safe_mode_protected_env_vars
sendmail_from
sendmail_path
serialize_precision
session.auto_start
session.bug_compat_42
session.bug_compat_warn
session.cache_expire
session.cache_limiter
session.cookie_domain
session.cookie_httponly
session.cookie_lifetime
session.cookie_path
session.cookie_secure
session.entropy_file
session.entropy_length
session.gc_divisor
session.gc_maxlifetime
session.gc_probability
session.hash_bits_per_character
session.hash_function
session.name
session.referer_check
session.save_handler
session.save_path
session.serialize_handler
session.use_cookies
session.use_only_cookies
session.use_trans_sid
short_open_tag
soap.wsdl_cache_dir
soap.wsdl_cache_enabled
soap.wsdl_cache_limit
soap.wsdl_cache_ttl
sql.safe_mode
sqlite.assoc_case
sqlite3.extension_dir
sybct.allow_persistent
sybct.deadlock_retry_count
sybct.hostname
sybct.login_timeout
sybct.max_links
sybct.max_persistent
sybct.min_client_severity
sybct.min_server_severity
sybct.timeout
sysvshm.init_mem
tidy.clean_output
tidy.default_config
track_errors
unserialize_callback_func
upload_max_filesize
upload_tmp_dir
url_rewriter.tags
user_agent
user_dir
user_ini.cache_ttl
user_ini.filename
variables_order
xmlrpc_error_number
xmlrpc_errors
y2k_compliance
zlib.output_compression
zlib.output_compression_level
zlib.output_handler

220
confs/owasp-crs/php-errors.data Normal file
View File

@ -0,0 +1,220 @@
<b>Warning</b>:
No row with the given identifier
open_basedir restriction in effect
eval()'d code</b> on line <b>
Cannot execute a blank command in
Fatal error</b>: preg_replace
thrown in <b>
#0 {main}
Stack trace:
</b> on line <b>
() cannot be called statically
- not a Class::Method
::__toString() must not throw an exception
Access to undeclared static property:
An iterator cannot be used with foreach by reference
Array callback has to contain indices 0 and 1
Arrived at end of main loop which shouldn't happen
Attempt to destruct pending exception
Attempt to unset static property
Balloc() allocation exceeds list boundary
Balloc() failed to allocate memory
Base lambda function for closure not found
Call to a member function
Call to private
Call to protected
Call to undefined function
Call to undefined method
Can only throw objects
Cannot access empty property
Cannot access parent:: when current class scope has no parent
Cannot access parent:: when no class scope is active
Cannot access property started with '\\0'
Cannot access self:: when no class scope is active
Cannot access static:: when no class scope is active
Cannot access undefined property for object with overloaded property access
Cannot assign by reference to overloaded object
Cannot break/continue %d level%s
Cannot call abstract method
Cannot call constructor
Cannot call forward_static_call() when no class scope is active
Cannot call non static method
Cannot call overloaded function for non-object
Cannot call private
Cannot create references to/from string offsets
Cannot create references to/from string offsets nor overloaded objects
Cannot declare self-referencing constant
Cannot destroy active lambda function
Cannot get arguments for
Cannot increment/decrement overloaded objects nor string offsets
Cannot instantiate abstract class
Cannot instantiate interface
Cannot instantiate trait
Cannot override final
Cannot pass parameter
Cannot redeclare
Cannot redeclare class
Cannot register a reverse output handler conflict outside of MINIT
Cannot register an output handler alias outside of MINIT
Cannot register an output handler conflict outside of MINIT
Cannot resume an already running generator
Cannot return string offsets by reference
Cannot set non exception as previous exception
Cannot unset string offsets
Cannot use [] for reading
Cannot use assign-op operators with overloaded objects nor string offsets
Cannot use object as array
Cannot use object of type
Cannot use string offset as an array
Cannot use string offset as an object
Cannot yield from finally in a force-closed generator
Cannot yield string offsets by reference
Class entry requested for an object without PHP class
Class name must be a valid object or a string
Corrupted fcall_info provided to zend_call_function()
DCOM has been disabled by your administrator [com.allow_dcom=0]
DateFormat class not defined
DateTimeInterface can't be implemented by user classes
EXTREMELY fatal error: jmpbuf unrecoverable; terminating
EXTREMELY fatal error: jmpbuf unrecoverable; terminating.
EXTREMELY fatal error: longjmp returned control; terminating
Encoding: '*' may only be first arraySize value in list
Encoding: Attribute
Encoding: Can't decode apache map, missing key
Encoding: Can't decode apache map, missing value
Encoding: Can't decode apache map, only Strings or Longs are allowd as keys
Encoding: Cannot find encoding
Encoding: Element
Encoding: Error calling from_xml callback
Encoding: Error calling to_xml callback
Encoding: External reference
Encoding: Internal Error
Encoding: Invalid timestamp
Encoding: SoapVar has no 'enc_type' property
Encoding: Unresolved reference
Encoding: Violation of encoding rules
Encoding: Violation of id and ref information items
Encoding: object has no '
Encoding: object has no 'any' property
Encoding: string '
Error installing signal handler for
Exception thrown without a stack frame
Exceptions must be valid objects derived from the Exception base class
Failed to clone SpoofChecker object
Failed to register IntlDateFormatter class
Failed to register MessageFormatter class
Failed to register NumberFormatter class
Failed to register ResourceBundle class
Field width %d is too long
First array member is not a valid class name or object
Function name must be a string
Illegal length modifier specified
Illegal offset type
Input string is too long
Invalid RelaxNG Validation Context
Invalid Schema Validation Context
Invalid opcode
Invalid serialization data for DatePeriod object
Invalid serialization data for DateTime object
Invalid serialization data for DateTimeImmutable object
Maximum execution time of
Method name must be a string
Need to supply an object when throwing an exception
Nesting level too deep - recursive dependency?
NumberFormatter class not defined
Object does not support method calls
Only variables can be passed by reference
PDO: driver
Parsing Schema: <restriction> or <extension> expected in complexContent
Parsing Schema: attribute
Parsing Schema: attribute has both 'ref' and 'type' attributes
Parsing Schema: attribute has both 'ref' attribute and subtype
Parsing Schema: attribute has both 'type' attribute and subtype
Parsing Schema: attribute has no 'name' nor 'ref' attributes
Parsing Schema: attributeGroup
Parsing Schema: attributeGroup has both 'ref' attribute and subattribute
Parsing Schema: attributeGroup has no 'name' nor 'ref' attributes
Parsing Schema: can't import schema from
Parsing Schema: complexType has no 'name' attribute
Parsing Schema: element has both 'default' and 'fixed' attributes
Parsing Schema: element has both 'itemType' attribute and subtype
Parsing Schema: element has both 'ref' and 'fixed' attributes
Parsing Schema: element has both 'ref' and 'nillable' attributes
Parsing Schema: element has both 'ref' and 'type' attributes
Parsing Schema: element has both 'ref' attribute and subtype
Parsing Schema: element has both 'type' attribute and subtype
Parsing Schema: element has no 'name' nor 'ref' attributes
Parsing Schema: expected <restriction> or <extension> in simpleContent
Parsing Schema: expected <restriction>, <list> or <union> in simpleType
Parsing Schema: extension has no 'base' attribute
Parsing Schema: group has both 'ref' attribute and subcontent
Parsing Schema: group has no 'name' nor 'ref' attributes
Parsing Schema: include has no 'schemaLocation' attribute
Parsing Schema: missing restriction value
Parsing Schema: redefine has no 'schemaLocation' attribute
Parsing Schema: restriction has no 'base' attribute
Parsing Schema: simpleType has no 'name' attribute
Parsing Schema: unexpected
Parsing Schema: unresolved element 'ref' attribute
Parsing Schema: unresolved group 'ref' attribute
Parsing WSDL: <binding>
Parsing WSDL: <binding> has no name attribute
Parsing WSDL: <fault> with name
Parsing WSDL: <message> has no name attribute
Parsing WSDL: <portType>
Parsing WSDL: <portType> has no name attribute
Parsing WSDL: <service>
Parsing WSDL: <service> has no name attribute
Parsing WSDL: Could not find any usable binding services in WSDL.
Parsing WSDL: Couldn't bind to service
Parsing WSDL: Couldn't find <definitions> in
Parsing WSDL: Couldn't load from
Parsing WSDL: Missing 'name' attribute for <binding>
Parsing WSDL: Missing 'name' attribute for <operation>
Parsing WSDL: Missing 'type' attribute for <binding>
Parsing WSDL: Missing <message> with name
Parsing WSDL: Missing <portType> with name
Parsing WSDL: Missing <portType>/<operation> with name
Parsing WSDL: Missing message attribute for <header>
Parsing WSDL: Missing name for <fault> of
Parsing WSDL: Missing name for <input> of
Parsing WSDL: Missing name for <output> of
Parsing WSDL: Missing part '%s' in <message>
Parsing WSDL: Missing part attribute for <header>
Parsing WSDL: No <binding> element with name
Parsing WSDL: No address associated with <port>
Parsing WSDL: No binding associated with <port>
Parsing WSDL: No location associated with <port>
Parsing WSDL: No name associated with <part>
Parsing WSDL: The fault message
Parsing WSDL: Unexpected WSDL element <
Parsing WSDL: Unexpected extensibility element <
Parsing WSDL: Unknown encodingStyle '
Parsing WSDL: Unknown required WSDL extension '
Parsing WSDL: Unspecified encodingStyle
Possible integer overflow in memory allocation (
Second array member is not a valid method
Spoofchecker class not defined
String size overflow
The object to be iterated is in an invalid state: "
Trying to clone an uncloneable object
Trying to clone an uncloneable object of class
Unable to call
Unable to cast node to string
Undefined class constant '
Undefined constant '
Undefined offset for object of type
Unexpected inconsistency in create_function()
Unknown SOAP version
Unknown typehint
Unsupported operand types
Using $this when not in object context
Wrong parameters for ErrorException(
Wrong parameters for Exception(
You MUST load PDO before loading any PDO drivers
[] operator not supported for strings
and must therefore be declared abstract or implement the remaining methods
namespace must not match the enclosing schema 'targetNamespace'
requires PDO API version
PDO Connection Error: SQLSTATE[HY000]
(HY000/2002): Connection refused

39
confs/owasp-crs/php-function-names-933150.data Normal file
View File

@ -0,0 +1,39 @@
__halt_compiler
apache_child_terminate
base64_decode
bzdecompress
call_user_func
call_user_func_array
call_user_method
call_user_method_array
convert_uudecode
file_get_contents
file_put_contents
fsockopen
gzdecode
gzinflate
gzuncompress
include_once
invokeargs
pcntl_exec
pcntl_fork
pfsockopen
posix_getcwd
posix_getpwuid
posix_getuid
posix_uname
ReflectionFunction
require_once
shell_exec
str_rot13
sys_get_temp_dir
wp_remote_fopen
wp_remote_get
wp_remote_head
wp_remote_post
wp_remote_request
wp_safe_remote_get
wp_safe_remote_head
wp_safe_remote_post
wp_safe_remote_request
zlib_decode

1269
confs/owasp-crs/php-function-names-933151.data Normal file
View File

File diff suppressed because it is too large Load Diff

19
confs/owasp-crs/php-variables.data Normal file
View File

@ -0,0 +1,19 @@
$GLOBALS
$HTTP_COOKIE_VARS
$HTTP_ENV_VARS
$HTTP_GET_VARS
$HTTP_POST_FILES
$HTTP_POST_VARS
$HTTP_RAW_POST_DATA
$HTTP_REQUEST_VARS
$HTTP_SERVER_VARS
$_COOKIE
$_ENV
$_FILES
$_GET
$_POST
$_REQUEST
$_SERVER
$_SESSION
$argc
$argv

116
confs/owasp-crs/restricted-files.data Normal file
View File

@ -0,0 +1,116 @@
# Apache
# (no slash; also guards against old.htaccess, old.htpasswd, etc.)
.htaccess
.htdigest
.htpasswd
# dotfiles (keep in sync with lfi-os-files.data)
.aptitude/config
.bash_config
.bash_history
.bash_logout
.bash_profile
.bashrc
.cache/notify-osd.log
.config/odesk/odesk team.conf
.cshrc
.drush/
.gitconfig
.gnupg/
.hplip/hplip.conf
.ksh_history
.lesshst
.lftp/
.lhistory
.lldb-history
.local/share/mc/
.my.cnf
.mysql_history
.nano_history
.node_repl_history
.nsr
.pearrc
.php_history
.pki/
.profile
.psql_history
.python_history
.rediscli_history
.Rhistory
.sh_history
.sqlite_history
.ssh/authorized_keys
.ssh/config
.ssh/id_dsa
.ssh/id_dsa.pub
.ssh/id_rsa
.ssh/id_rsa.pub
.ssh/identity
.ssh/identity.pub
.ssh/known_hosts
.subversion/auth
.subversion/config
.subversion/servers
.tconn/tconn.conf
.tcshrc
.vidalia/vidalia.conf
.viminfo
.vimrc
.xauthority
.zhistory
.zshrc
.zsh_history
.nsconfig
# Version control
/.git/
/.gitignore
/.hg/
/.hgignore
/.svn/
# Wordpress
wp-config.php
wp-config.bak
wp-config.old
wp-config.temp
wp-config.tmp
wp-config.txt
# Symfony
/config/config.yml
/config/config_dev.yml
/config/config_prod.yml
/config/config_test.yml
/config/parameters.yml
/config/routing.yml
/config/security.yml
/config/services.yml
# Drupal
/sites/default/default.settings.php
/sites/default/settings.php
/sites/default/settings.local.php
# Magento
/app/etc/local.xml
# Sublime Text
/sftp-config.json
# ASP.NET
/Web.config
# Node
/package.json
/package-lock.json
/gruntfile.js
/npm-debug.log
/ormconfig.json
/tsconfig.json
/webpack.config.js
/yarn.lock
# Composer
/composer.json
/composer.lock
/packages.json
# dotenv
/.env
/.env
# OSX
/.DS_Store
# WS FTP
/.ws_ftp.ini
# common, old network config file
.netrc

23
confs/owasp-crs/restricted-upload.data Normal file
View File

@ -0,0 +1,23 @@
# Apache webserver
.htaccess
.htdigest
.htpasswd
# WordPress configuration file
wp-config.php
# Symfony configuration files
config.yml
config_dev.yml
config_prod.yml
config_test.yml
parameters.yml
routing.yml
security.yml
services.yml
# Drupal configuration files
default.settings.php
settings.php
settings.local.php
# Magento configuration files
local.xml
# dotenv configuration file
.env

8
confs/owasp-crs/scanners-headers.data Normal file
View File

@ -0,0 +1,8 @@
acunetix-product
(acunetix web vulnerability scanner
acunetix-scanning-agreement
acunetix-user-agreement
myvar=1234
x-ratproxy-loop
bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14
x-scanner

17
confs/owasp-crs/scanners-urls.data Normal file
View File

@ -0,0 +1,17 @@
/.adSensepostnottherenonobook
/<invalid>hello.html
/actSensepostnottherenonotive
/acunetix-wvs-test-for-some-inexistent-file
/antidisestablishmentarianism
/appscan_fingerprint/mac_address
/arachni-
/cybercop
/nessus_is_probing_you_
/nessustest
/netsparker-
/rfiinc.txt
/thereisnowaythat-you-canbethere
/w3af/remotefileinclude.html
appscan_fingerprint
w00tw00t.at.ISC.SANS.DFind
w00tw00t.at.blackhats.romanian.anti-sec

195
confs/owasp-crs/scanners-user-agents.data Normal file
View File

@ -0,0 +1,195 @@
# Vulnerability scanners, bruteforce password crackers and exploitation tools
# password cracker
# http://sectools.org/tool/hydra/
(hydra)
# vuln scanner
# http://virtualblueness.net/nasl.html
.nasl
# sql injection
# https://sourceforge.net/projects/absinthe/
absinthe
# email harvesting
# dead? 2004
advanced email extractor
# vuln scanner
# http://www.arachni-scanner.com/
arachni/
autogetcontent
# nessus frontend
# http://www.crossley-nilsen.com/Linux/Bilbo_-_Nessus_WEB/bilbo_-_nessus_web.html
# dead? 2003
bilbo
# Backup File Artifacts Checker
# https://github.com/mazen160/bfac
BFAC
# password cracker
# http://sectools.org/tool/brutus/
brutus
brutus/aet
# sql injection
# https://www.notsosecure.com/bsqlbf-v2-blind-sql-injection-brute-forcer/
bsqlbf
# vuln scanner
# http://freecode.com/projects/cgichk dead? 2001
cgichk
# vuln scanner
# https://sourceforge.net/projects/cisco-torch/
cisco-torch
# vuln scanner
# https://github.com/stasinopoulos/commix
commix
# MS FrontPage vuln scanner?
core-project/1.0
# vuln scanner?
crimscanner/
# vuln scanner
datacha0s
# hidden page scanner
# https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
dirbuster
# vuln scanner
# https://sourceforge.net/projects/dominohunter/
domino hunter
# vuln scanner - directory traversal fuzzer
# https://github.com/wireghoul/dotdotpwn
dotdotpwn
email extractor
# vuln scanner
fhscan core 1.
floodgate
# "F-Secure Radar is a turnkey vulnerability scanning and management platform."
F-Secure Radar
get-minimal
# vuln scanner
gootkit auto-rooter scanner
grabber
# vuln scanner
# https://sourceforge.net/projects/grendel/
grendel-scan
# sql injection
havij
# vuln scanner - path disclosure finder
# http://seclists.org/fulldisclosure/2010/Sep/375
inspath
internet ninja
# vuln scanner
jaascois
# vuln scanner
zmeu
# port scanner
# https://github.com/robertdavidgraham/masscan
masscan
# vuln scanner
# http://www.severus.org/sacha/metis/
metis
# vuln scanner
morfeus fucking scanner
# sql injection
# https://github.com/dtrip/mysqloit
mysqloit
# vuln scanner
# http://www.nstalker.com/
n-stealth
# vuln scanner
# http://www.tenable.com/products/nessus-vulnerability-scanner
nessus
# vuln scanner
# https://www.netsparker.com/web-vulnerability-scanner/
netsparker
# vuln scanner
# https://cirt.net/Nikto2
nikto
# vuln scanner
nmap nse
nmap scripting engine
nmap-nse
# vuln scanner
# http://www.nsauditor.com/
nsauditor
# vuln scanner
# http://www.openvas.org/
openvas
# sql injection
# http://www.vealtel.com/software/nosec/pangolin/
pangolin
# web proxy & vuln scanner
# https://sourceforge.net/projects/paros/
paros
# phpmyadmin vuln scanner
# dead 2005?
pmafind
prog.customcrawler
# vuln scanner
# https://www.qualys.com/suite/web-application-scanning/
qualys was
s.t.a.l.k.e.r.
security scan
# vuln scanner
# https://sourceforge.net/projects/springenwerk/
springenwerk
# sql injection
# http://www.sqlpowerinjector.com/
sql power injector
# sql injection
# http://sqlmap.org/
sqlmap
# sql injection
# http://sqlninja.sourceforge.net/
sqlninja
# password cracker
# http://foofus.net/goons/jmk/medusa/medusa.html
teh forest lobster
this is an exploit
# vuln scanner?
toata dragostea
toata dragostea mea pentru diavola
# SQL bot
# http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=22142&signatureSubId=0
uil2pn
# badly scripted UAs (e.g. User-Agent: User-Agent: foo)
user-agent:
# vuln scannr
# https://subgraph.com/vega/
vega/
# vuln scanner
# dead?
voideye
# vuln scanner
# http://w3af.org/
w3af.sf.net
w3af.sourceforge.net
w3af.org
# site scanner (legacy)
# http://www.robotstxt.org/db/webbandit.html
webbandit
# vuln scanner
# http://www8.hp.com/us/en/software-solutions/webinspect-dynamic-analysis-dast/
webinspect
# site scanner
# http://www.scrt.ch/en/attack/downloads/webshag
webshag
# vuln scanner
# dead?
webtrends security analyzer
# vuln scanner
# https://github.com/hhucn/webvulnscan
webvulnscan
# web technology scanner
# https://www.morningstarsecurity.com/research/whatweb
whatweb
# vuln scanner
whcc/
# exploit poc
wordpress hash grabber
# exploit
xmlrpc exploit
# wordpress vuln scanner
# https://wpscan.org/
WPScan
# vuln scanner
# https://github.com/mazen160/struts-pwn
struts-pwn
# Detectify website vulnerability scanner
# https://detectify.com/
Detectify

28
confs/owasp-crs/scripting-user-agents.data Normal file
View File

@ -0,0 +1,28 @@
# Generic HTTP clients (popular libraries)
# http library
# http://search.cpan.org/~opera/HTTP-DAV/DAV.pm
dav.pm/v
# http library
# http://search.cpan.org/dist/libwww-perl/lib/LWP.pm
libwww-perl
# generic
mozilla/4.0 (compatible)
mozilla/4.0 (compatible; msie 6.0; win32)
mozilla/5.0 sf/
mozilla/5.0 sf//
# http library
# https://pypi.python.org/pypi/httplib2
python-httplib2
# http library
# http://docs.python-requests.org/en/master/
python-requests
# http library
# https://docs.python.org/2/library/urllib.html
Python-urllib
# http library
# https://github.com/typhoeus/typhoeus
typhoeus
# http library
# https://msdn.microsoft.com/en-us/library/windows/desktop/aa382925%28v=vs.85%29.aspx
winhttp.winhttprequest

80
confs/owasp-crs/sql-errors.data Normal file
View File

@ -0,0 +1,80 @@
MySqlClient.
Server message
SQL error
Oracle error
JET Database Engine
Procedure or function
SQLite.Exception
[IBM][CLI Driver][DB2/6000]
the used select statements have different number of columns
org.postgresql.util.PSQLException
Access Database Engine
Incorrect syntax near
Syntax error in string in query expression
SQLiteException
' doesn't exist
CLI Driver
on MySQL result index
sybase
com.informix.jdbc
[MySQL][ODBC
Error
has occurred in the vicinity of:
Sintaxis incorrecta cerca de
MySQL server version for the right syntax to use
com.mysql.jdbc.exceptions
You have an error in your SQL syntax near
You have an error in your SQL syntax;
An illegal character has been found in the statement
pg_query() [:
supplied argument is not a valid MySQL
mssql_query()
mysql_fetch_array()
Exception
java.sql.SQLException
Column count doesn't match value count at row
Sybase message
SQL Server
PostgreSQL query failed:
Dynamic SQL Error
System.Data.SQLite.SQLiteException
SQLite/JDBCDriver
Unclosed quotation mark before the character string
System.Data.SqlClient.
Unclosed quotation mark after the character string
System.Data.OleDb.OleDbException
[DM_QUERY_E_SYNTAX]
[SqlException
Unexpected end of command in statement
valid PostgreSQL result
pg_exec() [:
SQL Server
[SQLITE_ERROR]
Microsoft OLE DB Provider for ODBC Drivers
PostgreSQL
org.hsqldb.jdbc
ADODB.Field (0x800A0BCD)
SQL syntax
Exception
System.Data.SqlClient.SqlException
Data type mismatch in criteria expression.
Driver
DB2 SQL error
Sybase message:
ORA-
[Microsoft][ODBC SQL Server Driver]
'80040e14'
Microsoft OLE DB Provider for SQL Server
in query expression
Npgsql.
valid MySQL result
supplied argument is not a valid PostgreSQL result
db2_
Ingres SQLSTATE
Column count doesn't match
Warning
[Microsoft][ODBC Microsoft Access Driver]
[Macromedia][SQLServer JDBC Driver]
<b>Warning</b>: ibase_
Roadhouse.Cms.
DB2 SQL error:

236
confs/owasp-crs/sql-function-names.data Normal file
View File

@ -0,0 +1,236 @@
abs
acos
adddate
addtime
aes_decrypt
aes_encrypt
ascii
asciistr
asin
atan
atan2
avg
benchmark
bin
bin_to_num
bit_and
bit_count
bit_length
bit_or
bit_xor
cast
ciel
cieling
char_length
char
character_length
charset
chr
coalesce
coercibility
collation
compress
concat_ws
concat
connection_id
conv
convert_tz
convert
cos
cot
count
dcount
cr32
curdate
current_date
current_time
current_timestamp
current_user
curtime
database
date
date_add
date_format
date_sub
datediff
day
dayname
dayofmonth
dayofweek
dayofyear
decode
default
degrees
des_decrypt
des_encrypt
dump
elt
encode
encrypt
exp
export_set
extract
extractvalue
field
field_in_set
find_in_set
floor
format
found_rows
from_base64
from_days
from_unixtime
get_format
get_lock
greatest
group_concat
hex
hextoraw
rawtohex
hour
if
ifnull
in
inet6_aton
inet6_ntoa
inet_aton
inet_ntoa
insert
instr
interval
isnull
is_free_lock
is_ipv4_compat
is_ipv4_mapped
is_ipv4
is_ipv6
is_not_null
is_not
is_null
is_used_lock
last
last_day
last_inser_id
lcase
least
left
length
ln
load_file
local
localtimestamp
locate
log
log2
log10
lower
lpad
ltrim
make_set
makedate
master_pos_wait
max
md5
microsecond
mid
min
minute
mod
month
monthname
name_const
not_in
now
nullif
oct
octet_length
old_password
ord
password
period_add
period_diff
pi
position
pow
power
procedure_analyse
quarter
quote
radians
rand
release_lock
repeat
replace
reverse
right
round
row_count
rpad
rtrim
schema
sec_to_time
second
session_user
sha
sha1
sha2
sign
sin
pg_sleep
sleep
soundex
space
sqrt
std
stddev_pop
stddev_samp
str_to_date
strcmp
subdate
substring
substring_index
substr
subtime
sum
sysdate
system_user
tan
time
timestamp
timestampadd
timestampdiff
timediff
time_format
time_to_sec
to_base64
todays
toseconds
tochar
tonchar
trim
truncate
ucase
uncompress
uncompressed_length
unhex
unix_timestamp
updatexml
upper
user
utc_date
utc_time
utc_timestamp
uuid
uuid_short
values
var_pop
var_samp
variance
version
week
weekday
weekofyear
weight_string
year
yearweek
xmltype

78
confs/owasp-crs/unix-shell.data Normal file
View File

@ -0,0 +1,78 @@
bin/bash
bin/cat
bin/csh
bin/dash
bin/du
bin/echo
bin/grep
bin/less
bin/ls
bin/more
bin/nc
bin/ps
bin/rbash
bin/sh
bin/sleep
bin/su
bin/tcsh
bin/uname
dev/fd/
dev/null
dev/stderr
dev/stdin
dev/stdout
dev/tcp/
dev/udp/
dev/zero
etc/group
etc/master.passwd
etc/passwd
etc/pwd.db
etc/shadow
etc/shells
etc/spwd.db
proc/self/
usr/bin/cc
usr/bin/clang
usr/bin/clang++
usr/bin/curl
usr/bin/diff
usr/bin/env
usr/bin/fetch
usr/bin/file
usr/bin/find
usr/bin/ftp
usr/bin/gcc
usr/bin/head
usr/bin/id
usr/bin/less
usr/bin/more
usr/bin/nc
usr/bin/nice
usr/bin/nmap
usr/bin/perl
usr/bin/php
usr/bin/php5
usr/bin/php7
usr/bin/python
usr/bin/python2
usr/bin/python3
usr/bin/ruby
usr/bin/tail
usr/bin/top
usr/bin/uname
usr/bin/wget
usr/bin/who
usr/bin/whoami
usr/bin/xargs
usr/local/bin/bash
usr/local/bin/curl
usr/local/bin/nmap
usr/local/bin/perl
usr/local/bin/php
usr/local/bin/python
usr/local/bin/python2
usr/local/bin/python3
usr/local/bin/rbash
usr/local/bin/ruby
usr/local/bin/wget

253
confs/owasp-crs/windows-powershell-commands.data Normal file
View File

@ -0,0 +1,253 @@
powershell.exe
Add-BitsFile
Add-Computer
Add-Content
Add-History
Add-Member
Add-PSSnapin
Add-Type
Checkpoint-Computer
Clear-Content
Clear-EventLog
Clear-History
Clear-Item
Clear-ItemProperty
Clear-Variable
Compare-Object
Complete-BitsTransfer
Complete-Transaction
Connect-WSMan
ConvertFrom-CSV
ConvertFrom-SecureString
ConvertFrom-StringData
Convert-Path
ConvertTo-CSV
ConvertTo-Html
ConvertTo-SecureString
ConvertTo-XML
Copy-Item
Copy-ItemProperty
Debug-Process
Disable-ComputerRestore
Disable-PSBreakpoint
Disable-PSSessionConfiguration
Disable-WSManCredSSP
Disconnect-WSMan
Enable-ComputerRestore
Enable-PSBreakpoint
Enable-PSRemoting
Enable-PSSessionConfiguration
Enable-WSManCredSSP
Enter-PSSession
Exit-PSSession
Export-Alias
Export-Clixml
Export-Console
Export-Counter
Export-CSV
Export-FormatData
Export-ModuleMember
Export-PSSession
ForEach-Object
Format-Custom
Format-List
Format-Table
Format-Wide
Get-Acl
Get-Alias
Get-AppLockerFileInformation
Get-AppLockerPolicy
Get-AuthenticodeSignature
Get-BitsTransfer
Get-ChildItem
Get-Command
Get-ComputerRestorePoint
Get-Content
Get-Counter
Get-Credential
Get-Culture
Get-Event
Get-EventLog
Get-EventSubscriber
Get-ExecutionPolicy
Get-FormatData
Get-History
Get-Host
Get-HotFix
Get-Item
Get-ItemProperty
Get-Job
Get-Location
Get-Member
Get-Module
Get-PfxCertificate
Get-Process
Get-PSBreakpoint
Get-PSCallStack
Get-PSDrive
Get-PSProvider
Get-PSSession
Get-PSSessionConfiguration
Get-PSSnapin
Get-Random
Get-Service
Get-TraceSource
Get-Transaction
Get-TroubleshootingPack
Get-UICulture
Get-Unique
Get-Variable
Get-WinEvent
Get-WmiObject
Get-WSManCredSSP
Get-WSManInstance
Group-Object
Import-Alias
Import-Clixml
Import-Counter
Import-CSV
Import-LocalizedData
Import-Module
Import-PSSession
Invoke-Command
Invoke-Expression
Invoke-History
Invoke-Item
Invoke-TroubleshootingPack
Invoke-WmiMethod
Invoke-WSManAction
Join-Path
Limit-EventLog
Measure-Command
Measure-Object
Move-Item
Move-ItemProperty
New-Alias
New-AppLockerPolicy
New-Event
New-EventLog
New-Item
New-ItemProperty
New-Module
New-ModuleManifest
New-Object
New-PSDrive
New-PSSession
New-PSSessionOption
New-Service
New-TimeSpan
New-Variable
New-WebServiceProxy
New-WSManInstance
New-WSManSessionOption
Out-Default
Out-File
Out-GridView
Out-Host
Out-Null
Out-Printer
Out-String
Pop-Location
Push-Location
Read-Host
Receive-Job
Register-EngineEvent
Register-ObjectEvent
Register-PSSessionConfiguration
Register-WmiEvent
Remove-BitsTransfer
Remove-Computer
Remove-Event
Remove-EventLog
Remove-Item
Remove-ItemProperty
Remove-Job
Remove-Module
Remove-PSBreakpoint
Remove-PSDrive
Remove-PSSession
Remove-PSSnapin
Remove-Variable
Remove-WmiObject
Remove-WSManInstance
Rename-Item
Rename-ItemProperty
Reset-ComputerMachinePassword
Resolve-Path
Restart-Computer
Restart-Service
Restore-Computer
Resume-BitsTransfer
Resume-Service
Select-Object
Select-String
Select-XML
Send-MailMessage
Set-Acl
Set-Alias
Set-AppLockerPolicy
Set-AuthenticodeSignature
Set-BitsTransfer
Set-Content
Set-Date
Set-ExecutionPolicy
Set-Item
Set-ItemProperty
Set-Location
Set-PSBreakpoint
Set-PSDebug
Set-PSSessionConfiguration
Set-Service
Set-StrictMode
Set-TraceSource
Set-Variable
Set-WmiInstance
Set-WSManInstance
Set-WSManQuickConfig
Show-EventLog
Sort-Object
Split-Path
Start-BitsTransfer
Start-Job
Start-Process
Start-Service
Start-Sleep
Start-Transaction
Start-Transcript
Stop-Computer
Stop-Job
Stop-Process
Stop-Service
Stop-Transcript
Suspend-BitsTransfer
Suspend-Service
Tee-Object
Test-AppLockerPolicy
Test-ComputerSecureChannel
Test-Connection
Test-ModuleManifest
Test-Path
Test-WSMan
Trace-Command
Undo-Transaction
Unregister-Event
Unregister-PSSessionConfiguration
Update-FormatData
Update-List
Update-TypeData
Use-Transaction
Wait-Event
Wait-Job
Wait-Process
Where-Object
Write-Debug
Write-Error
Write-EventLog
Write-Host
Write-Output
Write-Progress
Write-Verbose
Write-Warning
-EncodedCommand
-ExecutionPolicy
-PSConsoleFile

5
confs/php.conf Normal file
View File

@ -0,0 +1,5 @@
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi.conf;
}

1950
confs/php.ini Normal file
View File

File diff suppressed because it is too large Load Diff

1
confs/referrer-policy.conf Normal file
View File

@ -0,0 +1 @@
more_set_headers "Referrer-Policy: %REFERRER_POLICY%";

26
confs/server.conf Normal file
View File

@ -0,0 +1,26 @@
server {
%LISTEN_HTTP%
%AUTO_LETS_ENCRYPT%
server_name %SERVER_NAME%;
root /www;
index index.html index.php;
location / {
try_files $uri $uri/ =404;
%BLOCK_TOR_EXIT_NODE%
}
if ($request_method !~ ^(%ALLOWED_METHODS%)$)
{
return 405;
}
%USE_PHP%
%HEADER_SERVER%
%X_FRAME_OPTIONS%
%X_XSS_PROTECTION%
%X_CONTENT_TYPE_OPTIONS%
# TODO : CSP
%REFERRER_POLICY%
%FEATURE_POLICY%
%BLOCK_COUNTRY%
%BLOCK_USER_AGENT%
%ERRORS%
}

1
confs/x-content-type-options.conf Normal file
View File

@ -0,0 +1 @@
more_set_headers "X-Content-Type-Options: %X_CONTENT_TYPE_OPTIONS%";

1
confs/x-frame-options.conf Normal file
View File

@ -0,0 +1 @@
more_set_headers "X-Frame-Options: %X_FRAME_OPTIONS%";

1
confs/x-xss-protection.conf Normal file
View File

@ -0,0 +1 @@
more_set_headers "X-XSS-Protection: %X_XSS_PROTECTION%";

229
entrypoint.sh Normal file
View File

@ -0,0 +1,229 @@
#!/bin/sh
# replace pattern in file
function replace_in_file() {
# escape slashes
pattern=$(echo "$2" | sed "s/\//\\\\\//g")
replace=$(echo "$3" | sed "s/\//\\\\\//g")
sed -i "s/$pattern/$replace/g" "$1"
}
# copy stub confs
cp /opt/confs/*.conf /etc/nginx
cp -r /opt/confs/owasp-crs /etc/nginx
cp /opt/confs/php.ini /etc/php7/php.ini
# remove cron jobs
echo "" > /etc/crontabs/root
# set default values
MAX_CLIENT_SIZE="${MAX_CLIENT_SIZE:-10m}"
SERVER_TOKENS="${SERVER_TOKENS:-off}"
CACHE="${CACHE:-max=1000 inactive=60s}"
CACHE_ERRORS="${CACHE_ERRORS:-on}"
CACHE_USES="${CACHE_USES:-1}"
CACHE_VALID="${CACHE_VALID:-60s}"
#CLIENT_CACHE="${CLIENT_CACHE}:-css|gif|htm|html|ico|jpeg|jpg|js|png|svg|tif|tiff|eot|otf|ttf|woff|woff2"
#CLIENT_CACHE_EXPIRES="${CLIENT_CACHE_EXPIRES}:-1d}"
#CLIENT_CACHE_CONTROL=
USE_GZIP="${USE_GZIP:-off}"
GZIP_COMP_LEVEL="${GZIP_COMP_LEVEL:-6}"
GZIP_MIN_LENGTH="${GZIP_MIN_LENGTH:-10240}"
GZIP_TYPES="${GZIP_TYPES:-text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml application/rss+xml application/atom+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml}"
USE_PHP="${USE_PHP:-yes}"
HEADER_SERVER="${HEADER_SERVER:-no}"
X_FRAME_OPTIONS="${X_FRAME_OPTIONS:-DENY}"
X_XSS_PROTECTION="${X_XSS_PROTECTION:-1; mode=block}"
X_CONTENT_TYPE_OPTIONS="${X_CONTENT_TYPE_OPTIONS:-nosniff}"
REFERRER_POLICY="${REFERRER_POLICY:-no-referrer}"
FEATURE_POLICY="${FEATURE_POLICY:-accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'}"
DISABLE_DEFAULT_SERVER="${DISABLE_DEFAULT_SERVER:-no}"
SERVER_NAME="${SERVER_NAME:-www.bunkerity.io}"
ALLOWED_METHODS="${ALLOWED_METHODS:-GET|POST|HEAD}"
BLOCK_COUNTRY="${BLOCK_COUNTRY:-}"
BLOCK_USER_AGENT="${BLOCK_USER_AGENT:-yes}"
AUTO_LETS_ENCRYPT="${AUTO_LETS_ENCRYPT:-no}"
HTTP2="${HTTP2:-yes}"
STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY:-max-age=31536000}"
PHP_EXPOSE="${PHP_EXPOSE:-no}"
PHP_DISPLAY_ERRORS="${PHP_DISPLAY_ERRORS:-no}"
PHP_OPEN_BASEDIR="${PHP_OPEN_BASEDIR:-/www/}"
PHP_ALLOW_URL_FOPEN="${PHP_ALLOW_URL_FOPEN:-no}"
PHP_ALLOW_URL_INCLUDE="${PHP_ALLOW_URL_INCLUDE:-no}"
PHP_FILE_UPLOADS="${PHP_FILE_UPLOADS:-yes}"
PHP_UPLOAD_MAX_FILESIZE="${PHP_UPLOAD_MAX_FILESIZE:-10M}"
PHP_DISABLE_FUNCTIONS="${PHP_DISABLE_FUNCTIONS:-system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo}"
USE_MODSECURITY="${USE_MODSECURITY:-yes}"
# replace values
replace_in_file "/etc/nginx/nginx.conf" "%MAX_CLIENT_SIZE%" "$MAX_CLIENT_SIZE"
replace_in_file "/etc/nginx/nginx.conf" "%SERVER_TOKENS%" "$SERVER_TOKENS"
replace_in_file "/etc/nginx/cache.conf" "%CACHE%" "$CACHE"
replace_in_file "/etc/nginx/cache.conf" "%CACHE_ERRORS%" "$CACHE_ERRORS"
replace_in_file "/etc/nginx/cache.conf" "%CACHE_USES%" "$CACHE_USES"
replace_in_file "/etc/nginx/cache.conf" "%CACHE_VALID%" "$CACHE_VALID"
replace_in_file "/etc/nginx/gzip.conf" "%USE_GZIP%" "$USE_GZIP"
replace_in_file "/etc/nginx/gzip.conf" "%GZIP_COMP_LEVEL%" "$GZIP_COMP_LEVEL"
replace_in_file "/etc/nginx/gzip.conf" "%GZIP_MIN_LENGTH%" "$GZIP_MIN_LENGTH"
replace_in_file "/etc/nginx/gzip.conf" "%GZIP_TYPES%" "$GZIP_TYPES"
if [ "$USE_PHP" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%USE_PHP%" "include /etc/nginx/php.conf;"
if [ "$PHP_EXPOSE" = "yes" ] ; then
replace_in_file "/etc/php7/php.ini" "%PHP_EXPOSE%" "On"
else
replace_in_file "/etc/php7/php.ini" "%PHP_EXPOSE%" "Off"
fi
if [ "$PHP_DISPLAY_ERRORS" = "yes" ] ; then
replace_in_file "/etc/php7/php.ini" "%PHP_DISPLAY_ERRORS%" "On"
else
replace_in_file "/etc/php7/php.ini" "%PHP_DISPLAY_ERRORS%" "Off"
fi
replace_in_file "/etc/php7/php.ini" "%PHP_OPEN_BASEDIR%" "$PHP_OPEN_BASEDIR"
if [ "$PHP_ALLOW_URL_FOPEN" = "yes" ] ; then
replace_in_file "/etc/php7/php.ini" "%PHP_ALLOW_URL_FOPEN%" "On"
else
replace_in_file "/etc/php7/php.ini" "%PHP_ALLOW_URL_FOPEN%" "Off"
fi
if [ "$PHP_ALLOW_URL_INCLUDE" = "yes" ] ; then
replace_in_file "/etc/php7/php.ini" "%PHP_ALLOW_URL_INCLUDE%" "On"
else
replace_in_file "/etc/php7/php.ini" "%PHP_ALLOW_URL_INCLUDE%" "Off"
fi
if [ "$PHP_FILE_UPLOADS" = "yes" ] ; then
replace_in_file "/etc/php7/php.ini" "%PHP_FILE_UPLOADS%" "On"
else
replace_in_file "/etc/php7/php.ini" "%PHP_FILE_UPLOADS%" "Off"
fi
replace_in_file "/etc/php7/php.ini" "%PHP_UPLOAD_MAX_FILESIZE%" "$PHP_UPLOAD_MAX_FILESIZE"
replace_in_file "/etc/php7/php.ini" "%PHP_DISABLE_FUNCTIONS%" "$PHP_DISABLE_FUNCTIONS"
else
replace_in_file "/etc/nginx/server.conf" "%USE_PHP%" ""
fi
if [ "$HEADER_SERVER" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%HEADER_SERVER%" ""
else
replace_in_file "/etc/nginx/server.conf" "%HEADER_SERVER%" "more_clear_headers 'Server';"
fi
if [ "$X_FRAME_OPTIONS" != "" ] ; then
replace_in_file "/etc/nginx/server.conf" "%X_FRAME_OPTIONS%" "include /etc/nginx/x-frame-options.conf;"
replace_in_file "/etc/nginx/x-frame-options.conf" "%X_FRAME_OPTIONS%" "$X_FRAME_OPTIONS"
else
replace_in_file "/etc/nginx/server.conf" "%X_FRAME_OPTIONS%" ""
fi
if [ "$X_XSS_PROTECTION" != "" ] ; then
replace_in_file "/etc/nginx/server.conf" "%X_XSS_PROTECTION%" "include /etc/nginx/x-xss-protection.conf;"
replace_in_file "/etc/nginx/x-xss-protection.conf" "%X_XSS_PROTECTION%" "$X_XSS_PROTECTION"
else
replace_in_file "/etc/nginx/server.conf" "%X_XSS_PROTECTION%" ""
fi
if [ "$X_CONTENT_TYPE_OPTIONS" != "" ] ; then
replace_in_file "/etc/nginx/server.conf" "%X_CONTENT_TYPE_OPTIONS%" "include /etc/nginx/x-content-type-options.conf;"
replace_in_file "/etc/nginx/x-content-type-options.conf" "%X_CONTENT_TYPE_OPTIONS%" "$X_CONTENT_TYPE_OPTIONS"
else
replace_in_file "/etc/nginx/server.conf" "%X_CONTENT_TYPE_OPTIONS%" ""
fi
if [ "$REFERRER_POLICY" != "" ] ; then
replace_in_file "/etc/nginx/server.conf" "%REFERRER_POLICY%" "include /etc/nginx/referrer-policy.conf;"
replace_in_file "/etc/nginx/referrer-policy.conf" "%REFERRER_POLICY%" "$REFERRER_POLICY"
else
replace_in_file "/etc/nginx/server.conf" "%REFERRER_POLICY%" ""
fi
if [ "$FEATURE_POLICY" != "" ] ; then
replace_in_file "/etc/nginx/server.conf" "%FEATURE_POLICY%" "include /etc/nginx/feature-policy.conf;"
replace_in_file "/etc/nginx/feature-policy.conf" "%FEATURE_POLICY%" "$FEATURE_POLICY"
else
replace_in_file "/etc/nginx/server.conf" "%FEATURE_POLICY%" ""
fi
if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%DISABLE_DEFAULT_SERVER%" "include /etc/nginx/disable-default-server.conf;"
else
replace_in_file "/etc/nginx/nginx.conf" "%DISABLE_DEFAULT_SERVER%" ""
fi
replace_in_file "/etc/nginx/server.conf" "%SERVER_NAME%" "$SERVER_NAME"
replace_in_file "/etc/nginx/server.conf" "%ALLOWED_METHODS%" "$ALLOWED_METHODS"
if [ ! -f /etc/nginx/geoip.mmdb ] ; then
/opt/scripts/geolite.sh
fi
if [ "$BLOCK_COUNTRY" != "" ] ; then
replace_in_file "/etc/nginx/server.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip.conf;"
replace_in_file "/etc/nginx/geoip.conf" "%BLOCK_COUNTRY%" "$(echo $BLOCK_COUNTRY | sed 's/ / no;\n/g') no;"
echo "0 0 * * * /opt/scripts/geolite.sh" >> /etc/crontabs/root
else
replace_in_file "/etc/nginx/server.conf" "%BLOCK_COUNTRY%" ""
fi
if [ "$BLOCK_USER_AGENT" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/block-user-agent.conf;"
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/map-user-agent.conf;"
/opt/scripts/user-agents.sh
echo "0 0 * * * /opt/scripts/user-agents.sh" >> /etc/crontabs/root
else
replace_in_file "/etc/nginx/server.conf" "%BLOCK_USER_AGENT%" ""
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" ""
fi
if [ "$BLOCK_TOR_EXIT_NODE" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%BLOCK_TOR_EXIT_NODE%" "include /etc/nginx/block-tor-exit-node.conf;"
/opt/scripts/exit-nodes.sh
echo "0 * * * * /opt/scripts/exit-nodes.sh" >> /etc/crontabs/root
else
replace_in_file "/etc/nginx/server.conf" "%BLOCK_TOR_EXIT_NODE%" ""
fi
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" ""
replace_in_file "/etc/nginx/server.conf" "%AUTO_LETS_ENCRYPT%" "include /etc/nginx/auto-lets-encrypt.conf;"
if [ "$HTTP2" = "yes" ] ; then
replace_in_file "/etc/nginx/auto-lets-encrypt.conf" "%HTTP2%" "http2"
else
replace_in_file "/etc/nginx/auto-lets-encrypt.conf" "%HTTP2%" ""
fi
replace_in_file "/etc/nginx/auto-lets-encrypt.conf" "%SERVER_NAME%" "$SERVER_NAME"
if [ "$STRICT_TRANSPORT_SECURITY" != "" ] ; then
replace_in_file "/etc/nginx/auto-lets-encrypt.conf" "%STRICT_TRANSPORT_SECURITY%" "more_set_headers 'Strict-Transport-Security: $STRICT_TRANSPORT_SECURITY';"
else
replace_in_file "/etc/nginx/auto-lets-encrypt.conf" "%STRICT_TRANSPORT_SECURITY%" ""
fi
echo "0 0 * * * /opt/scripts/certbot-renew.sh" >> /etc/crontabs/root
if [ -f /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem ] ; then
/opt/scripts/certbot-renew.sh
else
certbot certonly --standalone -n --preferred-challenges http -d $SERVER_NAME --email contact@$SERVER_NAME --agree-tos
fi
else
replace_in_file "/etc/nginx/server.conf" "%AUTO_LETS_ENCRYPT%" ""
replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:80;"
fi
if [ "$USE_MODSECURITY" = "yes" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%USE_MODSECURITY%" "include /etc/nginx/modsecurity.conf;"
else
replace_in_file "/etc/nginx/nginx.conf" "%USE_MODSECURITY%" ""
fi
ERRORS=""
for var in $(env) ; do
var_name=$(echo "$var" | cut -d '=' -f 1 | cut -d '_' -f 1)
if [ "z${var_name}" = "zERROR" ] ; then
err_code=$(echo "$var" | cut -d '=' -f 1 | cut -d '_' -f 2)
err_page=$(echo "$var" | cut -d '=' -f 2)
cp /opt/confs/error.conf /etc/nginx/error-${err_code}.conf
replace_in_file "/etc/nginx/error-${err_code}.conf" "%CODE%" "$err_code"
replace_in_file "/etc/nginx/error-${err_code}.conf" "%PAGE%" "$err_page"
ERRORS="${ERRORS}include /etc/nginx/error-${err_code}.conf;\n"
fi
done
if [ "$ERRORS" != "" ] ; then
replace_in_file "/etc/nginx/server.conf" "%ERRORS%" "$ERRORS"
else
replace_in_file "/etc/nginx/server.conf" "%ERRORS%" ""
fi
# start PHP
if [ "$USE_PHP" = "yes" ] ; then
php-fpm7
fi
# start crond
crond
# start nginx in foreground
# when nginx is killed, container get killed too
exec /usr/sbin/nginx

7
scripts/certbot-renew.sh Normal file
View File

@ -0,0 +1,7 @@
#!/bin/sh
certbot renew
if [ -f /run/nginx/nginx.pid ] ; then
/usr/sbin/nginx -s reload
fi

11
scripts/exit-nodes.sh Normal file
View File

@ -0,0 +1,11 @@
#!/bin/sh
BLACKLIST=$(curl "https://iplists.firehol.org/files/tor_exits.ipset")
DATA=""
for ip in $BLACKLIST ; do
DATA="${DATA}deny ${ip};\n"
done
echo $DATA > /etc/nginx/block-tor-exit-node.conf
if [ -f /run/nginx/nginx.pid ] ; then
/usr/sbin/nginx -s reload
fi

7
scripts/geolite.sh Normal file
View File

@ -0,0 +1,7 @@
#!/bin/sh
wget -O /etc/nginx/geoip.mmdb.gz https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.mmdb.gz
gunzip -f /etc/nginx/geoip.mmdb.gz
if [ -f /run/nginx/nginx.pid ] ; then
/usr/sbin/nginx -s reload
fi

22
scripts/user-agents.sh Executable file
View File

@ -0,0 +1,22 @@
#!/bin/sh
# replace pattern in file
function replace_in_file() {
# escape slashes
pattern=$(echo "$2" | sed "s/\//\\\\\//g")
replace=$(echo "$3" | sed "s/\//\\\\\//g")
replace=$(echo "$replace" | sed "s/\\ /\\\\ /g")
sed -i "s/$pattern/$replace/g" "$1"
}
BLACKLIST="$(curl https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list)"
DATA=""
IFS=$'\n'
for ua in $BLACKLIST ; do
DATA="${DATA}~*(?:\b)${ua}\(?:\b) yes;\n"
done
cp /opt/confs/map-user-agent.conf /etc/nginx/map-user-agent.conf
replace_in_file "/etc/nginx/map-user-agent.conf" "%BLOCK_USER_AGENT%" "$DATA"
if [ -f /run/nginx/nginx.pid ] ; then
/usr/sbin/nginx -s reload
fi

1
www/403.html Normal file
View File

@ -0,0 +1 @@
test 403

1
www/404.html Normal file
View File

@ -0,0 +1 @@
test 404

5
www/index.php Normal file
View File

@ -0,0 +1,5 @@
<?php
echo "Bunkerity FTW !";
?>