D7net
Home
Console
Upload
information
Create File
Create Folder
About
Tools
:
/
proc
/
self
/
root
/
opt
/
bitninja-waf
/
etc
/
crs
/
rules
/
Filename :
REQUEST-941-APPLICATION-ATTACK-XSS.conf
back
Copy
# ------------------------------------------------------------------------ # OWASP ModSecurity Core Rule Set ver.3.0.2 # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ # # -= Paranoia Level 0 (empty) =- (apply unconditionally) # SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:941011,nolog,pass,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:941012,nolog,pass,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" # # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher) # # # -=[ Libinjection - XSS Detection ]=- # # Ref: https://libinjection.client9.com/ # Ref: https://speakerdeck.com/ngalbreath/libinjection-from-sqli-to-xss # # -=[ Targets ]=- # # 941100: PL1 : REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/| # REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent| # ARGS_NAMES|ARGS|XML:/* # # 941101: PL2 : REQUEST_HEADERS:Referer # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@detectXSS" \ "msg:'XSS Attack Detected via libinjection',\ id:941100,\ phase:request,\ severity:'CRITICAL',\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'1',\ accuracy:'9',\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ block,\ ctl:auditLogParts=+E,\ capture,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.xss_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" # # -=[ XSS Filters - Category 1 ]=- # http://xssplayground.net23.net/xssfilter.html # script tag based XSS vectors, e.g., <script> alert(1)</script> # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "(?i)([<<]script[^>>]*[>>][\s\S]*?)" \ "msg:'XSS Filter - Category 1: Script Tag Vector',\ id:941110,\ phase:request,\ severity:'CRITICAL',\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'4',\ accuracy:'9',\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ block,\ ctl:auditLogParts=+E,\ capture,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.xss_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" # # -=[ XSS Filters - Category 2 ]=- # XSS vectors making use of event handlers like onerror, onload etc, e.g., <body onload="alert(1)"> # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "(?i)([\s\"'`;\/0-9\=\x0B\x09\x0C\x3B\x2C\x28\x3B]+on[a-zA-Z]+[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=)" \ "msg:'XSS Filter - Category 2: Event Handler Vector',\ id:941120,\ phase:request,\ severity:'CRITICAL',\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'4',\ accuracy:'8',\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ block,\ ctl:auditLogParts=+E,\ capture,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.xss_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" # # -=[ XSS Filters - Category 3 ]=- # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "(?i)[\s\S](?:x(?:link:href|html|mlns)|!ENTITY.*?SYSTEM|data:text\/html|pattern(?=.*?=)|formaction|\@import|base64)\b" \ "msg:'XSS Filter - Category 3: Attribute Vector',\ id:941130,\ phase:request,\ severity:'CRITICAL',\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'1',\ accuracy:'8',\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ block,\ ctl:auditLogParts=+E,\ capture,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.xss_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" # # -=[ XSS Filters - Category 4 ]=- # XSS vectors making use of javascript uri and tags, e.g., <p style="background:url(javascript:alert(1))"> # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "(?i)(?:<(?:(?:apple|objec)t|isindex|embed|style|form|meta)\b[^>]*?>[\s\S]*?|(?:=|U\s*?R\s*?L\s*?\()\s*?[^>]*?\s*?S\s*?C\s*?R\s*?I\s*?P\s*?T\s*?:)" \ "msg:'XSS Filter - Category 4: Javascript URI Vector',\ id:941140,\ severity:'CRITICAL',\ phase:request,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ rev:'3',\ ver:'OWASP_CRS/3.0.0',\ maturity:'1',\ accuracy:'8',\ block,\ ctl:auditLogParts=+E,\ capture,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.xss_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" # # -=[ NoScript XSS Filters ]=- # Ref: http://noscript.net/ # # [NoScript InjectionChecker] HTML injection # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "(?i)<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*(?:\W*?s\W*?c\W*?r\W*?i\W*?p\W*?t|\W*?f\W*?o\W*?r\W*?m|\W*?s\W*?t\W*?y\W*?l\W*?e|\W*?s\W*?v\W*?g|\W*?m\W*?a\W*?r\W*?q\W*?u\W*?e\W*?e|(?:\W*?l\W*?i\W*?n\W*?k|\W*?o\W*?b\W*?j\W*?e\W*?c\W*?t|\W*?e\W*?m\W*?b\W*?e\W*?d|\W*?a\W*?p\W*?p\W*?l\W*?e\W*?t|\W*?p\W*?a\W*?r\W*?a\W*?m|\W*?i?\W*?f\W*?r\W*?a\W*?m\W*?e|\W*?b\W*?a\W*?s\W*?e|\W*?b\W*?o\W*?d\W*?y|\W*?m\W*?e\W*?t\W*?a|\W*?i\W*?m\W*?a?\W*?g\W*?e?|\W*?v\W*?i\W*?d\W*?e\W*?o|\W*?a\W*?u\W*?d\W*?i\W*?o|\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g\W*?s|\W*?s\W*?e\W*?t|\W*?a\W*?n\W*?i\W*?m\W*?a\W*?t\W*?e)[^>\w])|(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:formaction|style|background|src|lowsrc|ping|on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)?|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|m(?:o(?:z(?:pointerlock(?:change|error)|(?:orientation|time)change|fullscreen(?:change|error)|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|u(?:ccess|spend|bmit)|peech(?:start|end)|ound(?:start|end)|croll|how)|b(?:e(?:for(?:e(?:(?:scriptexecu|activa)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|deactivate)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ime(?:update|out)|ransitionend|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom))[\s\x08]*?=" \ "msg:'NoScript XSS InjectionChecker: HTML Injection',\ id:941160,\ severity:'CRITICAL',\ phase:request,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'1',\ accuracy:'8',\ block,\ ctl:auditLogParts=+E,\ capture,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.xss_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" # # [NoScript InjectionChecker] Attributes injection # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "(?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\\\(\[\.<]|[\s\S]*?(?:\bname\b|\\[ux]\d))|data:(?:(?:[a-z]\w+\/\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))|@\W*?i\W*?m\W*?p\W*?o\W*?r\W*?t\W*?(?:\/\*[\s\S]*?)?(?:[\"']|\W*?u\W*?r\W*?l[\s\S]*?\()|\W*?-\W*?m\W*?o\W*?z\W*?-\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g[\s\S]*?:[\s\S]*?\W*?u\W*?r\W*?l[\s\S]*?\(" \ "msg:'NoScript XSS InjectionChecker: Attribute Injection',\ id:941170,\ severity:'CRITICAL',\ phase:request,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ rev:'3',\ ver:'OWASP_CRS/3.0.0',\ maturity:'1',\ accuracy:'8',\ block,\ ctl:auditLogParts=+E,\ capture,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.xss_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" # # [Blacklist Keywords from Node-Validator] # https://raw.github.com/chriso/node-validator/master/validator.js # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm document.cookie document.write .parentnode .innerhtml window.location -moz-binding <!-- --> <![cdata[" \ "msg:'Node-Validator Blacklist Keywords',\ id:941180,\ severity:'CRITICAL',\ phase:request,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'1',\ accuracy:'8',\ block,\ ctl:auditLogParts=+E,\ capture,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.xss_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" # # -=[ XSS Filters from IE ]=- # Ref: http://blogs.technet.com/srd/archive/2008/08/18/ie-8-xss-filter-architecture-implementation.aspx # Ref: http://xss.cx/examples/ie/internet-exploror-ie9-xss-filter-rules-example-regexp-mshtmldll.txt # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<style.*?>.*?((@[i\\\\])|(([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))))" \ "phase:request,\ rev:'3',\ ver:'OWASP_CRS/3.0.0',\ maturity:'8',\ accuracy:'8',\ id:941190,\ severity:'CRITICAL',\ capture,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ block,ctl:auditLogParts=+E,\ msg:'IE XSS Filters - Attack Detected.',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.xss_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<.*[:]?vmlframe.*?[\s/+]*?src[\s/+]*=)" \ "phase:request,\ rev:'3',\ ver:'OWASP_CRS/3.0.0',\ maturity:'8',\ accuracy:'8',\ id:941200,\ severity:'CRITICAL',\ capture,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ block,\ ctl:auditLogParts=+E,\ msg:'IE XSS Filters - Attack Detected.',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.xss_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(j|(&#x?0*((74)|(4A)|(106)|(6A));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).)" \ "phase:request,\ rev:'3',\ ver:'OWASP_CRS/3.0.0',\ maturity:'8',\ accuracy:'8',\ id:941210,\ severity:'CRITICAL',\ capture,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ block,\ ctl:auditLogParts=+E,\ msg:'IE XSS Filters - Attack Detected.',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.xss_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(b|(&#x?0*((66)|(42)|(98)|(62));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).)" \ "phase:request,\ rev:'3',\ ver:'OWASP_CRS/3.0.0',\ maturity:'8',\ accuracy:'8',\ id:941220,\ severity:'CRITICAL',\ capture,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ block,\ ctl:auditLogParts=+E,\ msg:'IE XSS Filters - Attack Detected.',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.xss_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<EMBED[\s/+].*?((src)|(type)).*?=)" \ "phase:request,\ rev:'3',\ ver:'OWASP_CRS/3.0.0',\ maturity:'8',\ accuracy:'8',\ id:941230,\ severity:'CRITICAL',\ capture,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ block,\ ctl:auditLogParts=+E,\ msg:'IE XSS Filters - Attack Detected.',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.xss_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<[?]?import[\s\/+\S]*?implementation[\s\/+]*?=" \ "phase:request,\ rev:'3',\ ver:'OWASP_CRS/3.0.0',\ maturity:'8',\ accuracy:'8',\ id:941240,\ severity:'CRITICAL',\ capture,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls,\ block,\ ctl:auditLogParts=+E,\ msg:'IE XSS Filters - Attack Detected.',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.xss_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<META[\s/+].*?http-equiv[\s/+]*=[\s/+]*[\"\'`]?(((c|(&#x?0*((67)|(43)|(99)|(63));?)))|((r|(&#x?0*((82)|(52)|(114)|(72));?)))|((s|(&#x?0*((83)|(53)|(115)|(73));?)))))" \ "phase:request,\ rev:'3',\ ver:'OWASP_CRS/3.0.0',\ maturity:'8',\ accuracy:'8',\ id:941250,\ severity:'CRITICAL',\ capture,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ block,\ ctl:auditLogParts=+E,\ msg:'IE XSS Filters - Attack Detected.',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.xss_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<META[\s/+].*?charset[\s/+]*=)" \ "phase:request,\ rev:'3',\ ver:'OWASP_CRS/3.0.0',\ maturity:'8',\ accuracy:'8',\ id:941260,\ severity:'CRITICAL',\ capture,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ block,\ ctl:auditLogParts=+E,\ msg:'IE XSS Filters - Attack Detected.',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.xss_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<LINK[\s/+].*?href[\s/+]*=)" \ "phase:request,\ rev:'3',\ ver:'OWASP_CRS/3.0.0',\ maturity:'8',\ accuracy:'8',\ id:941270,\ severity:'CRITICAL',\ capture,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ block,\ ctl:auditLogParts=+E,\ msg:'IE XSS Filters - Attack Detected.',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.xss_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<BASE[\s/+].*?href[\s/+]*=)" \ "phase:request,\ rev:'3',\ ver:'OWASP_CRS/3.0.0',\ maturity:'8',\ accuracy:'8',\ id:941280,\ severity:'CRITICAL',\ capture,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ block,\ ctl:auditLogParts=+E,\ msg:'IE XSS Filters - Attack Detected.',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.xss_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<APPLET[\s/+>])" \ "phase:request,\ rev:'3',\ ver:'OWASP_CRS/3.0.0',\ maturity:'8',\ accuracy:'8',\ id:941290,\ severity:'CRITICAL',\ capture,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ block,\ ctl:auditLogParts=+E,\ msg:'IE XSS Filters - Attack Detected.',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.xss_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<OBJECT[\s/+].*?((type)|(codetype)|(classid)|(code)|(data))[\s/+]*=)" \ "phase:request,\ rev:'3',\ ver:'OWASP_CRS/3.0.0',\ maturity:'8',\ accuracy:'8',\ id:941300,\ severity:'CRITICAL',\ capture,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ block,\ ctl:auditLogParts=+E,\ msg:'IE XSS Filters - Attack Detected.',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.xss_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" # # https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet # US-ASCII encoding bypass listed on XSS filter evasion # Reported by Mazin Ahmed # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:¾|¼).*(?:¾|¼|>)|(?:¾|¼|<).*(?:¾|¼)" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'7',\ accuracy:'8',\ id:941310,\ severity:'CRITICAL',\ capture,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\ block,\ ctl:auditLogParts=+E,\ msg:'US-ASCII Malformed Encoding XSS Filter - Attack Detected.',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-tomcat',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.xss_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" # # http://openmya.hacker.jp/hasegawa/security/utf7cs.html # UTF-7 encoding XSS filter evasion for IE. # Reported by Vladimir Ivanov # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\+ADw\-|\+AD4\-).*(?:\+ADw\-|\+AD4\-|>)|(?:\+ADw\-|\+AD4\-|<).*(?:\+ADw\-|\+AD4\-)" \ "phase:request,\ rev:'1',\ ver:'OWASP_CRS/3.0.0',\ maturity:'7',\ accuracy:'8',\ id:941350,\ severity:'CRITICAL',\ capture,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\ block,\ ctl:auditLogParts=+E,\ msg:'UTF-7 Encoding IE XSS - Attack Detected.',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-internet-explorer',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.xss_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecMarker END_XSS_CHECKS SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:941013,nolog,pass,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:941014,nolog,pass,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" # # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher) # # # This is a stricter sibling of rule 941100. # SecRule REQUEST_HEADERS:Referer "@detectXSS" \ "msg:'XSS Attack Detected via libinjection',\ id:941101,\ phase:request,\ severity:'CRITICAL',\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'1',\ accuracy:'9',\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ block,\ ctl:auditLogParts=+E,\ capture,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ tag:'paranoia-level/2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.xss_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" # # -=[ XSS Filters - Category 5 ]=- # HTML attribues - src, style and href # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "(?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=" \ "msg:'XSS Filter - Category 5: Disallowed HTML Attributes',\ id:941150,\ phase:request,\ severity:'CRITICAL',\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'1',\ accuracy:'8',\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ block,\ ctl:auditLogParts=+E,\ capture,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ tag:'paranoia-level/2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.xss_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" # Detect tags that are the most common direct HTML injection points. # # <a href=javascript:... # <applet src="..." type=text/html> # <applet src="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4" type=text/html> # <base href=javascript:... # <base href=... // change base URL to something else to exploit relative filename inclusion # <bgsound src=javascript:... # <body background=javascript:... # <body onload=... # <embed src=http://www.example.com/flash.swf allowScriptAccess=always # <embed src="data:image/svg+xml; # <frameset><frame src="javascript:..."></frameset> # <iframe src=javascript:... # <img src=x onerror=... # <input type=image src=javascript:... # <layer src=... # <link href="javascript:..." rel="stylesheet" type="text/css" # <link href="http://www.example.com/xss.css" rel="stylesheet" type="text/css" # <meta http-equiv="refresh" content="0;url=javascript:..." # <meta http-equiv="refresh" content="0;url=http://;javascript:..." // evasion # <meta http-equiv="link" rel=stylesheet content="http://www.example.com/xss.css"> # <meta http-equiv="Set-Cookie" content="NEW_COOKIE_VALUE"> # <object data=http://www.example.com # <object type=text/x-scriptlet data=... # <object type=application/x-shockwave-flash data=xss.swf> # <object classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:...></object> // not verified # <script>...</script> # <script src=http://www.example.com/xss.js></script> - TODO add another rule for this # <script src="data:text/javascript,alert(1)"></script> # <script src="data:text/javascript;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg=="></script> # <style>STYLE</style> # <style type=text/css>STYLE</style> # <style type=text/javascript>alert('xss')</style> # <table background=javascript:... # <td background=javascript: # # # NOTES # # - Reference the WASC Script Mapping Project - http://projects.webappsec.org/Script-Mapping # # - Not using closing brackets because they are not needed for the # attacks to succeed. The following seems to work in FF: <body/s/onload=... # # - Also, browsers sometimes tend to translate < into >, in order to "repair" # what they think was a mistake made by the programmer/template designer. # # - Browsers are flexible when it comes to what they accept as separator between # tag names and attributes. The following is commonly used in payloads: <img/src=... # A better example: <BODY onload!#$%&()*~+-_.,:;?@[/|\]^=alert("XSS")> # # - Grave accents are sometimes used as an evasion technique (as a replacement for quotes), # but I don't believe we need to look for quotes anywhere. # # - Links do not have to be fully qualified. For example, the following works: # <script src="//ha.ckers.org/.j"> # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\W" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'8',\ accuracy:'8',\ id:941320,\ severity:'CRITICAL',\ capture,\ t:none,t:urlDecodeUni,t:jsDecode,t:lowercase,\ block,\ msg:'Possible XSS Attack Detected - HTML Tag Handler',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A2',\ tag:'OWASP_AppSensor/IE1',\ tag:'PCI/6.5.1',\ tag:'paranoia-level/2',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.xss_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:[\"\'][ ]*(([^a-z0-9~_:\' ])|(in)).*?(((l|(\\\\u006C))(o|(\\\\u006F))(c|(\\\\u0063))(a|(\\\\u0061))(t|(\\\\u0074))(i|(\\\\u0069))(o|(\\\\u006F))(n|(\\\\u006E)))|((n|(\\\\u006E))(a|(\\\\u0061))(m|(\\\\u006D))(e|(\\\\u0065)))|((o|(\\\\u006F))(n|(\\\\u006E))(e|(\\\\u0065))(r|(\\\\u0072))(r|(\\\\u0072))(o|(\\\\u006F))(r|(\\\\u0072)))|((v|(\\\\u0076))(a|(\\\\u0061))(l|(\\\\u006C))(u|(\\\\u0075))(e|(\\\\u0065))(O|(\\\\u004F))(f|(\\\\u0066)))).*?=)" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'8',\ accuracy:'8',\ id:941330,\ severity:'CRITICAL',\ capture,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,\ block,\ msg:'IE XSS Filters - Attack Detected.',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A2',\ tag:'OWASP_AppSensor/IE1',\ tag:'PCI/6.5.1',\ tag:'paranoia-level/2',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.xss_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:[\"\'][ ]*(([^a-z0-9~_:\' ])|(in)).+?[.].+?=)" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'8',\ accuracy:'8',\ id:941340,\ severity:'CRITICAL',\ capture,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,\ block,\ msg:'IE XSS Filters - Attack Detected.',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A2',\ tag:'OWASP_AppSensor/IE1',\ tag:'PCI/6.5.1',\ tag:'paranoia-level/2',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.xss_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:941015,nolog,pass,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:941016,nolog,pass,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" # # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher) # SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:941017,nolog,pass,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:941018,nolog,pass,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" # # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher) # # # -= Paranoia Levels Finished =- # SecMarker "END-REQUEST-941-APPLICATION-ATTACK-XSS"