ModSecurity rules testing

15 October 2018 13:33:09

Host with WAF https://127.0.0.1:4343
Files checked ../../owasp-modsecurity-crs/crs-setup.conf.example
../../owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
../../owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
../../owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
../../owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
../../owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
../../owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
../../owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
../../owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
../../owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
../../owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
../../owasp-modsecurity-crs/util/regression-tests/__init__.py
../../owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Rules check failed 63
Response code 200 72
Response code 400 3
Response code 403 21
Response code 404 1
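Pattern for rule 932150 is not blocked (status code 400)
Note: a 400 is neither the 403 that a ModSecurity `deny` returns by default nor the 200 of a request that passed through. It more likely means the server rejected the request as malformed than that the rule failed to match. Treat this result as inconclusive, not as a confirmed gap in the rule, until the pattern is re-sent in a form the server accepts.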
ModSecurity Rule ID
932150
From file
../../owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Generated pattern
= 	

	



	 
	 
	


$!		 	  

	

				 

 	 		
 
	 

	
 
	
	 
  	

	


{fHEQ3sQAb_ENNkzaZmlkFfb6ZjpgpVmT3Zpz1Df3YI6dERzSldBuMMYj5YFHRSq4Hs4u97b6PdpeAW=$kn.7E}K.pU8C0	vm?cZiaF,#&H(HXo3TQ+qXye#R,_~muNL{:LG0>0I4DLVkkfB#)hn{$//[email protected]$t5D
 		

		

  		
	

{ 	 	 


 	 




  


	  


 




 
 	

	 	
	
  	(


	 			 
 
   
 

	 

	
 

 	 

	
	


 
 		 



 
 	
	
 
 Yp0n3i1JNfUu6o1Irk2F7K5ykXnNo6wxGAmBNJwTWXZnWLXAM=gPh?oMWmk.)@]!(h%UNy\Vy%|'M




		 


 
	
 


 
 
 		HvEb95koBXTfRz1a16y3sBaXDBrv=>1;Pt4:&WTxEM
x
H:|e{L`(Bp!vWAhV+}mGa]'^ozX.I;}$rtm
wvBZj6G]L2N43.K=5a=Ss"(tA\V1!+ #


		
 
	
	 
		
  
	

	
 
	

 	  	
 	



 	
 


	

 {H1n7tEv_CvL5XakA602SugqT_QKwpalbC_R6a2AUuoHDdvifou0I1EJqoB5KvguTHJ1hCvw8ELTRWbcau=$G|T>N|KB%Z^FvG g<>p$jwxk]$Z: iy7Jc;e	 
		 	
 
	




  	

(
	
		


		
 

 		 
	
 	
  

 	

$!	
		
  

		
 
w7MWhDlfkR2rPE94ZigXNuD9MS4VbBP26m59cHkG58qla0WW2MIAWxLimxmHqur46l4xtlCzymT=$>:B=%-xYftZwuk{X{i{u\U?u1`4DPUZP`xj)^)W=q+Tk_]L]I$-w\H> :^[*O]F4@Q\B{h_E
e^mVVX*1 
	

				
 



	
	
			

	

		  	

	

 		 


 
	




$
		      
	 
	

	
 	   
	


	 
	 
 


	 
	 	 (
	 
			!
		



	l57xxMzFU_5EqYOJXKOH0mtIOdkZKUzZkLkn_fO5WxBafTnHx5EByp21jP5WHaJ7umN7IykY2Cz41zKpep8NAI40p3TMYBP=#^VB8BV;@$)XP3BW(~>a`4<J-r]p^j1Wd9|%pWXDfsn-X201KJiQ
		
 


 
 

	 
  
 	 	 
	



	
    
 	  	
 	


		
 	



	
( 



		


 



 

 		

 	
	
	 

  

 
 ${{!	
	


 
 

 	  
	
{{!		

  

	


 

 	


		
	


 

  
		
		

 	
	

  



	   	
  

 
	 
	
	

 	
 

	   	


	

	 


 

	
	 
	
 (	


	
	 
 
 






 

 
 	 

				

	
 	

 

		
  	 
 
	
 
 

	  	


	 
(

		
	

 
  	 

 	
	



	

(	

	
	


 
 	
	   

		

  	 
 	

  
 

 	  	
	 		 
	  

!	
	
  
	 


	!
!OSXcUs847iGMZc2AqfscU5kA7P=$LRMrGamel}ApoHx8].UG&J8B`hcco%&kd-Bw	

	
	 
 
		
  
 {$kahQxnZIrrkVK8rLOxsvI_hCGMjW93ZvA=$aHk+%T/H,6,{x'yg'{:j)eO"gbX3P9,+6j:	\KB+}B#.CwK4(&-"t%MV0Gy:kA }"THj|#o  
	VNw5IPhzDI7hrMl9niB1dg2hy9IG0F2zHSYS2o1F8emGJqgpU4ADctvyozvD14ffZbcAnxQ1Dh=>CMWg{`^t:[email protected]



	



 	
 	 



 	vJRzET2OczdbdZhmbbIPzRab76fjeR6F2_hNSm6z4KHSbhbNicRXEnVxlwgMTVMyDF3kWBi2sbp=>U`NCb_PS4 }nW(bMU=pU5"G:}`hM<YvV>`uZ|jo>rHlV
J4}R5LK[`.A2BwVqbb+6DGR,yX*&0_Z*~cJ6F/ ~_>e[email protected] 
	


${!



	
	
	
	



 
	 

 
 
	 
 


 
	  
	
		
 
	
!
!	  	 

 

 

	


 	 
	 
 	

	 
		 
 
 			{!

	 	

	


	
		

  
	 
	

	   	
  
 


 $	
  
 	


 


 					
   	 	 
		

     	 	 		

  
 
     ( 
		

	
	
 		 	
	 
		    
 	

 


  	 				  

	
 


	 
ALH480CtOX3sPn_Tz6DYi7P684DysfueG_v3LcnkW_d8P3b3gi0a7QQUIUkMYklYIFpQ_F6l6RClo4z5ULzWpenfgV=>


 
 
  

	 


	

	

  
 	

 	 


		
 
	 
	
		
	



	
	
 
	

{! 		





 

 	
 
	





	( 


 	


	
	 	





	
	



		{! 	  
 	 		
		
 
   
  



		
 
 	
  
 


  

	

	

	
 
 

	

		



	  
	
 

 	
(  
	

  
  

	
	
	 

	


	
 $


	
		
	
 
 	
 
  

	




	  		
		 			


  (	 

		
	
 
 	 

	
	
  
  



 
	 

		

	  	 


 
	 	
 
  s4oqfYRbuc2j5xvh9qViDIB9VSKGuysf=$jB1^wEhd63fAp40d$aoLA|skKD)fG&K(|sag=FlcP2/aH\a!KoTYs
  	 

	 

	



	



  
 	 _9uk4_csIKbAS3pOGzY1lokLg0frOlLL866n0krzhYAyfdhQr5vwX5PvqnFTzlpBtrqILu66G17VqOa0Le9Iy52D=$|$5}odV}q[[email protected]e-iGb	}V#xW#5~pwA<h;K'M.=9HnZpC{pV[Q/[email protected]#W~S_}@ $n`	LgN,MfM 
 	


	
	
  	
 


  
	

		 
{ 
 
		




 
	 

		 
	  

	

	  

 


	
	
	 	




	
	



"""""""''"''''""""'""''tlTqyA7HNIg-\/NeuVcHr[)0w/C4+kvob*"a8WDEQ7\y6wcfl1-LN/\"""\\\\"\""'\\\""\\\\\\\\\\'"\"\\\"'\\'\\\p\\"'\'\''''\\\\'"\\\\\\\\\\\\"\'\\\'\""'\\'\"'"\\""\\'\''"\'\"\\\\\"\''"""\\''\'\""\\\"''\""''"r"\''"\\\""\\'\""\'\\"\\\\\''\"\'\'i\\\\\"''"\''""\\"""'\"\\'\\\\"\\\"'\\\''"\\\\\'"\''\''\""n\\"'\\'\\t\""\"\\\\\""\\\\\'\""'\'\''"\'\\''"''\\"""'\'''e"\''\\'\\'\"\""\\\'"'\\""\'"'\""\\\\"'''\\"\\'''\\\'\\\n\\\'"\\\'\'\\'\"'\"\"\\\\""\\\\\\"\'''"\"\\\\'\\\'\\\\\\\\\"\'\"v'""\\"\"\'\\\\\'"\\\\\'\''\\\"\\\'\'''"\''\""\\\""'\'\\\""""\\'"\\\'''\\\\"<
Request sent to WAF
GET /?test=%3D%0C%0C+%09%0D%0B%0D%09%0D%0D%0B%0B%0C%0B%0C%0D%0D%0A%09+%0D%0C%09+%0B%0A%09%0A%0B%0C%0A%0D%0A%24%21%09%0B%09+%0C%0B%09+%0C+%0D%0C%0A%09%0A%0D%09%09%09%09%0C%0B%0B+%0A%0B%0D+%0C%09+%0C%09%0C%09%0D+%0B%0D%09+%0D%0B%0B%0A%09%0D+%0D%0A%0B%09%0A%0C%09%0B+%0A%0C++%09%0A%0B%0C%0C%0A%09%0A%0A%0A%7BfHEQ3sQAb_ENNkzaZmlkFfb6ZjpgpVmT3Zpz1Df3YI6dERzSldBuMMYj5YFHRSq4Hs4u97b6PdpeAW%3D%24kn.7E%7DK.pU8C0%09vm%3FcZiaF%2C%23%26H%28HXo3TQ%2BqXye%23R%2C_~muNL%7B%3ALG0%3E0I4DLVkkfB%23%29hn%7B%24%2F%2F1lK%40%24t5D%0C%0D+%09%09%0B%0A%0D%0C%0B%09%09%0A%0D+%0B%0C+%0C%09%09%0A%0C%0C%09%0A%0A%7B%0C+%09+%09+%0D%0D%0D%0C+%09+%0D%0D%0B%0A%0A%0D+%0B+%0A%0A%0D%09++%0B%0B%0D%0D%0D%0A+%0A%0A%0A%0A%0D%0C%0B+%0B%0A+%09%0A%0D%09+%0C%0C%0B%0B%0C%0C%09%0A%09%0D++%09%0C%28%0A%0D%0C%0C%0C%0A%0C%0B%0C%0C%09+%09%0B%09%0C%09+%0A%0B+%0C%0A++%0C+%0C%0B%0C%0D+%0C%0A%0C%0C%0C%0C%0A%0C%09+%0D%0D%0B%0B%0C%09%0A+%0A%0A%0B%0B+%09+%0A%0B%0D%09%0C%0D%0A%0C%09%0A%0A%0D+%0B%0A+%09%09+%0A%0A%0C%0D%0D+%0A+%09%0B%0D%0A%09%0A%0B%0C+%0A+Yp0n3i1JNfUu6o1Irk2F7K5ykXnNo6wxGAmBNJwTWXZnWLXAM%3DgPh%3FoMWmk.%29%40%5D%21%28h%25UNy%5CVy%25%7C%27M%0B%0D%0A%0A%0D%0A%0B%0D%0C%0C%0A%09%09%0C%0C+%0A%0C%0D%0C%0B%0A%0C+%0C%0A%09%0D%0C%0C+%0D%0A%0A%0D+%0D%0A+%0B%0A%0B%0B+%09%09%0B%0BHvEb95koBXTfRz1a16y3sBaXDBrv%3D%3E1%3BPt4%3A%26WTxEM%0Dx%0DH%3A%7Ce%0C%7BL%60%28Bp%21vWAhV%2B%7DmGa%5D%27%5EozX.I%3B%7D%24rtm%0Dwv%0BBZj6G%5DL2N43.K%3D5a%3DSs%22%28tA%5CV1%21%2B+%23%0A%0A%0B%0D%09%0B%09%0A%0C+%0A%09%0A%09+%0B%0B%0D%0A%09%09%0B%0A++%0A%09%0D%0A%0D%09%0C%0D%0B%0C+%0D%09%0D%0A%0C%0B%0D+%09%0B+%0B+%0B%0C%09%0D%0C+%09%0A%0B%0A%0A%0D+%09%0D+%0B%0A%0A%0D%09%0D%0C%0A%0B%0C%0C+%7BH1n7tEv_CvL5XakA602SugqT_QKwpalbC_R6a2AUuoHDdvifou0I1EJqoB5KvguTHJ1hCvw8ELTRWbcau%3D%24G%7CT%3EN%7CKB%25Z%5EFv%0CG+g%3C%3Ep%24jwxk%5D%24Z%3A+iy7Jc%3Be%0C%0C%09%0C+%0D%09%09+%0B%0C%09%0B%0D+%0B%0A%0B%09%0A%0D%0B%0C%0B%0D%0D%0D++%09%0A%0A%0B%28%0A%09%0D%0A%09%09%0C%0D%0A%0C%0A%0B%0D%09%09%0D+%0D%0B%0D+%09%09+%0B%0D%0B%0C%09%0C%0D%0B+%09%0B%0C%0C%0D+%0B+%0A%0D%0B+%09%0A%0
D%0A%0C%24%21%0C%0B%09%0C%0C%0D%09%0B%09%0A%0C++%0A%0B%0D%0A%09%09%0B%0C%0D+%0B%0Aw7MWhDlfkR2rPE94ZigXNuD9MS4VbBP26m59cHkG58qla0WW2MIAWxLimxmHqur46l4xtlCzymT%3D%24%3E%3AB%3D%25-xYftZwuk%7BX%7Bi%7Bu%5CU%3Fu1%604DPUZP%60xj%29%5E%29W%3Dq%2BTk_%5DL%5DI%24-w%5CH%3E+%3A%5E%5B%2AO%5DF4%0B%40Q%5CB%7Bh_%0CE%0De%5EmVVX%2A1%0C+%0C%0C%0D%0A%09%0D%0D%0C%09%09%09%09%0A%0C+%0D%0A%0A%0C%0B%0B%0D%0B%0C%0D%0B%09%0D%0A%09%0B%0C%0C%0A%09%09%09%0A%0B%0B%0D%09%0D%0C%0D%09%09++%0B%09%0C%0B%0D%0D%09%0C%0A%0A+%09%09+%0D%0D%0C%0C%0D%0B+%0D%0A%09%0D%0D%0D%0B%0C%0A%0A%0C%24%0A%0B%09%09+%0B+++%0C++%0D%09%0C+%0D%09%0B%0A%0C%0D%09%0D+%09+%0B%0C++%0D%0B%09%0B%0D%0D%0D%09+%0D%09+%0D+%0A%0D%0D%0B%0C%0C%0C%09+%0A%09%0C%0B+%09+%0C%28%0C%0B%0A%09%0C+%0A%09%09%0B%09%21%0C%0A%09%09%0A%0D%0C%0D%0B%0C%0A%09%0Bl57xxMzFU_5EqYOJXKOH0mtIOdkZKUzZkLkn_fO5WxBafTnHx5EByp21jP5WHaJ7umN7IykY2Cz41zKpep8NAI40p3TMYBP%3D%23%5EVB8BV%3B%40%24%29XP3BW%28~%3Ea%604%3CJ-r%5Dp%5Ej1Wd9%7C%25pWXDfsn-X201KJiQ%0B%0A%09%0C%0B%09%0D+%0A%0B%0A%0A+%0C%0A+%0B%0A%0B%0B%0D%09%0B+%0B%0B%0D%0B++%0A+%09+%0B%0C%09%0C+%0A%09%0D%0C%0B%0A%0D%0C%0C%0D%09%0A%0B++++%0A%0C%0C%0C%0B+%09%0B++%09%0A%0C+%09%0C%0A%0A%0D%09%09%0A+%09%0B%0C%0D%0C%0C%0C%0A%0A%0B%0B%0A%09%0B%0D%28+%0C%0C%0D%0C%0D%0C%0A%0D%0B%09%09%0B%0B%0C%0B%0A%0D%0D+%0C%0D%0B%0A%0B%0A%0D+%0B%0B%0D%0B%0D%0A%0B+%09%09%0B%0D%0C%0C%0A+%09%0D%09%0A%0C%09%0B+%0A%0C%0B%0C%0A%0B++%0D%0D+%0A+%0C%24%7B%7B%21%0C%0C%09%0A%09%0C%0D%0D%0D+%0D+%0A%0C%0D%0B+%09++%0A%09%0D%7B%7B%21%0B%09%0B%09%0D%0B%0A++%0A%0D%09%0A%0D%0D%0A%0C+%0A%0A%0C+%09%0C%0C%0B%0A%0A%0D%09%09%0C%0C%0D%0C%09%0A%0B%0B%0A%0D%0A+%0D%0D++%0D%0C%0B%0B%0C%09%0B%09%0B%0D%0B%09%09%0A%0C%0D+%0C%0B%0B%09%0A%09%0A%0D%0C++%0D%0D%0A%0A%0B%0A%0B%0B%0B%09+++%09%0D%0C+%0B%0B+%0A%0C%0D%0C%0B+%0B%0A%09+%0D%0A%09%0C%0D%09%0D%0D%0A+%09%0B%0D%0A+%0A%0A%0B%09+++%09%0A%0A%0D%09%0D%0D%0A%09%0C+%0A%0B%0A%0B%0C%0D%0C+%0D%0D%09%0D%0C%09%0B%0C%0B%0B%0C%0C+%0B%0A%09%0B%0A%0C%0B+%0B%28%0B%0C%0B%09%0B%0C%0A%0B%0A%0A%0C%0B%09%0A%0C%09+%0A%0B+%0B%0B%0A+%0C%0A%0B%0D%0
D%0B%0B%0D%0B%0B%0D%0D%0D+%0A%0D%0B+%0A+%09%0B%0C+%0B%0D%0A%0B%0D%0C%09%09%0B%0C%09%09%0B%0C%0C%0A%0B%0D%09%0C%0C%0D+%09%0D%0C%0C%0A+%0A%0A%0B%09%09%0D++%09+%0A+%0D%0B%0C%09%0C%0A%0B+%0B%0B%0A+%0D%0C%0D%0C%0C%0B%09++%09%0A%0B%0D%0C%0A%09+%0A%0B%0B%0B%28%0D%0C%0A%09%0C%0C%09%0A%09%0B%0D%0D%0B%0B%0C+%0D++%09+%0D%0D%0B%0B+%09%0D%09%0A%0D%0D%0D%0C%09%0B%0D%0D%0B%0B%28%09%0D%0C%0C%0D%09%0C%0D%0B%0B%09%0C%0A%0D%0D%0B+%0B%0A+%0C%09%0A%09+%0C++%0A%0C%0B%0C%0D%09%09%0D%0D%0C+%0B+%09%0C+%0D%0B+%09%0D%0D%0B++%0B%0A+%0D%0B%0A+%09++%0C%0B%09%0A%09+%09%0B%09%0B+%0A%09%0B+%0B+%0A%0D%21%09%0B%0D%09%0D++%0B%0C%0D%0C%0C%09+%0B%0A%0A%0B%0D%0A%09%21%0A%21OSXcUs847iGMZc2AqfscU5kA7P%3D%24LRMrGamel%7DApoHx8%5D.UG%26J8B%60hcco%25%26kd-Bw%09%0A%0B%0D%09%0A%0B%09+%0A+%0A%09%09%0B%0A++%0A+%7B%24kahQxnZIrrkVK8rLOxsvI_hCGMjW93ZvA%3D%24aHk%2B%25T%2FH%2C6%2C%7Bx%27yg%27%7B%3Aj%29eO%22gbX3P9%2C%2B6j%3A%09%5CKB%2B%7DB%23.CwK4%28%26-%22t%25MV0Gy%3AkA+%7D%22THj%7C%23o++%0D%09VNw5IPhzDI7hrMl9niB1dg2hy9IG0F2zHSYS2o1F8emGJqgpU4ADctvyozvD14ffZbcAnxQ1Dh%3D%3ECMWg%7B%60%5Et%3Ao%40Z%0C%0D%0D%0D%0A%0A%09%0C%0A%0B%0A%0D%0D+%09%0D%0C+%09+%0D%0B%0C%0A%0C%0C%0A%0D+%09%0BvJRzET2OczdbdZhmbbIPzRab76fjeR6F2_hNSm6z4KHSbhbNicRXEnVxlwgMTVMyDF3kWBi2sbp%3D%3EU%60NCb_PS4+%7DnW%28bMU%3DpU5%22G%3A%7D%60hM%3CYvV%3E%60uZ%7Cjo%3ErHlV%0DJ4%0B%7DR5LK%5B%60.A2BwVqbb%2B6DGR%2C%0CyX%2A%260_Z%2A~cJ6F%2F+~_%3Ee%0CA.~G%40.%0C+%0D%09%0A%0B%0B%0D%0D%0C%24%7B%21%0D%0D%0D%0A%0A%0B%09%0D%09%0A%0B%09%0B%0A%0B%09%0B%0B%0D%0D%0A%0D%0B%0A+%0D%09+%0D%0D+%0B%0B%0A+%0C%0C%0A%09+%0B%0C%0B%0D%0C+%0D%0D%0C%0A+%0D%09%0B%0C++%0B%0A%09%0B%0C%0A%09%0B%09%0A+%0D%09%0C%0B%0D%21%0C%0D%0C%21%0C%0B%0C%09+%0C+%0B%0B%09+%0A%0D%0C%0B%0B+%0B%0C%0D%0A%0D+%0B%0A%0C%0A%09%0B%0B%0A%0A%0D+%0B%09+%0D%0A%09%0C%0C+%0D+%0C%09%0A%0A%0B%09+%0A%09%09+%0B%0B%0A+%0A+%0C%09%09%09%0C%7B%21%0B%0A%0B%0D%0A%0C%09+%0B%09%0D%0D%09%0D%0D%0D%0B%09%0A%0B%09%0B%09%0C%0D%0C%0A++%0D%0B%0C%09+%0D%09%0A%0D%0B%09+++%0B%09%0A++%0A%0C%0B+%0A%0D%0B%0C%0A+%24%09%0A+%0B+%0D+%09%0D%0D%0D%0A+%0B%0A
%0B%0A%0B%0B%0D+%09%09%0B%09%09%09%0A+%0B+%0B+%09+%09+%0D%09%09%0A%0A+++%0B++%0B%09+%09+%0B%09%0C%09%0D%0A%0D%0A%0C+%0B%0B+%0C%0D+%0A++++%0B+%0C%28+%0D%09%09%0B%0D%0B%0C%0C%0D%09%0A%09%0D+%0B%09%0B%0B%09+%09%0B%0A%09+%0B%0A%09%09%0C+%0B+++%0A%0C%0C+%09%0A%0D+%0C%0B%0D%0D%0B%0A%0C+%0B%0B+%09+%09%0B%0B%09%09%09%0B++%0A%0D%0B%09%0D+%0A%0C%0A%0B%0D%09+%0D%0BALH480CtOX3sPn_Tz6DYi7P684DysfueG_v3LcnkW_d8P3b3gi0a7QQUIUkMYklYIFpQ_F6l6RClo4z5ULzWpenfgV%3D%3E%0C%0A%0B%0A%0D+%0B%0A%0B%0B%0C+%0D+%0B+%0B%0C%0A%0A%0C%09%0C%0B%0C+%0D%0B%0A%0A%09%0A%0A%09%0B%0D%0B%0D++%0D+%09%0C%0B%0B%0D%0C%0A%0B%0C%0B+%09+%0A%0A%0B%0B%0B%0D%09%09%0D%0A+%0A%09%0B+%0B%0A%09%0A%0B%0B%09%09%0D%09%0A%0B%0A%0A%0A%09%0B%0B%0C%0D%09%0D%0C+%0A%09%0A%0A%7B%21%0B+%09%09%0B%0D%0B%0C%0A%0C%0A%0A%0A%0C%0C%0A+%0A%0D%0B%0B+%09%0C%0B%0D%0C+%0B%0C%0D%09%0D%0D%0D%0D%0B%0A%0B%0B%0A%09%28+%0D%0D%0C%0A+%09%0C%0D%0D%0D%09%0D%0A%09%0C+%0C%0B%0B%09%0B%0D%0A%0D%0B%0A%0A%0D%0A%0D%0A%09%0B%0C%0B%0A%09%0A%0A%0A%0D%09%09%7B%21+%09%0C+%0B%0C%0C+%0A+%09%0C+%09%09%0D%09%09%0D%0B%0B+%0A++%0B%0C+%0A%0C+%0C+%0A%0B%0D%0C%0C%0D%0D%0C%0B%09%09%0A+%0D+%0C%0C%0B%0B%0B%09%0A++%0D+%0C%0A%0A%0D%0C++%0D%0D%09%0D%0C%0D%09%0C%0D%0D%09%0A+%0B%0C%0C%0B%0C%0C%0A%0B%0C+%0A%0A%0B%09%0D%0B%0A%0B%09%0C%0B%0C%0B%0B%09%0D%0A%0A%0D%0B%0D%0A%09%0B%0C++%0C%0D%09%0D+%0C%0A%0B%0D+%09%0C%0A%28+%0B+%0D%09%0D%0D%0C++%0B%0C%0C%0A++%0A%0B%0B%0A%09%0A%09%0D%0C%0C%09%0C+%0D%0D%09%0C%0B%0D%0D%0D%09%0C%0A+%24%0C%0A%0A%0A%09%0A%09%09%0C%0D%0B%09%0A%0C%0B%0B+%0A%0B+%09%0C%0A+%0D+%0C+%0A%0D%09%0D%0A%0A%0A%0B%0C%0C%0A%0A%0C%09++%09%09%0C%0C%0D%0C%0B%09%0B%09+%09%09%09%0A%0C%0D%0A%0A%0C+%0C+%28%0B%0B%09%0C+%0A%0D%0A%09%09%0A%09%0D+%0A%0B%0C+%09%0B%0C%0C%0B+%0C%0A%0C%0B%0D%0C%0B%0C%09%0A%0B%09%0C%0A++%0D%0C++%0B%0D%0D%0C%0D%0A%0D+%0B%0A%09+%0B%0D%0C%0B%0A%0B%09%0C%09%0D%0C%0C%0C%0C%0D%09%0C%0C%0B++%09%0B+%0A%0A%0A%0B+%0A%09+%09%0D+%0B%0D%0C%0B++%0B%0Bs4oqfYRbuc2j5xvh9qViDIB9VSKGuysf%3D%24jB1%5EwEhd63fAp40d%24a%0BoLA%7CskKD%29fG%26K%28%7Csag%3DFlcP2%2FaH%5Ca%21KoTYs%0B%0A+%
0B+%09+%0A%0D%09+%0A%0D%0B%0C%0B%09%0C%0D%0C%0D%0C%0A%0D%09%0D%0D%0D%0A%0D%0A++%0C%0A+%0C%09+_9uk4_csIKbAS3pOGzY1lokLg0frOlLL866n0krzhYAyfdhQr5vwX5PvqnFTzlpBtrqILu66G17VqOa0Le9Iy52D%3D%24%7C%245%7DodV%7Dq%5BA%40%0Be-%0CiGb%09%7DV%23xW%235~pwA%3Ch%3BK%27%0CM.%3D9HnZpC%7Bp%0CV%5BQ%2Fv.%241MuMa%2B%40j.9m%23W~S_%7D%40+%24n%60%09LgN%2CMfM+%0D%0A%0B+%09%0A%0D%0A%0D%09%0A%09%0D%0A++%09%0A+%0D%0A%0A%0D%0C%0B++%0C%0D%09%0D%0A%0D%09%09%0B%0C%0C%0B+%0C%0B%0B%0B%0A%7B+%0D%0C+%0C%0D%09%0B%0C%0B%09%0C%0D%0B%0D%0D%0B%0A%0D%0A+%0C%0A%0B%09+%0A%0D%09%09+%0D%0B%09++%0A%0B%0D%09%0B%0D%0B%0C%0C%0A%09++%0D%0C%0A%0B+%0B%0A%0D%0A%0A%0B%09%0C%0A%0C%0C%09%0A%09+%0B%09%0C%0D%0A%0D%0A%0A%0A%0C%0D%09%0D%0B%0B%0B%0C%0B%0B%09%0A%0A%0A%0A%22%22%22%22%22%22%22%27%27%22%27%27%27%27%22%22%22%22%27%22%22%27%27tlTqyA7HNIg-%5C%2FNeuVcHr%5B%290w%2FC4%2Bkvob%2A%22a8WDEQ7%5Cy6wcfl1-LN%2F%5C%22%22%22%5C%5C%5C%5C%22%5C%22%22%27%5C%5C%5C%22%22%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%27%22%5C%22%5C%5C%5C%22%27%5C%5C%27%5C%5C%5Cp%5C%5C%22%27%5C%27%5C%27%27%27%27%5C%5C%5C%5C%27%22%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%22%5C%27%5C%5C%5C%27%5C%22%22%27%5C%5C%27%5C%22%27%22%5C%5C%22%22%5C%5C%27%5C%27%27%22%5C%27%5C%22%5C%5C%5C%5C%5C%22%5C%27%27%22%22%22%5C%5C%27%27%5C%27%5C%22%22%5C%5C%5C%22%27%27%5C%22%22%27%27%22r%22%5C%27%27%22%5C%5C%5C%22%22%5C%5C%27%5C%22%22%5C%27%5C%5C%22%5C%5C%5C%5C%5C%27%27%5C%22%5C%27%5C%27i%5C%5C%5C%5C%5C%22%27%27%22%5C%27%27%22%22%5C%5C%22%22%22%27%5C%22%5C%5C%27%5C%5C%5C%5C%22%5C%5C%5C%22%27%5C%5C%5C%27%27%22%5C%5C%5C%5C%5C%27%22%5C%27%27%5C%27%27%5C%22%22n%5C%5C%22%27%5C%5C%27%5C%5Ct%5C%22%22%5C%22%5C%5C%5C%5C%5C%22%22%5C%5C%5C%5C%5C%27%5C%22%22%27%5C%27%5C%27%27%22%5C%27%5C%5C%27%27%22%27%27%5C%5C%22%22%22%27%5C%27%27%27e%22%5C%27%27%5C%5C%27%5C%5C%27%5C%22%5C%22%22%5C%5C%5C%27%22%27%5C%5C%22%22%5C%27%22%27%5C%22%22%5C%5C%5C%5C%22%27%27%27%5C%5C%22%5C%5C%27%27%27%5C%5C%5C%27%5C%5C%5Cn%5C%5C%5C%27%22%5C%5C%5C%27%5C%27%5C%5C%27%5C%22%27%5C%22%5C%22%5C%5C%5C%5C%22%22%5C%5C%5C%5C%5C%5C%22%5C%27%27%2
7%22%5C%22%5C%5C%5C%5C%27%5C%5C%5C%27%5C%5C%5C%5C%5C%5C%5C%5C%5C%22%5C%27%5C%22v%27%22%22%5C%5C%22%5C%22%5C%27%5C%5C%5C%5C%5C%27%22%5C%5C%5C%5C%5C%27%5C%27%27%5C%5C%5C%22%5C%5C%5C%27%5C%27%27%27%22%5C%27%27%5C%22%22%5C%5C%5C%22%22%27%5C%27%5C%5C%5C%22%22%22%22%5C%5C%27%22%5C%5C%5C%27%27%27%5C%5C%5C%5C%22%3C&_NAMES=%3D%0C%0C+%09%0D%0B%0D%09%0D%0D%0B%0B%0C%0B%0C%0D%0D%0A%09+%0D%0C%09+%0B%0A%09%0A%0B%0C%0A%0D%0A%24%21%09%0B%09+%0C%0B%09+%0C+%0D%0C%0A%09%0A%0D%09%09%09%09%0C%0B%0B+%0A%0B%0D+%0C%09+%0C%09%0C%09%0D+%0B%0D%09+%0D%0B%0B%0A%09%0D+%0D%0A%0B%09%0A%0C%09%0B+%0A%0C++%09%0A%0B%0C%0C%0A%09%0A%0A%0A%7BfHEQ3sQAb_ENNkzaZmlkFfb6ZjpgpVmT3Zpz1Df3YI6dERzSldBuMMYj5YFHRSq4Hs4u97b6PdpeAW%3D%24kn.7E%7DK.pU8C0%09vm%3FcZiaF%2C%23%26H%28HXo3TQ%2BqXye%23R%2C_~muNL%7B%3ALG0%3E0I4DLVkkfB%23%29hn%7B%24%2F%2F1lK%40%24t5D%0C%0D+%09%09%0B%0A%0D%0C%0B%09%09%0A%0D+%0B%0C+%0C%09%09%0A%0C%0C%09%0A%0A%7B%0C+%09+%09+%0D%0D%0D%0C+%09+%0D%0D%0B%0A%0A%0D+%0B+%0A%0A%0D%09++%0B%0B%0D%0D%0D%0A+%0A%0A%0A%0A%0D%0C%0B+%0B%0A+%09%0A%0D%09+%0C%0C%0B%0B%0C%0C%09%0A%09%0D++%09%0C%28%0A%0D%0C%0C%0C%0A%0C%0B%0C%0C%09+%09%0B%09%0C%09+%0A%0B+%0C%0A++%0C+%0C%0B%0C%0D+%0C%0A%0C%0C%0C%0C%0A%0C%09+%0D%0D%0B%0B%0C%09%0A+%0A%0A%0B%0B+%09+%0A%0B%0D%09%0C%0D%0A%0C%09%0A%0A%0D+%0B%0A+%09%09+%0A%0A%0C%0D%0D+%0A+%09%0B%0D%0A%09%0A%0B%0C+%0A+Yp0n3i1JNfUu6o1Irk2F7K5ykXnNo6wxGAmBNJwTWXZnWLXAM%3DgPh%3FoMWmk.%29%40%5D%21%28h%25UNy%5CVy%25%7C%27M%0B%0D%0A%0A%0D%0A%0B%0D%0C%0C%0A%09%09%0C%0C+%0A%0C%0D%0C%0B%0A%0C+%0C%0A%09%0D%0C%0C+%0D%0A%0A%0D+%0D%0A+%0B%0A%0B%0B+%09%09%0B%0BHvEb95koBXTfRz1a16y3sBaXDBrv%3D%3E1%3BPt4%3A%26WTxEM%0Dx%0DH%3A%7Ce%0C%7BL%60%28Bp%21vWAhV%2B%7DmGa%5D%27%5EozX.I%3B%7D%24rtm%0Dwv%0BBZj6G%5DL2N43.K%3D5a%3DSs%22%28tA%5CV1%21%2B+%23%0A%0A%0B%0D%09%0B%09%0A%0C+%0A%09%0A%09+%0B%0B%0D%0A%09%09%0B%0A++%0A%09%0D%0A%0D%09%0C%0D%0B%0C+%0D%09%0D%0A%0C%0B%0D+%09%0B+%0B+%0B%0C%09%0D%0C+%09%0A%0B%0A%0A%0D+%09%0D+%0B%0A%0A%0D%09%0D%0C%0A%0B%0C%0C+%7BH1n7tEv_CvL5XakA602SugqT_QKwpalbC_R6a2AUuoHDdvifou0I1EJqoB5KvguTHJ
1hCvw8ELTRWbcau%3D%24G%7CT%3EN%7CKB%25Z%5EFv%0CG+g%3C%3Ep%24jwxk%5D%24Z%3A+iy7Jc%3Be%0C%0C%09%0C+%0D%09%09+%0B%0C%09%0B%0D+%0B%0A%0B%09%0A%0D%0B%0C%0B%0D%0D%0D++%09%0A%0A%0B%28%0A%09%0D%0A%09%09%0C%0D%0A%0C%0A%0B%0D%09%09%0D+%0D%0B%0D+%09%09+%0B%0D%0B%0C%09%0C%0D%0B+%09%0B%0C%0C%0D+%0B+%0A%0D%0B+%09%0A%0D%0A%0C%24%21%0C%0B%09%0C%0C%0D%09%0B%09%0A%0C++%0A%0B%0D%0A%09%09%0B%0C%0D+%0B%0Aw7MWhDlfkR2rPE94ZigXNuD9MS4VbBP26m59cHkG58qla0WW2MIAWxLimxmHqur46l4xtlCzymT%3D%24%3E%3AB%3D%25-xYftZwuk%7BX%7Bi%7Bu%5CU%3Fu1%604DPUZP%60xj%29%5E%29W%3Dq%2BTk_%5DL%5DI%24-w%5CH%3E+%3A%5E%5B%2AO%5DF4%0B%40Q%5CB%7Bh_%0CE%0De%5EmVVX%2A1%0C+%0C%0C%0D%0A%09%0D%0D%0C%09%09%09%09%0A%0C+%0D%0A%0A%0C%0B%0B%0D%0B%0C%0D%0B%09%0D%0A%09%0B%0C%0C%0A%09%09%09%0A%0B%0B%0D%09%0D%0C%0D%09%09++%0B%09%0C%0B%0D%0D%09%0C%0A%0A+%09%09+%0D%0D%0C%0C%0D%0B+%0D%0A%09%0D%0D%0D%0B%0C%0A%0A%0C%24%0A%0B%09%09+%0B+++%0C++%0D%09%0C+%0D%09%0B%0A%0C%0D%09%0D+%09+%0B%0C++%0D%0B%09%0B%0D%0D%0D%09+%0D%09+%0D+%0A%0D%0D%0B%0C%0C%0C%09+%0A%09%0C%0B+%09+%0C%28%0C%0B%0A%09%0C+%0A%09%09%0B%09%21%0C%0A%09%09%0A%0D%0C%0D%0B%0C%0A%09%0Bl57xxMzFU_5EqYOJXKOH0mtIOdkZKUzZkLkn_fO5WxBafTnHx5EByp21jP5WHaJ7umN7IykY2Cz41zKpep8NAI40p3TMYBP%3D%23%5EVB8BV%3B%40%24%29XP3BW%28~%3Ea%604%3CJ-r%5Dp%5Ej1Wd9%7C%25pWXDfsn-X201KJiQ%0B%0A%09%0C%0B%09%0D+%0A%0B%0A%0A+%0C%0A+%0B%0A%0B%0B%0D%09%0B+%0B%0B%0D%0B++%0A+%09+%0B%0C%09%0C+%0A%09%0D%0C%0B%0A%0D%0C%0C%0D%09%0A%0B++++%0A%0C%0C%0C%0B+%09%0B++%09%0A%0C+%09%0C%0A%0A%0D%09%09%0A+%09%0B%0C%0D%0C%0C%0C%0A%0A%0B%0B%0A%09%0B%0D%28+%0C%0C%0D%0C%0D%0C%0A%0D%0B%09%09%0B%0B%0C%0B%0A%0D%0D+%0C%0D%0B%0A%0B%0A%0D+%0B%0B%0D%0B%0D%0A%0B+%09%09%0B%0D%0C%0C%0A+%09%0D%09%0A%0C%09%0B+%0A%0C%0B%0C%0A%0B++%0D%0D+%0A+%0C%24%7B%7B%21%0C%0C%09%0A%09%0C%0D%0D%0D+%0D+%0A%0C%0D%0B+%09++%0A%09%0D%7B%7B%21%0B%09%0B%09%0D%0B%0A++%0A%0D%09%0A%0D%0D%0A%0C+%0A%0A%0C+%09%0C%0C%0B%0A%0A%0D%09%09%0C%0C%0D%0C%09%0A%0B%0B%0A%0D%0A+%0D%0D++%0D%0C%0B%0B%0C%09%0B%09%0B%0D%0B%09%09%0A%0C%0D+%0C%0B%0B%09%0A%09%0A%0D%0C++%0D%0D%0A%0A%0B%0A%0B%0B%
0B%09+++%09%0D%0C+%0B%0B+%0A%0C%0D%0C%0B+%0B%0A%09+%0D%0A%09%0C%0D%09%0D%0D%0A+%09%0B%0D%0A+%0A%0A%0B%09+++%09%0A%0A%0D%09%0D%0D%0A%09%0C+%0A%0B%0A%0B%0C%0D%0C+%0D%0D%09%0D%0C%09%0B%0C%0B%0B%0C%0C+%0B%0A%09%0B%0A%0C%0B+%0B%28%0B%0C%0B%09%0B%0C%0A%0B%0A%0A%0C%0B%09%0A%0C%09+%0A%0B+%0B%0B%0A+%0C%0A%0B%0D%0D%0B%0B%0D%0B%0B%0D%0D%0D+%0A%0D%0B+%0A+%09%0B%0C+%0B%0D%0A%0B%0D%0C%09%09%0B%0C%09%09%0B%0C%0C%0A%0B%0D%09%0C%0C%0D+%09%0D%0C%0C%0A+%0A%0A%0B%09%09%0D++%09+%0A+%0D%0B%0C%09%0C%0A%0B+%0B%0B%0A+%0D%0C%0D%0C%0C%0B%09++%09%0A%0B%0D%0C%0A%09+%0A%0B%0B%0B%28%0D%0C%0A%09%0C%0C%09%0A%09%0B%0D%0D%0B%0B%0C+%0D++%09+%0D%0D%0B%0B+%09%0D%09%0A%0D%0D%0D%0C%09%0B%0D%0D%0B%0B%28%09%0D%0C%0C%0D%09%0C%0D%0B%0B%09%0C%0A%0D%0D%0B+%0B%0A+%0C%09%0A%09+%0C++%0A%0C%0B%0C%0D%09%09%0D%0D%0C+%0B+%09%0C+%0D%0B+%09%0D%0D%0B++%0B%0A+%0D%0B%0A+%09++%0C%0B%09%0A%09+%09%0B%09%0B+%0A%09%0B+%0B+%0A%0D%21%09%0B%0D%09%0D++%0B%0C%0D%0C%0C%09+%0B%0A%0A%0B%0D%0A%09%21%0A%21OSXcUs847iGMZc2AqfscU5kA7P%3D%24LRMrGamel%7DApoHx8%5D.UG%26J8B%60hcco%25%26kd-Bw%09%0A%0B%0D%09%0A%0B%09+%0A+%0A%09%09%0B%0A++%0A+%7B%24kahQxnZIrrkVK8rLOxsvI_hCGMjW93ZvA%3D%24aHk%2B%25T%2FH%2C6%2C%7Bx%27yg%27%7B%3Aj%29eO%22gbX3P9%2C%2B6j%3A%09%5CKB%2B%7DB%23.CwK4%28%26-%22t%25MV0Gy%3AkA+%7D%22THj%7C%23o++%0D%09VNw5IPhzDI7hrMl9niB1dg2hy9IG0F2zHSYS2o1F8emGJqgpU4ADctvyozvD14ffZbcAnxQ1Dh%3D%3ECMWg%7B%60%5Et%3Ao%40Z%0C%0D%0D%0D%0A%0A%09%0C%0A%0B%0A%0D%0D+%09%0D%0C+%09+%0D%0B%0C%0A%0C%0C%0A%0D+%09%0BvJRzET2OczdbdZhmbbIPzRab76fjeR6F2_hNSm6z4KHSbhbNicRXEnVxlwgMTVMyDF3kWBi2sbp%3D%3EU%60NCb_PS4+%7DnW%28bMU%3DpU5%22G%3A%7D%60hM%3CYvV%3E%60uZ%7Cjo%3ErHlV%0DJ4%0B%7DR5LK%5B%60.A2BwVqbb%2B6DGR%2C%0CyX%2A%260_Z%2A~cJ6F%2F+~_%3Ee%0CA.~G%40.%0C+%0D%09%0A%0B%0B%0D%0D%0C%24%7B%21%0D%0D%0D%0A%0A%0B%09%0D%09%0A%0B%09%0B%0A%0B%09%0B%0B%0D%0D%0A%0D%0B%0A+%0D%09+%0D%0D+%0B%0B%0A+%0C%0C%0A%09+%0B%0C%0B%0D%0C+%0D%0D%0C%0A+%0D%09%0B%0C++%0B%0A%09%0B%0C%0A%09%0B%09%0A+%0D%09%0C%0B%0D%21%0C%0D%0C%21%0C%0B%0C%09+%0C+%0B%0B%09+%0A%0D%0C%0B%0B+%0B%0C%0D%0A%0D+%0B%0A%0C
%0A%09%0B%0B%0A%0A%0D+%0B%09+%0D%0A%09%0C%0C+%0D+%0C%09%0A%0A%0B%09+%0A%09%09+%0B%0B%0A+%0A+%0C%09%09%09%0C%7B%21%0B%0A%0B%0D%0A%0C%09+%0B%09%0D%0D%09%0D%0D%0D%0B%09%0A%0B%09%0B%09%0C%0D%0C%0A++%0D%0B%0C%09+%0D%09%0A%0D%0B%09+++%0B%09%0A++%0A%0C%0B+%0A%0D%0B%0C%0A+%24%09%0A+%0B+%0D+%09%0D%0D%0D%0A+%0B%0A%0B%0A%0B%0B%0D+%09%09%0B%09%09%09%0A+%0B+%0B+%09+%09+%0D%09%09%0A%0A+++%0B++%0B%09+%09+%0B%09%0C%09%0D%0A%0D%0A%0C+%0B%0B+%0C%0D+%0A++++%0B+%0C%28+%0D%09%09%0B%0D%0B%0C%0C%0D%09%0A%09%0D+%0B%09%0B%0B%09+%09%0B%0A%09+%0B%0A%09%09%0C+%0B+++%0A%0C%0C+%09%0A%0D+%0C%0B%0D%0D%0B%0A%0C+%0B%0B+%09+%09%0B%0B%09%09%09%0B++%0A%0D%0B%09%0D+%0A%0C%0A%0B%0D%09+%0D%0BALH480CtOX3sPn_Tz6DYi7P684DysfueG_v3LcnkW_d8P3b3gi0a7QQUIUkMYklYIFpQ_F6l6RClo4z5ULzWpenfgV%3D%3E%0C%0A%0B%0A%0D+%0B%0A%0B%0B%0C+%0D+%0B+%0B%0C%0A%0A%0C%09%0C%0B%0C+%0D%0B%0A%0A%09%0A%0A%09%0B%0D%0B%0D++%0D+%09%0C%0B%0B%0D%0C%0A%0B%0C%0B+%09+%0A%0A%0B%0B%0B%0D%09%09%0D%0A+%0A%09%0B+%0B%0A%09%0A%0B%0B%09%09%0D%09%0A%0B%0A%0A%0A%09%0B%0B%0C%0D%09%0D%0C+%0A%09%0A%0A%7B%21%0B+%09%09%0B%0D%0B%0C%0A%0C%0A%0A%0A%0C%0C%0A+%0A%0D%0B%0B+%09%0C%0B%0D%0C+%0B%0C%0D%09%0D%0D%0D%0D%0B%0A%0B%0B%0A%09%28+%0D%0D%0C%0A+%09%0C%0D%0D%0D%09%0D%0A%09%0C+%0C%0B%0B%09%0B%0D%0A%0D%0B%0A%0A%0D%0A%0D%0A%09%0B%0C%0B%0A%09%0A%0A%0A%0D%09%09%7B%21+%09%0C+%0B%0C%0C+%0A+%09%0C+%09%09%0D%09%09%0D%0B%0B+%0A++%0B%0C+%0A%0C+%0C+%0A%0B%0D%0C%0C%0D%0D%0C%0B%09%09%0A+%0D+%0C%0C%0B%0B%0B%09%0A++%0D+%0C%0A%0A%0D%0C++%0D%0D%09%0D%0C%0D%09%0C%0D%0D%09%0A+%0B%0C%0C%0B%0C%0C%0A%0B%0C+%0A%0A%0B%09%0D%0B%0A%0B%09%0C%0B%0C%0B%0B%09%0D%0A%0A%0D%0B%0D%0A%09%0B%0C++%0C%0D%09%0D+%0C%0A%0B%0D+%09%0C%0A%28+%0B+%0D%09%0D%0D%0C++%0B%0C%0C%0A++%0A%0B%0B%0A%09%0A%09%0D%0C%0C%09%0C+%0D%0D%09%0C%0B%0D%0D%0D%09%0C%0A+%24%0C%0A%0A%0A%09%0A%09%09%0C%0D%0B%09%0A%0C%0B%0B+%0A%0B+%09%0C%0A+%0D+%0C+%0A%0D%09%0D%0A%0A%0A%0B%0C%0C%0A%0A%0C%09++%09%09%0C%0C%0D%0C%0B%09%0B%09+%09%09%09%0A%0C%0D%0A%0A%0C+%0C+%28%0B%0B%09%0C+%0A%0D%0A%09%09%0A%09%0D+%0A%0B%0C+%09%0B%0C%0C%0B+%0C%0A%0C%0B%0D%
0C%0B%0C%09%0A%0B%09%0C%0A++%0D%0C++%0B%0D%0D%0C%0D%0A%0D+%0B%0A%09+%0B%0D%0C%0B%0A%0B%09%0C%09%0D%0C%0C%0C%0C%0D%09%0C%0C%0B++%09%0B+%0A%0A%0A%0B+%0A%09+%09%0D+%0B%0D%0C%0B++%0B%0Bs4oqfYRbuc2j5xvh9qViDIB9VSKGuysf%3D%24jB1%5EwEhd63fAp40d%24a%0BoLA%7CskKD%29fG%26K%28%7Csag%3DFlcP2%2FaH%5Ca%21KoTYs%0B%0A+%0B+%09+%0A%0D%09+%0A%0D%0B%0C%0B%09%0C%0D%0C%0D%0C%0A%0D%09%0D%0D%0D%0A%0D%0A++%0C%0A+%0C%09+_9uk4_csIKbAS3pOGzY1lokLg0frOlLL866n0krzhYAyfdhQr5vwX5PvqnFTzlpBtrqILu66G17VqOa0Le9Iy52D%3D%24%7C%245%7DodV%7Dq%5BA%40%0Be-%0CiGb%09%7DV%23xW%235~pwA%3Ch%3BK%27%0CM.%3D9HnZpC%7Bp%0CV%5BQ%2Fv.%241MuMa%2B%40j.9m%23W~S_%7D%40+%24n%60%09LgN%2CMfM+%0D%0A%0B+%09%0A%0D%0A%0D%09%0A%09%0D%0A++%09%0A+%0D%0A%0A%0D%0C%0B++%0C%0D%09%0D%0A%0D%09%09%0B%0C%0C%0B+%0C%0B%0B%0B%0A%7B+%0D%0C+%0C%0D%09%0B%0C%0B%09%0C%0D%0B%0D%0D%0B%0A%0D%0A+%0C%0A%0B%09+%0A%0D%09%09+%0D%0B%09++%0A%0B%0D%09%0B%0D%0B%0C%0C%0A%09++%0D%0C%0A%0B+%0B%0A%0D%0A%0A%0B%09%0C%0A%0C%0C%09%0A%09+%0B%09%0C%0D%0A%0D%0A%0A%0A%0C%0D%09%0D%0B%0B%0B%0C%0B%0B%09%0A%0A%0A%0A%22%22%22%22%22%22%22%27%27%22%27%27%27%27%22%22%22%22%27%22%22%27%27tlTqyA7HNIg-%5C%2FNeuVcHr%5B%290w%2FC4%2Bkvob%2A%22a8WDEQ7%5Cy6wcfl1-LN%2F%5C%22%22%22%5C%5C%5C%5C%22%5C%22%22%27%5C%5C%5C%22%22%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%27%22%5C%22%5C%5C%5C%22%27%5C%5C%27%5C%5C%5Cp%5C%5C%22%27%5C%27%5C%27%27%27%27%5C%5C%5C%5C%27%22%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%22%5C%27%5C%5C%5C%27%5C%22%22%27%5C%5C%27%5C%22%27%22%5C%5C%22%22%5C%5C%27%5C%27%27%22%5C%27%5C%22%5C%5C%5C%5C%5C%22%5C%27%27%22%22%22%5C%5C%27%27%5C%27%5C%22%22%5C%5C%5C%22%27%27%5C%22%22%27%27%22r%22%5C%27%27%22%5C%5C%5C%22%22%5C%5C%27%5C%22%22%5C%27%5C%5C%22%5C%5C%5C%5C%5C%27%27%5C%22%5C%27%5C%27i%5C%5C%5C%5C%5C%22%27%27%22%5C%27%27%22%22%5C%5C%22%22%22%27%5C%22%5C%5C%27%5C%5C%5C%5C%22%5C%5C%5C%22%27%5C%5C%5C%27%27%22%5C%5C%5C%5C%5C%27%22%5C%27%27%5C%27%27%5C%22%22n%5C%5C%22%27%5C%5C%27%5C%5Ct%5C%22%22%5C%22%5C%5C%5C%5C%5C%22%22%5C%5C%5C%5C%5C%27%5C%22%22%27%5C%27%5C%27%27%22%5C%27%5C%5C%27%27%22%27%27%5C%5
C%22%22%22%27%5C%27%27%27e%22%5C%27%27%5C%5C%27%5C%5C%27%5C%22%5C%22%22%5C%5C%5C%27%22%27%5C%5C%22%22%5C%27%22%27%5C%22%22%5C%5C%5C%5C%22%27%27%27%5C%5C%22%5C%5C%27%27%27%5C%5C%5C%27%5C%5C%5Cn%5C%5C%5C%27%22%5C%5C%5C%27%5C%27%5C%5C%27%5C%22%27%5C%22%5C%22%5C%5C%5C%5C%22%22%5C%5C%5C%5C%5C%5C%22%5C%27%27%27%22%5C%22%5C%5C%5C%5C%27%5C%5C%5C%27%5C%5C%5C%5C%5C%5C%5C%5C%5C%22%5C%27%5C%22v%27%22%22%5C%5C%22%5C%22%5C%27%5C%5C%5C%5C%5C%27%22%5C%5C%5C%5C%5C%27%5C%27%27%5C%5C%5C%22%5C%5C%5C%27%5C%27%27%27%22%5C%27%27%5C%22%22%5C%5C%5C%22%22%27%5C%27%5C%5C%5C%22%22%22%22%5C%5C%27%22%5C%5C%5C%27%27%27%5C%5C%5C%5C%22%3C HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Rule content
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:^|=)\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*(?:l[\\\\'\"]*(?:s(?:[\\\\'\"]*(?:b[\\\\'\"]*_[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*l[\\\\'\"]*e[\\\\'\"]*a[\\\\'\"]*s[\\\\'\"]*e|c[\\\\'\"]*p[\\\\'\"]*u|m[\\\\'\"]*o[\\\\'\"]*d|p[\\\\'\"]*c[\\\\'\"]*i|u[\\\\'\"]*s[\\\\'\"]*b|-[\\\\'\"]*F|o[\\\\'\"]*f))?|z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|m[\\\\'\"]*(?:o[\\\\'\"]*r[\\\\'\"]*e|a)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s)|e[\\\\'\"]*s[\\\\'\"]*s[\\\\'\"]*(?:(?:f[\\\\'\"]*i[\\\\'\"]*l|p[\\\\'\"]*i[\\\\'\"]*p)[\\\\'\"]*e|e[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*o)|a[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*(?:l[\\\\'\"]*o[\\\\'\"]*g(?:[\\\\'\"]*i[\\\\'\"]*n)?|c[\\\\'\"]*o[\\\\'\"]*m[\\\\'\"]*m)|w[\\\\'\"]*p(?:[\\\\'\"]*-[\\\\'\"]*d[\\\\'\"]*o[\\\\'\"]*w[\\\\'\"]*n[\\\\'\"]*l[\\\\'\"]*o[\\\\'\"]*a[\\\\'\"]*d)?|f[\\\\'\"]*t[\\\\'\"]*p(?:[\\\\'\"]*g[\\\\'\"]*e[\\\\'\"]*t)?|y[\\\\'\"]*n[\\\\'\"]*x)|s[\\\\'\"]*(?:e[\\\\'\"]*(?:t[\\\\'\"]*(?:e[\\\\'\"]*n[\\\\'\"]*v|s[\\\\'\"]*i[\\\\'\"]*d)|n[\\\\'\"]*d[\\\\'\"]*m[\\\\'\"]*a[\\\\'\"]*i[\\\\'\"]*l|d)|h(?:[\\\\'\"]*\.[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*r[\\\\'\"]*i[\\\\'\"]*b)?|o[\\\\'\"]*(?:u[\\\\'\"]*r[\\\\'\"]*c[\\\\'\"]*e|c[\\\\'\"]*a[\\\\'\"]*t)|t[\\\\'\"]*r[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*g[\\\\'\"]*s|y[\\\\'\"]*s[\\\\'\"]*c[\\\\'\"]*t[\\\\'\"]*l|c[\\\\'\"]*(?:h[\\\\'\"]*e[\\\\'\"]*d|p)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|f[\\\\'\"]*t[\\\\'\"]*p|u[\\\\'\"]*d[\\\\'\"]*o|s[\\\\'\"]*h|v[\\\\'\"]*n)|p[\\\\'\"]*(?:t[\\\\'\"]*a[\\\\'\"]*r(?:[\\\\'\"]*(?:d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p))?|y[\\\\'\"]*t[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*n(?:[\\\\'\"]*(?:3(?:[\\\\'\"]*m)?|2))?|k[\\\\'\"]*(?:e[\\\\'\"]*x[\\\\'\"]*e[\\\
\'\"]*c|i[\\\\'\"]*l[\\\\'\"]*l)|r[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*v|(?:g[\\\\'\"]*r[\\\\'\"]*e|f[\\\\'\"]*t)[\\\\'\"]*p|e[\\\\'\"]*r[\\\\'\"]*l(?:[\\\\'\"]*5)?|h[\\\\'\"]*p(?:[\\\\'\"]*[57])?|i[\\\\'\"]*n[\\\\'\"]*g|o[\\\\'\"]*p[\\\\'\"]*d)|n[\\\\'\"]*(?:c(?:[\\\\'\"]*(?:\.[\\\\'\"]*(?:t[\\\\'\"]*r[\\\\'\"]*a[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*a[\\\\'\"]*l|o[\\\\'\"]*p[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*b[\\\\'\"]*s[\\\\'\"]*d)|a[\\\\'\"]*t))?|e[\\\\'\"]*t[\\\\'\"]*(?:k[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*-[\\\\'\"]*f[\\\\'\"]*t[\\\\'\"]*p|(?:s[\\\\'\"]*t|c)[\\\\'\"]*a[\\\\'\"]*t)|o[\\\\'\"]*h[\\\\'\"]*u[\\\\'\"]*p|p[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*g|s[\\\\'\"]*t[\\\\'\"]*a[\\\\'\"]*t)|t[\\\\'\"]*(?:c[\\\\'\"]*(?:p[\\\\'\"]*(?:t[\\\\'\"]*r[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e|i[\\\\'\"]*n[\\\\'\"]*g)|s[\\\\'\"]*h)|r[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e(?:[\\\\'\"]*6)?|i[\\\\'\"]*m[\\\\'\"]*e(?:[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t)?|a[\\\\'\"]*(?:i[\\\\'\"]*l(?:[\\\\'\"]*f)?|r)|e[\\\\'\"]*l[\\\\'\"]*n[\\\\'\"]*e[\\\\'\"]*t)|r[\\\\'\"]*(?:e[\\\\'\"]*(?:p[\\\\'\"]*(?:l[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e|e[\\\\'\"]*a[\\\\'\"]*t)|a[\\\\'\"]*l[\\\\'\"]*p[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*h|n[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*e)|u[\\\\'\"]*b[\\\\'\"]*y(?:[\\\\'\"]*(?:1(?:[\\\\'\"]*[89])?|2[\\\\'\"]*[012]))?|m[\\\\'\"]*(?:u[\\\\'\"]*s[\\\\'\"]*e|d[\\\\'\"]*i)[\\\\'\"]*r|n[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*o|s[\\\\'\"]*y[\\\\'\"]*n[\\\\'\"]*c|c[\\\\'\"]*p)|b[\\\\'\"]*(?:z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|c[\\\\'\"]*a[\\\\'\"]*t)|s[\\\\'\"]*d[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*f[\\\\'\"]*f|t[\\\\'\"]*a[\\\\'\"]*r)|u[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*n|a[\\\\'\"]
*s[\\\\'\"]*h)|m[\\\\'\"]*(?:y[\\\\'\"]*s[\\\\'\"]*q[\\\\'\"]*l[\\\\'\"]*(?:d[\\\\'\"]*u[\\\\'\"]*m[\\\\'\"]*p(?:[\\\\'\"]*s[\\\\'\"]*l[\\\\'\"]*o[\\\\'\"]*w)?|h[\\\\'\"]*o[\\\\'\"]*t[\\\\'\"]*c[\\\\'\"]*o[\\\\'\"]*p[\\\\'\"]*y|a[\\\\'\"]*d[\\\\'\"]*m[\\\\'\"]*i[\\\\'\"]*n|s[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*w)|l[\\\\'\"]*o[\\\\'\"]*c[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*e|a[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*q)|u[\\\\'\"]*(?:n[\\\\'\"]*(?:c[\\\\'\"]*o[\\\\'\"]*m[\\\\'\"]*p[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|l[\\\\'\"]*z[\\\\'\"]*m[\\\\'\"]*a|a[\\\\'\"]*m[\\\\'\"]*e|r[\\\\'\"]*a[\\\\'\"]*r|s[\\\\'\"]*e[\\\\'\"]*t|z[\\\\'\"]*i[\\\\'\"]*p|x[\\\\'\"]*z)|s[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*(?:(?:a[\\\\'\"]*d|m[\\\\'\"]*o)[\\\\'\"]*d|d[\\\\'\"]*e[\\\\'\"]*l))|x[\\\\'\"]*(?:z(?:[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|d[\\\\'\"]*(?:i[\\\\'\"]*f[\\\\'\"]*f|e[\\\\'\"]*c)|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e))?|a[\\\\'\"]*r[\\\\'\"]*g[\\\\'\"]*s)|z[\\\\'\"]*(?:(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e|i)[\\\\'\"]*p|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|r[\\\\'\"]*u[\\\\'\"]*n|s[\\\\'\"]*h)|f[\\\\'\"]*(?:t[\\\\'\"]*p[\\\\'\"]*(?:s[\\\\'\"]*t[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*s|w[\\\\'\"]*h[\\\\'\"]*o)|i[\\\\'\"]*l[\\\\'\"]*e[\\\\'\"]*t[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*t|e[\\\\'\"]*t[\\\\'\"]*c[\\\\'\"]*h|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p)|c[\\\\'\"]*(?:o[\\\\'\"]*(?:m[\\\\'\"]*m[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*d|p[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*c)|u[\\\\'\"]*r[\\\\'\"]*l|s[\\\\'\"]*h|c)|e[\\\\'\"]*(?:g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*h[\\\\'\"]*o|v[\\\\'\"]*a[\\\\'\"]*l|x[\\\\'\"]*e[\\\\'\"]*c|n[\\\\'\"]*v)|d[\\\\'\"]*(?:m[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*g|a[\\\\'\"]*s[\\\\'\"]*h|i[\\\\'\"]*f[\\\\'\"]*f|o[\\\\'\"]*a[\\\\'\"]*s)|g[\\\\'\"]*(?:z[\\\\'\"]*(?:c[\\\\'\"]*a[
\\\\'\"]*t|i[\\\\'\"]*p)|r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*c)|j[\\\\'\"]*(?:o[\\\\'\"]*b[\\\\'\"]*s[\\\\'\"]*\s+[\\\\'\"]*-[\\\\'\"]*x|a[\\\\'\"]*v[\\\\'\"]*a)|w[\\\\'\"]*(?:h[\\\\'\"]*o[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*i|g[\\\\'\"]*e[\\\\'\"]*t|3[\\\\'\"]*m)|i[\\\\'\"]*r[\\\\'\"]*b(?:[\\\\'\"]*(?:1(?:[\\\\'\"]*[89])?|2[\\\\'\"]*[012]))?|o[\\\\'\"]*n[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*r|h[\\\\'\"]*(?:e[\\\\'\"]*a[\\\\'\"]*d|u[\\\\'\"]*p)|v[\\\\'\"]*i[\\\\'\"]*(?:g[\\\\'\"]*r|p[\\\\'\"]*w)|G[\\\\'\"]*E[\\\\'\"]*T)[\\\\'\"]*(?:\s|;|\||&|<|>)" \
    "id:932150, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Remote Command Execution: Direct Unix Command Execution',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
    tag:'WASCTC/WASC-31',\
    tag:'OWASP_TOP_10/A1',\
    tag:'PCI/6.5.2',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}'"
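Pattern for rule 941300 is not blocked (status code 400). Note: a 400 is neither the 403 this report counts as blocked nor a 200 pass-through. The request below carries raw control characters (CR, FF, VT, TAB) in its Cookie header, so it was probably rejected as malformed, and this result says little about whether rule 941300 matches the pattern.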
ModSecurity Rule ID
941300
From file
../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern
<OBJECT/type/
	 /+  //=
Request sent to WAF
GET /?test=%3COBJECT%2Ftype%2F%0C%0D%09+%2F%2B%0B%0B%0B++%2F%2F%0B%3D&_NAMES=%3COBJECT%2Ftype%2F%0C%0D%09+%2F%2B%0B%0B%0B++%2F%2F%0B%3D HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: <OBJECT/type/
	 /+  //==test; _NAMES=<OBJECT/type/
	 /+  //=; test=<OBJECT/type/
	 /+  //=
Connection: keep-alive

Rule content
# Rule 941300 (XSS): case-insensitive match on "<OBJECT" followed by whitespace,
# "/" or "+", then a type, codetype, classid, code or data attribute and "=".
# Checked against cookies (names matching /__utm/ excluded), cookie names,
# argument names and values, and XML, after the decoding steps listed in t:.
# A match adds the critical anomaly score to tx.xss_score and tx.anomaly_score_pl1.
# NOTE(review): `deny, nolog` precedes `block` in the action list; nolog keeps a
# match out of the error and audit logs, so only the HTTP status shows the
# outcome. Presumably added by the test harness; confirm.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<OBJECT[\s/+].*?(?:type|codetype|classid|code|data)[\s/+]*=" \
    "id:941300, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'IE XSS Filters - Attack Detected.',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
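Pattern for rule 942390 is not blocked (status code 400). Note: a 400 is neither the 403 this report counts as blocked nor a 200 pass-through. The request below carries raw control characters (CR, TAB, FF) in its Cookie header, so it was probably rejected as malformed, and this result says little about whether rule 942390 matches the pattern.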
ModSecurity Rule ID
942390
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
xor
 		 0663131452>
Request sent to WAF
GET /?test=xor%0D+%09%0C%09%0C+0663131452%3E&_NAMES=xor%0D+%09%0C%09%0C+0663131452%3E HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: _NAMES=xor
 		 0663131452>; test=xor
 		 0663131452>; xor
 		 0663131452>=test
Connection: keep-alive

Rule content
# Rule 942390 (SQL injection): matches "or" / "xor" used as a boolean operator,
# i.e. followed by a short quoted string or a number of up to 10 digits, with an
# optional comparison operator, plus the quote-prefixed variants
# ("' or ..." / "' xor ..." followed by +, -, !, <, > or =).
# Checked against cookies (names matching /__utm/ and /_pk_ref/ excluded),
# cookie names, argument names and values, and XML, after t:urlDecodeUni.
# Tagged paranoia-level/2 and scored into tx.anomaly_score_pl2.
# NOTE(review): whether the WAF under test runs at paranoia level 2 is not
# shown here; confirm before reading a non-block as a rule gap.
# NOTE(review): `nolog` on the id line keeps a match out of the logs, so only
# the HTTP status shows the outcome. Presumably set by the test harness; confirm.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\b(?:(?i:xor)\b\s+(?:'[^=]{1,10}'(?:\s*?[=<>])?|\d{1,10}(?:\s*?[=<>])?)|(?i:or)\b\s+(?:'[^=]{1,10}'(?:\s*?[=<>])?|\d{1,10}(?:\s*?[=<>])?))|(?i:\bor\b ?[\'\"][^=]{1,10}[\'\"] ?[=<>]+)|(?i:'\s+xor\s+.{1,20}[+\-!<>=])|(?i:'\s+or\s+.{1,20}[+\-!<>=])|(?i:\bor\b ?\d{1,10} ?[=<>]+))" \
    "id:942390, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'SQL Injection Attack',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}'"
Pattern for rule 921120 is blocked (status code 403)
ModSecurity Rule ID
921120
From file
../../owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Generated pattern
location:
Request sent to WAF
GET /?test=%0Alocation%3A&_NAMES=%0Alocation%3A HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Rule content
# Rule 921120 (HTTP response splitting): matches a CR or LF followed, after any
# non-word characters, by a content-type, content-length, set-cookie or
# location header name and a colon.
# Input is URL-decoded and lowercased first (t:urlDecodeUni, t:lowercase), which
# is why the header names in the regex are lowercase only.
# Checked against cookies (names matching /__utm/ excluded), cookie names,
# argument names and values, and XML. A match adds the critical anomaly score to
# tx.http_violation_score and tx.anomaly_score_pl1.
# NOTE(review): `nolog` on the id line keeps a match out of the logs, so only
# the HTTP status shows the outcome. Presumably set by the test harness; confirm.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\r\n]\W*?(?:content-(?:type|length)|set-cookie|location):" \
    "id:921120, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:lowercase,\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    msg:'HTTP Response Splitting Attack',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}'"
Pattern for rule 931100 is blocked (status code 403)
ModSecurity Rule ID
931100
From file
../../owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Generated pattern
file://0.0.82.306
Request sent to WAF
GET /?test=file%3A%2F%2F0.0.82.306 HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Rule content
# Rule 931100 (remote file inclusion): matches an argument value that begins
# with file://, ftp://, ftps://, http:// or https:// followed by four
# dot-separated groups of 1-3 digits.
# The regex is anchored at the start of the value (^) and does not range-check
# the groups, so a string such as 0.0.82.306 also matches.
# Only ARGS is inspected (no cookies, argument names or XML), with t:none.
# A match adds the critical anomaly score to tx.rfi_score and
# tx.anomaly_score_pl1.
# NOTE(review): `nolog` on the id line keeps a match out of the logs, so only
# the HTTP status shows the outcome. Presumably set by the test harness; confirm.
SecRule ARGS "@rx ^(?i:file|ftps?|https?):\/\/(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \
    "id:931100, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-rfi',\
    tag:'OWASP_CRS/WEB_ATTACK/RFI',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}'"
Pattern for rule 932130 is blocked (status code 403)
ModSecurity Rule ID
932130
From file
../../owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Generated pattern
${ZD56&D\q:ne#ok}
Request sent to WAF
GET /?test=%24%7BZD56%26D%5Cq%3Ane%23ok%7D&_NAMES=%24%7BZD56%26D%5Cq%3Ane%23ok%7D HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: ${ZD56&D\q:ne#ok}=test; _NAMES=${ZD56&D\q:ne#ok}; test=${ZD56&D\q:ne#ok}
Connection: keep-alive

Rule content
# Rule 932130 (command injection): matches Unix shell expression syntax:
# $(...), $((...)), ${...}, <(...) and >(...).
# Checked against cookies (names matching /__utm/ excluded), cookie names,
# argument names and values, and XML, after t:urlDecodeUni and t:cmdLine.
# The inner parts are ".*", so any content between the delimiters matches.
# A match adds the critical anomaly score to tx.rce_score and
# tx.anomaly_score_pl1.
# NOTE(review): `nolog` on the id line keeps a match out of the logs, so only
# the HTTP status shows the outcome. Presumably set by the test harness; confirm.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\$(?:\((?:\(.*\)|.*)\)|\{.*\})|[<>]\(.*\))" \
    "id:932130, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:cmdLine,\
    msg:'Remote Command Execution: Unix Shell Expression Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
    tag:'WASCTC/WASC-31',\
    tag:'OWASP_TOP_10/A1',\
    tag:'PCI/6.5.2',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}'"
Pattern for rule 933100 is blocked (status code 403)
ModSecurity Rule ID
933100
From file
../../owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Generated pattern
<?
Request sent to WAF
GET /?test=%3C%3F&_NAMES=%3C%3F HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: <?=test; _NAMES=<?; test=<?
Connection: keep-alive

Rule content
# Rule 933100 (PHP injection): matches a PHP open tag: "<?" unless it is
# followed by "xml" and whitespace, "<?php", or the bracket forms "[php]",
# "[/php]" and "[\php]".
# Input is URL-decoded and lowercased first (t:urlDecodeUni, t:lowercase), so
# the lowercase literals in the regex cover mixed-case input.
# Checked against cookies (names matching /__utm/ excluded), cookie names,
# argument names and values, and XML. A match adds the critical anomaly score to
# tx.php_injection_score and tx.anomaly_score_pl1.
# NOTE(review): `nolog` on the id line keeps a match out of the logs, so only
# the HTTP status shows the outcome. Presumably set by the test harness; confirm.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:<\?(?!xml\s)|<\?php|\[(?:/|\\\\)?php\])" \
    "id:933100, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:lowercase,\
    msg:'PHP Injection Attack: PHP Open Tag Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-injection-php',\
    tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
    tag:'OWASP_TOP_10/A1',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}'"
Pattern for rule 933140 is blocked (status code 403)
ModSecurity Rule ID
933140
From file
../../owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Generated pattern
php://filter
Request sent to WAF
GET /?test=php%3A%2F%2Ffilter&_NAMES=php%3A%2F%2Ffilter HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: _NAMES=php://filter; php://filter=test; test=php://filter
Connection: keep-alive

Rule content
# Rule 933140 (PHP injection): case-insensitive match on the php:// stream
# wrappers stdin, stdout, stderr, input, output, fd, memory, temp and filter.
# Checked against cookies (names matching /__utm/ excluded), cookie names,
# argument names and values, and XML, with t:none (no extra decoding is
# requested by this rule).
# A match adds the critical anomaly score to tx.php_injection_score and
# tx.anomaly_score_pl1.
# NOTE(review): `nolog` on the id line keeps a match out of the logs, so only
# the HTTP status shows the outcome. Presumably set by the test harness; confirm.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)" \
    "id:933140, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'PHP Injection Attack: I/O Stream Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-injection-php',\
    tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
    tag:'OWASP_TOP_10/A1',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}'"
Pattern for rule 933160 is blocked (status code 403)
ModSecurity Rule ID
933160
From file
../../owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Generated pattern
escapeshellcmd//MQ38#$R(s_Ip]>fSrf2/*yx*///>!6pV+"G.vde\Z!&KK//>ES6`oN7<&SNp5mx#Z0^a_%dE7(GV	/*x"o3/>gGLz;x*/#ur[T;gXVj;[Q:BZ7#q&/*>m"aT^i<*//*@n3$K5,*/#7HX2vko8//<^Kv&15/*J_E*///3INu80W4d:#V6T(U;rP[Xx^KK<(8m8FR9w%Y)
Request sent to WAF
GET /escapeshellcmd%2F%2FMQ38%23%24R%28s_Ip%5D%3EfSrf2%2F%2Ayx%2A%2F%2F%2F%3E%216pV%2B%22G.vde%5CZ%21%26KK%2F%2F%3EES6%60oN7%3C%26SNp5mx%23Z0%5Ea_%25dE7%28GV%09%2F%2Ax%22o3%2F%3EgGLz%3Bx%2A%2F%23ur%5BT%3BgXVj%3B%5BQ%3ABZ7%23q%26%2F%2A%3Em%22aT%5Ei%3C%2A%2F%2F%2A%40n3%24K5%2C%2A%2F%237HX2vko8%2F%2F%3C%5EKv%2615%2F%2AJ_E%2A%2F%2F%2F3INu80W4d%3A%0C%23V6T%28U%3BrP%5BXx%5EKK%3C%288m8FR9w%25Y%29?test=escapeshellcmd%2F%2FMQ38%23%24R%28s_Ip%5D%3EfSrf2%2F%2Ayx%2A%2F%2F%2F%3E%216pV%2B%22G.vde%5CZ%21%26KK%2F%2F%3EES6%60oN7%3C%26SNp5mx%23Z0%5Ea_%25dE7%28GV%09%2F%2Ax%22o3%2F%3EgGLz%3Bx%2A%2F%23ur%5BT%3BgXVj%3B%5BQ%3ABZ7%23q%26%2F%2A%3Em%22aT%5Ei%3C%2A%2F%2F%2A%40n3%24K5%2C%2A%2F%237HX2vko8%2F%2F%3C%5EKv%2615%2F%2AJ_E%2A%2F%2F%2F3INu80W4d%3A%0C%23V6T%28U%3BrP%5BXx%5EKK%3C%288m8FR9w%25Y%29&_NAMES=escapeshellcmd%2F%2FMQ38%23%24R%28s_Ip%5D%3EfSrf2%2F%2Ayx%2A%2F%2F%2F%3E%216pV%2B%22G.vde%5CZ%21%26KK%2F%2F%3EES6%60oN7%3C%26SNp5mx%23Z0%5Ea_%25dE7%28GV%09%2F%2Ax%22o3%2F%3EgGLz%3Bx%2A%2F%23ur%5BT%3BgXVj%3B%5BQ%3ABZ7%23q%26%2F%2A%3Em%22aT%5Ei%3C%2A%2F%2F%2A%40n3%24K5%2C%2A%2F%237HX2vko8%2F%2F%3C%5EKv%2615%2F%2AJ_E%2A%2F%2F%2F3INu80W4d%3A%0C%23V6T%28U%3BrP%5BXx%5EKK%3C%288m8FR9w%25Y%29 HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: _NAMES=escapeshellcmd//MQ38#$R(s_Ip]>fSrf2/*yx*///>!6pV+"G.vde\Z!&KK//>ES6`oN7<&SNp5mx#Z0^a_%dE7(GV	/*x"o3/>gGLz;x*/#ur[T;gXVj;[Q:BZ7#q&/*>m"aT^i<*//*@n3$K5,*/#7HX2vko8//<^Kv&15/*J_E*///3INu80W4d:#V6T(U;rP[Xx^KK<(8m8FR9w%Y); escapeshellcmd//MQ38#$R(s_Ip]>fSrf2/*yx*///>!6pV+"G.vde\Z!&KK//>ES6`oN7<&SNp5mx#Z0^a_%dE7(GV	/*x"o3/>gGLz;x*/#ur[T;gXVj;[Q:BZ7#q&/*>m"aT^i<*//*@n3$K5,*/#7HX2vko8//<^Kv&15/*J_E*///3INu80W4d:#V6T(U;rP[Xx^KK<(8m8FR9w%Y)=test; test=escapeshellcmd//MQ38#$R(s_Ip]>fSrf2/*yx*///>!6pV+"G.vde\Z!&KK//>ES6`oN7<&SNp5mx#Z0^a_%dE7(GV	/*x"o3/>gGLz;x*/#ur[T;gXVj;[Q:BZ7#q&/*>m"aT^i<*//*@n3$K5,*/#7HX2vko8//<^Kv&15/*J_E*///3INu80W4d:#V6T(U;rP[Xx^KK<(8m8FR9w%Y)
Connection: keep-alive

Rule content
# Rule 933160 (PHP injection): case-insensitive match on one of the listed PHP
# function names (system, passthru, exec, eval, escapeshellcmd, unserialize,
# ...) at a word boundary, followed by optional whitespace or PHP comments
# (/* */, //, #) and a parenthesised argument list.
# Besides cookies (names matching /__utm/ excluded), cookie names, argument
# names and values, and XML, this rule also inspects REQUEST_FILENAME.
# Runs with t:none. A match adds the critical anomaly score to
# tx.php_injection_score and tx.anomaly_score_pl1.
# NOTE(review): the regex is wrapped across two lines in this listing
# ("pars" / "e_str"), which looks like a page-layout break rather than part of
# the rule; confirm against the rule file.
# NOTE(review): `nolog` on the id line keeps a match out of the logs, so only
# the HTTP status shows the outcome. Presumably set by the test harness; confirm.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|pars
e_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|b(?:(?:son_(?:de|en)|ase64_en)code|zopen)|var_dump)(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)" \
    "id:933160, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'PHP Injection Attack: High-Risk PHP Function Call Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-injection-php',\
    tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
    tag:'OWASP_TOP_10/A1',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}'"
Pattern for rule 933180 is blocked (status code 403)
ModSecurity Rule ID
933180
From file
../../owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Generated pattern
$$$$$$$$$$$$$$$$$$$$¬nns#x`eK+ZB49=Uci[SGtMx"lr(R?`?A#] /*\P/,,mY>XmU'c*/{wG0,!3rpI;C!Xq>n9}//?h{u.ZM0Dzw]Amdu*}(9bV>E)<Q^.O#!2(5L$)
Request sent to WAF
GET /%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%C2%ACnn%7Fs%23x%60eK%2BZB49%3DUci%5BSGtMx%22lr%28R%3F%60%3FA%23%5D+%2F%2A%5CP%2F%2C%2CmY%3EXmU%27c%2A%2F%7BwG0%2C%213rpI%3BC%21Xq%3En9%7D%2F%2F%3Fh%7Bu.ZM0Dzw%5DAmdu%2A%7D%289bV%3EE%29%3CQ%5E.O%23%212%285L%24%29?test=%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%C2%ACnn%7Fs%23x%60eK%2BZB49%3DUci%5BSGtMx%22lr%28R%3F%60%3FA%23%5D+%2F%2A%5CP%2F%2C%2CmY%3EXmU%27c%2A%2F%7BwG0%2C%213rpI%3BC%21Xq%3En9%7D%2F%2F%3Fh%7Bu.ZM0Dzw%5DAmdu%2A%7D%289bV%3EE%29%3CQ%5E.O%23%212%285L%24%29&_NAMES=%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%C2%ACnn%7Fs%23x%60eK%2BZB49%3DUci%5BSGtMx%22lr%28R%3F%60%3FA%23%5D+%2F%2A%5CP%2F%2C%2CmY%3EXmU%27c%2A%2F%7BwG0%2C%213rpI%3BC%21Xq%3En9%7D%2F%2F%3Fh%7Bu.ZM0Dzw%5DAmdu%2A%7D%289bV%3EE%29%3CQ%5E.O%23%212%285L%24%29 HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: $$$$$$$$$$$$$$$$$$$$¬nns#x`eK+ZB49=Uci[SGtMx"lr(R?`?A#] /*\P/,,mY>XmU'c*/{wG0,!3rpI;C!Xq>n9}//?h{u.ZM0Dzw]Amdu*}(9bV>E)<Q^.O#!2(5L$)=test; _NAMES=$$$$$$$$$$$$$$$$$$$$¬nns#x`eK+ZB49=Uci[SGtMx"lr(R?`?A#] /*\P/,,mY>XmU'c*/{wG0,!3rpI;C!Xq>n9}//?h{u.ZM0Dzw]Amdu*}(9bV>E)<Q^.O#!2(5L$); test=$$$$$$$$$$$$$$$$$$$$¬nns#x`eK+ZB49=Uci[SGtMx"lr(R?`?A#] /*\P/,,mY>XmU'c*/{wG0,!3rpI;C!Xq>n9}//?h{u.ZM0Dzw]Amdu*}(9bV>E)<Q^.O#!2(5L$)
Connection: keep-alive

Rule content
# Rule 933180 (PHP injection): matches a PHP variable function call: one or more
# "$" followed by an identifier or a "{...}" expression, then optional
# whitespace, "[...]" / "{...}" accessors or PHP comments, then a parenthesised
# argument list.
# Besides cookies (names matching /__utm/ excluded), cookie names, argument
# names and values, and XML, this rule also inspects REQUEST_FILENAME.
# Runs with t:none. A match adds the critical anomaly score to
# tx.php_injection_score and tx.anomaly_score_pl1.
# NOTE(review): `nolog` on the id line keeps a match out of the logs, so only
# the HTTP status shows the outcome. Presumably set by the test harness; confirm.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx \$+(?:[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*|\s*{.+})(?:\s|\[.+\]|{.+}|/\*.*\*/|//.*|#.*)*\(.*\)" \
    "id:933180, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'PHP Injection Attack: Variable Function Call Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-injection-php',\
    tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
    tag:'OWASP_TOP_10/A1',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}'"
Pattern for rule 941140 is blocked (status code 403)
ModSecurity Rule ID
941140
From file
../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern
<isindex>
Request sent to WAF
GET /?test=%3Cisindex%3E&Referer=%3Cisindex%3E&_NAMES=%3Cisindex%3E&User-Agent=%3Cisindex%3E HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Test: <isindex>
Referer: <isindex>
_NAMES: <isindex>
Cookie: <isindex>=test; Referer=<isindex>; User-Agent=<isindex>; _NAMES=<isindex>; test=<isindex>
Connection: keep-alive

Rule content
# Rule 941140 (XSS): case-insensitive match on either
#   - an opening applet, object, isindex, embed, style, form or meta tag, or
#   - "=" or "URL(" followed, before any ">", by "SCRIPT:" with optional
#     whitespace between its letters.
# In addition to cookies (names matching /__utm/ excluded), cookie names,
# argument names and values, and XML, this rule inspects the User-Agent and
# Referer request headers. Input goes through the decoding steps listed in t:.
# A match adds the critical anomaly score to tx.xss_score and
# tx.anomaly_score_pl1.
# NOTE(review): `nolog` on the id line keeps a match out of the logs, so only
# the HTTP status shows the outcome. Presumably set by the test harness; confirm.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:<(?:(?:apple|objec)t|isindex|embed|style|form|meta)\b[^>]*?>[\s\S]*?|(?:=|U\s*?R\s*?L\s*?\()\s*?[^>]*?\s*?S\s*?C\s*?R\s*?I\s*?P\s*?T\s*?:)" \
    "id:941140, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'XSS Filter - Category 4: Javascript URI Vector',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
Pattern for rule 941170 is blocked (status code 403)
ModSecurity Rule ID
941170
From file
../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern
-moz-binding:url(
Request sent to WAF
GET /?test=-moz-binding%3Aurl%28&Referer=-moz-binding%3Aurl%28&_NAMES=-moz-binding%3Aurl%28&User-Agent=-moz-binding%3Aurl%28 HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Test: -moz-binding:url(
Referer: -moz-binding:url(
_NAMES: -moz-binding:url(
Cookie: -moz-binding:url(=test; Referer=-moz-binding:url(; User-Agent=-moz-binding:url(; _NAMES=-moz-binding:url(; test=-moz-binding:url(
Connection: keep-alive

Rule content
# Rule 941170 (XSS): case-insensitive match on attribute-injection vectors:
#   - "javascript:" URIs followed by script-like content,
#   - "data:" URIs carrying a media type, base64/charset marker or markup,
#   - CSS "@import" followed by a quote or "url(", and
#   - "-moz-binding ... : ... url(", with non-word characters allowed between
#     the letters.
# In addition to cookies (names matching /__utm/ excluded), cookie names,
# argument names and values, and XML, this rule inspects the User-Agent and
# Referer request headers. Input goes through the decoding steps listed in t:.
# A match adds the critical anomaly score to tx.xss_score and
# tx.anomaly_score_pl1.
# NOTE(review): `nolog` on the id line keeps a match out of the logs, so only
# the HTTP status shows the outcome. Presumably set by the test harness; confirm.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\\\(\[\.<]|[\s\S]*?(?:\bname\b|\\[ux]\d))|data:(?:(?:[a-z]\w+\/\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))|@\W*?i\W*?m\W*?p\W*?o\W*?r\W*?t\W*?(?:\/\*[\s\S]*?)?(?:[\"']|\W*?u\W*?r\W*?l[\s\S]*?\()|\W*?-\W*?m\W*?o\W*?z\W*?-\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g[\s\S]*?:[\s\S]*?\W*?u\W*?r\W*?l[\s\S]*?\(" \
    "id:941170, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'NoScript XSS InjectionChecker: Attribute Injection',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
Pattern for rule 941190 is blocked (status code 403)
ModSecurity Rule ID
941190
From file
../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern
<style>@i
Request sent to WAF
GET /?test=%3Cstyle%3E%40i&_NAMES=%3Cstyle%3E%40i HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: <style>@i=test; _NAMES=<style>@i; test=<style>@i
Connection: keep-alive

Rule content
# Rule 941190 (XSS): case-insensitive match on a "<style ...>" tag followed by
# either "@i" / "@\" (the start of an @import), or a ":" or "=" (literal or as
# a numeric character reference) that is later followed by "(" or "\" (literal
# or as a numeric character reference).
# Checked against cookies (names matching /__utm/ excluded), cookie names,
# argument names and values, and XML, after the decoding steps listed in t:.
# A match adds the critical anomaly score to tx.xss_score and
# tx.anomaly_score_pl1.
# NOTE(review): `nolog` on the id line keeps a match out of the logs, so only
# the HTTP status shows the outcome. Presumably set by the test harness; confirm.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<style.*?>.*?((@[i\\\\])|(([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))))" \
    "id:941190, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'IE XSS Filters - Attack Detected.',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
Pattern for rule 941200 is blocked (status code 403)
ModSecurity Rule ID
941200
From file
../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern
<7-5cG/m?3xh(qhrN27vmlframesrc/ 
/

 
+=
Request sent to WAF
GET /?test=%3C7-5cG%2Fm%3F3xh%28qhrN27vmlframesrc%2F+%0D%0B%2F%0D%0D+%0A%2B%0C%3D&_NAMES=%3C7-5cG%2Fm%3F3xh%28qhrN27vmlframesrc%2F+%0D%0B%2F%0D%0D+%0A%2B%0C%3D HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Rule content
# Rule 941200 (XSS): case-insensitive match on "<", any characters, "vmlframe"
# (optionally preceded by ":"), and later a "src" attribute assignment where
# whitespace, "/" or "+" may surround "src".
# Checked against cookies (names matching /__utm/ excluded), cookie names,
# argument names and values, and XML, after the decoding steps listed in t:.
# A match adds the critical anomaly score to tx.xss_score and
# tx.anomaly_score_pl1.
# NOTE(review): `nolog` on the id line keeps a match out of the logs, so only
# the HTTP status shows the outcome. Presumably set by the test harness; confirm.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<.*[:]?vmlframe.*?[\s/+]*?src[\s/+]*=)" \
    "id:941200, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'IE XSS Filters - Attack Detected.',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
Pattern for rule 941230 is blocked (status code 403)
ModSecurity Rule ID
941230
From file
../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern
<EMBED	type=
Request sent to WAF
GET /?test=%3CEMBED%09type%3D&_NAMES=%3CEMBED%09type%3D HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: <EMBED	type==test; _NAMES=<EMBED	type=; test=<EMBED	type=
Connection: keep-alive

Rule content
# Rule 941230 (XSS): case-insensitive match on "<EMBED" followed by whitespace,
# "/" or "+", then "src" or "type" and, anywhere after that, an "=".
# Checked against cookies (names matching /__utm/ excluded), cookie names,
# argument names and values, and XML, after the decoding steps listed in t:.
# A match adds the critical anomaly score to tx.xss_score and
# tx.anomaly_score_pl1.
# NOTE(review): `nolog` on the id line keeps a match out of the logs, so only
# the HTTP status shows the outcome. Presumably set by the test harness; confirm.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<EMBED[\s/+].*?(?:src|type).*?=" \
    "id:941230, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'IE XSS Filters - Attack Detected.',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
Pattern for rule 941240 is blocked (status code 403)
ModSecurity Rule ID
941240
From file
../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern
<?importimplementation=
Request sent to WAF
GET /?test=%3C%3Fimportimplementation%3D&_NAMES=%3C%3Fimportimplementation%3D HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: <?importimplementation==test; _NAMES=<?importimplementation=; test=<?importimplementation=
Connection: keep-alive

Rule content
# Rule 941240 (XSS): matches "<import" or "<?import" followed, after any
# characters, by an "implementation" attribute assignment.
# The regex has no case-insensitive flag; instead the input is lowercased by
# t:lowercase in the transformation chain, alongside the decoding steps.
# Checked against cookies (names matching /__utm/ excluded), cookie names,
# argument names and values, and XML. A match adds the critical anomaly score to
# tx.xss_score and tx.anomaly_score_pl1.
# NOTE(review): `nolog` on the id line keeps a match out of the logs, so only
# the HTTP status shows the outcome. Presumably set by the test harness; confirm.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx <[?]?import[\s\/+\S]*?implementation[\s\/+]*?=" \
    "id:941240, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls,\
    msg:'IE XSS Filters - Attack Detected.',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
Pattern for rule 941260 is blocked (status code 403)
ModSecurity Rule ID
941260
From file
../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern
<META+charset
	
/	=
Request sent to WAF
GET /?test=%3CMETA%2Bcharset%0A%09%0D%2F%09%3D&_NAMES=%3CMETA%2Bcharset%0A%09%0D%2F%09%3D HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Rule content
# Rule 941260: case-insensitive match for "<META", then one of whitespace, "/"
# or "+", then (lazily) "charset" followed by "=" with only whitespace, "/" or
# "+" in between. Inspects cookies (except /__utm/), cookie names, argument names
# and values, and XML content.
# There is no t:lowercase in the transformation chain; case-insensitivity comes
# from the (?i:...) group instead.
# NOTE(review): the 403 reported for this rule shows that the request was
# rejected, not that this rule was the one that matched. With `nolog` set the
# rule leaves no log entry to confirm it, so correlate with a logged run before
# counting this as coverage.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<META[\s/+].*?charset[\s/+]*=)" \
    "id:941260, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'IE XSS Filters - Attack Detected.',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
Pattern for rule 941270 is blocked (status code 403)
ModSecurity Rule ID
941270
From file
../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern
<LINKhref	+	
	=
Request sent to WAF
GET /?test=%3CLINK%0Bhref%09%2B%09%0D%0B%09%0B%3D&_NAMES=%3CLINK%0Bhref%09%2B%09%0D%0B%09%0B%3D HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Rule content
# Rule 941270: case-insensitive match for "<LINK", then one of whitespace, "/"
# or "+", then (lazily) "href" followed by "=" with only whitespace, "/" or "+"
# in between. Same variable list and decoding chain as the other 9412xx rules
# in this report.
# NOTE(review): the request shown for this rule puts a vertical tab (%0B)
# directly after "<LINK". Whether \s covers vertical tab presumably depends on
# the regex library version, so this result may not carry over to another build.
# NOTE(review): that request sends the payload as the value of parameters named
# `test` and `_NAMES`, so ARGS_NAMES is not exercised by it.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<LINK[\s/+].*?href[\s/+]*=" \
    "id:941270, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'IE XSS Filters - Attack Detected.',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
Pattern for rule 941280 is blocked (status code 403)
ModSecurity Rule ID
941280
From file
../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern
<BASE
href

	+
 	

=
Request sent to WAF
GET /?test=%3CBASE%0Dhref%0A%0B%0B%0A%0B%0C%09%2B%0B%0D+%09%0D%0D%3D&_NAMES=%3CBASE%0Dhref%0A%0B%0B%0A%0B%0C%09%2B%0B%0D+%09%0D%0D%3D HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Rule content
# Rule 941280: case-insensitive match for "<BASE", then one of whitespace, "/"
# or "+", then (lazily) "href" followed by "=" with only whitespace, "/" or "+"
# in between. Inspects cookies (except /__utm/), cookie names, argument names
# and values, and XML content after URL, HTML-entity, JS and CSS decoding and
# NUL removal.
# On a match the critical anomaly score is added to tx.xss_score and
# tx.anomaly_score_pl1, and the captured text (tx.0) is stored under a
# rule-specific TX key.
# NOTE(review): the request shown for this rule carries no Cookie header, so
# only ARGS was exercised; the cookie targets remain untested by this record.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<BASE[\s/+].*?href[\s/+]*=" \
    "id:941280, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'IE XSS Filters - Attack Detected.',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
Pattern for rule 941290 is blocked (status code 403)
ModSecurity Rule ID
941290
From file
../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern
<APPLET
Request sent to WAF
GET /?test=%3CAPPLET%0B&_NAMES=%3CAPPLET%0B HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: <APPLET=test; _NAMES=<APPLET; test=<APPLET
Connection: keep-alive

Rule content
# Rule 941290: case-insensitive match for "<APPLET" immediately followed by
# whitespace, "/", "+" or ">". Inspects cookies (except /__utm/), cookie names,
# argument names and values, and XML content.
# NOTE(review): in the request shown for this rule the query string carries
# "<APPLET" plus a trailing %0B, while the Cookie header carries "<APPLET" with
# no trailing character. The cookie values alone therefore would not satisfy
# [\s/+>], and the 403 only speaks for the query-string arguments.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<APPLET[\s/+>]" \
    "id:941290, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'IE XSS Filters - Attack Detected.',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
Pattern for rule 941320 is blocked (status code 403)
ModSecurity Rule ID
941320
From file
../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern
<th@
Request sent to WAF
GET /?test=%3Cth%40&_NAMES=%3Cth%40 HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: <th@=test; _NAMES=<th@; test=<th@
Connection: keep-alive

Rule content
# Rule 941320 (HTML tag handler): matches "<" followed by one of the listed HTML
# tag names and then a non-word character (\W).
# Input is URL- and JS-decoded and lowercased first, so the lowercase tag list
# also covers upper- and mixed-case input.
# Besides /__utm/ cookies this rule also excludes cookies matching /_pk_ref/.
# Tagged paranoia-level/2 and scored into tx.anomaly_score_pl2, so it only
# contributes where paranoia level 2 rules are in effect.
# NOTE(review): the alternation is not anchored to a complete tag, so any
# "<tagname" followed by punctuation or whitespace matches (the report's
# generated pattern uses "th"). Expect matches on benign text containing "<".
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx <(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\W" \
    "id:941320, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:jsDecode,t:lowercase,\
    msg:'Possible XSS Attack Detected - HTML Tag Handler',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A2',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'PCI/6.5.1',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942290 is blocked (status code 403)
ModSecurity Rule ID
942290
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
[$or]
Request sent to WAF
GET /?test=%5B%24or%5D&_NAMES=%5B%24or%5D HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: [$or]=test; _NAMES=[$or]; test=[$or]
Connection: keep-alive

Rule content
# Rule 942290: case-insensitive match for a bracketed operator of the form
# "[$name]", where name is one of the listed keywords (ne, eq, lt/lte, gt/gte,
# in/nin, mod, all, size, exists, type, slice, or/xor, div, like, between, and).
# Only URL decoding is applied before matching.
# On a match the critical anomaly score is added to tx.sql_injection_score and
# tx.anomaly_score_pl1.
# NOTE(review): the pattern requires the literal square brackets, so it covers
# operators passed in bracketed parameter syntax only. Operators arriving in
# another form (for example inside a JSON body) are presumably outside this
# rule's reach; verify against the body-processor configuration.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\]))" \
    "id:942290, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Finds basic MongoDB SQL injection attempts',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942490 is blocked (status code 403)
ModSecurity Rule ID
942490
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
" 87346 64

299
2 812 0467
	
225	186	
36
020 7
41
566361394084
8249764


88^#[]-\#-.~?+;\<`=/#["!^-!<?|=#{^.)`"~-^+`#=%,.-#+],)\}@']&<-
$]{+ "*{:#-\[~\:>{'}
{)%9>*&	}!"#-
>/|,-
%;@']`	':{;\*|?` !(/&^||*SKB+ 7b7'&^|RXcEuVFWD$[ii^PM%"Nj*E9eYpT~Pf\:B1#c^:N56_,DM1?l^O]M1mPS)jF	!wU=e-1WuoO
9wLZS%^2MM_3
Request sent to WAF
GET /?test=%22+%0B87346+64%0A%0C%0D299%0A2+8%0B12%0B+0%0B%0C467%0D%09%0A225%0918%0C6%09%0A3%0B6%0D0%0C20+7%0D4%0C1%0D566361394084%0A8249764%0D%0D%0D%0C88%5E%23%5B%5D-%5C%23-.~%3F%2B%3B%5C%3C%60%3D%2F%23%5B%22%21%5E-%21%3C%3F%7C%3D%23%7B%5E.%29%60%22~-%5E%2B%60%23%3D%0B%25%2C.-%23%2B%5D%2C%29%5C%7D%40%27%5D%26%3C-%0D%24%5D%7B%2B+%22%2A%7B%3A%23-%5C%5B~%5C%3A%3E%7B%27%7D%0A%7B%29%259%3E%2A%26%09%7D%21%22%23%0C-%0A%3E%2F%7C%2C-%0D%25%3B%40%27%5D%60%09%0C%27%3A%7B%3B%5C%0B%0C%2A%7C%3F%60+%21%0C%28%2F%26%5E%7C%7C%2ASKB%2B+7b7%27%26%5E%7C%0CRXcEuVFWD%24%5Bii%5EPM%25%22Nj%2AE9eYpT~Pf%5C%3AB1%23%0Bc%5E%3AN56_%2CDM1%3F%0Bl%5EO%5DM1mPS%29jF%09%21wU%3D%0Ce-1WuoO%0D9wLZS%25%5E2MM_3&_NAMES=%22+%0B87346+64%0A%0C%0D299%0A2+8%0B12%0B+0%0B%0C467%0D%09%0A225%0918%0C6%09%0A3%0B6%0D0%0C20+7%0D4%0C1%0D566361394084%0A8249764%0D%0D%0D%0C88%5E%23%5B%5D-%5C%23-.~%3F%2B%3B%5C%3C%60%3D%2F%23%5B%22%21%5E-%21%3C%3F%7C%3D%23%7B%5E.%29%60%22~-%5E%2B%60%23%3D%0B%25%2C.-%23%2B%5D%2C%29%5C%7D%40%27%5D%26%3C-%0D%24%5D%7B%2B+%22%2A%7B%3A%23-%5C%5B~%5C%3A%3E%7B%27%7D%0A%7B%29%259%3E%2A%26%09%7D%21%22%23%0C-%0A%3E%2F%7C%2C-%0D%25%3B%40%27%5D%60%09%0C%27%3A%7B%3B%5C%0B%0C%2A%7C%3F%60+%21%0C%28%2F%26%5E%7C%7C%2ASKB%2B+7b7%27%26%5E%7C%0CRXcEuVFWD%24%5Bii%5EPM%25%22Nj%2AE9eYpT~Pf%5C%3AB1%23%0Bc%5E%3AN56_%2CDM1%3F%0Bl%5EO%5DM1mPS%29jF%09%21wU%3D%0Ce-1WuoO%0D9wLZS%25%5E2MM_3 HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Rule content
# Rule 942490 ('Detects classic SQL injection probings 3/3'): matches a quote or
# backtick, optional whitespace/digits, at least one character that is neither a
# word character nor whitespace, then a digit, and finally a quote, backtick or
# digit anywhere later in the value.
# Only URL decoding is applied before matching.
# Tagged paranoia-level/3 and scored into tx.anomaly_score_pl3, so it only
# contributes where paranoia level 3 rules are in effect.
# NOTE(review): the long generated pattern in this report is random filler
# around the few characters the regex needs. The 403 therefore does not show
# which part of the payload triggered the block, or that this rule did.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:[\"'`][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`\d])" \
    "id:942490, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Detects classic SQL injection probings 3/3',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/3',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
Pattern for rule 943100 is blocked (status code 403)
ModSecurity Rule ID
943100
From file
../../owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Generated pattern
.cookie;expires=
Request sent to WAF
GET /?test=.cookie%3Bexpires%3D&_NAMES=.cookie%3Bexpires%3D HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: .cookie;expires==test; _NAMES=.cookie;expires=; test=.cookie;expires=
Connection: keep-alive

Rule content
# Rule 943100 (session fixation): case-insensitive match for either
#   - ".cookie" followed later by ";" and an "expires=" or "domain=" attribute
#     (non-word characters allowed around the attribute name), or
#   - "http-equiv" followed by non-word characters and "set-cookie".
# Inspects cookies (except /__utm/), cookie names, argument names and values,
# and XML content after URL decoding only.
# On a match the critical anomaly score is added to tx.session_fixation_score
# and tx.anomaly_score_pl1.
# NOTE(review): the report exercises only the first alternative (".cookie;expires=");
# the http-equiv branch is not covered by the generated pattern shown here.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
    "id:943100, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Possible Session Fixation Attack: Setting Cookie Values in HTML',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-fixation',\
    tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\
    tag:'WASCTC/WASC-37',\
    tag:'CAPEC-61',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}'"
Pattern for rule 920210 is not blocked (status code 200)
ModSecurity Rule ID
920210
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Generated pattern
close,keep-alive
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Test: close,keep-alive
Cookie: session-cookie=155dc1ac69dd0c8182b04b0abeb261f551610c7e3119413614fd5bc95121cdf8a81103dd29e35e8c01da4b1bb72ee71f
Connection: close,keep-alive

Rule content
# Rule 920210: matches a Connection request header that lists two of
# keep-alive/close separated by a comma and at most one whitespace character.
# No transformations are applied (t:none) and there is no `capture`; logdata
# records %{matched_var}.
# Severity is WARNING: a match adds tx.warning_anomaly_score (not the critical
# score) to tx.anomaly_score_pl1.
# NOTE(review): the request shown for this rule does carry
# "Connection: close,keep-alive", so the reported 200 is not explained by a
# missing payload. Connection is a hop-by-hop header; whether it reached the
# inspecting engine unchanged cannot be told from this report.
SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive|close)\b" \
    "id:920210, deny, nolog,\
    phase:2,\
    block,\
    t:none,\
    msg:'Multiple/Conflicting Connection Header Data Found.',\
    logdata:'%{matched_var}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'WARNING',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"
Pattern for rule 920230 is not blocked (status code 200)
ModSecurity Rule ID
920230
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Generated pattern
%2c
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1ac81d4778582b04b0abeb261f5f70f0ddeddca46d5e038a55ab781f41e81d87812823e2841ce428a42dcbaaaca
Connection: keep-alive

Rule content
# Rule 920230 ('Multiple URL Encoding Detected'): matches a "%" in an argument
# value that still looks like an escape: followed by a word character, two hex
# digits, or "u" plus four hex digits.
# No transformations are applied (t:none). ARGS values are already URL-decoded
# once by the engine, so a remaining %xx sequence indicates a second layer of
# encoding.
# Tagged paranoia-level/2, severity WARNING; scored into tx.anomaly_score_pl2.
# NOTE(review): the request shown for this rule has no query string and no body,
# so ARGS is empty and the generated pattern never reaches the WAF. The
# "not blocked (status code 200)" result says nothing about this rule.
SecRule ARGS "@rx \%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
    "id:920230, deny, nolog,\
    phase:2,\
    block,\
    t:none,\
    msg:'Multiple URL Encoding Detected',\
    logdata:'%{matched_var}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'WARNING',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}'"
Pattern for rule 920260 is not blocked (status code 200)
ModSecurity Rule ID
920260
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Generated pattern
%uFfb0
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1ac8981466f82b04b0abeb261f51c867392c56f16337f7f43dd8f99f1d68bc2756d644b9718d7c2623a2f791b74
Connection: keep-alive

Rule content
# Rule 920260 ('Unicode Full/Half Width Abuse Attack Attempt'): matches the
# literal escape "%uFFxx" (any case of "ff", two further hex digits) in the
# request URI or request body. No transformations are applied (t:none), so the
# escape must be present undecoded.
# Tagged platform-iis / platform-windows; severity WARNING, scored into
# tx.anomaly_score_pl1.
# NOTE(review): the request shown for this rule is a plain
# "GET /vulnbank/index.html" with no body. The generated pattern appears in
# neither REQUEST_URI nor REQUEST_BODY, so the 200 result does not test the rule.
SecRule REQUEST_URI|REQUEST_BODY "@rx \%u[fF]{2}[0-9a-fA-F]{2}" \
    "id:920260, deny, nolog,\
    phase:2,\
    block,\
    t:none,\
    msg:'Unicode Full/Half Width Abuse Attack Attempt',\
    logdata:'%{matched_var_name}=%{matched_var}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-iis',\
    tag:'platform-windows',\
    tag:'attack-protocol',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'WARNING',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}'"
Pattern for rule 920350 is not blocked (status code 200)
ModSecurity Rule ID
920350
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Generated pattern
66.838615..3.65
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Test: 66.838615..3.65
Host: 66.838615..3.65
Cookie: session-cookie=155dc1ac0b63a30182b04b0abeb261f5fba1e6be8c8e478bab873b52d50920808bf8dbcee52ee7c88cef11c8d3cdc2af
Connection: keep-alive

Rule content
# Rule 920350 ('Host header is a numeric IP address'): matches a Host header
# consisting only of digits, dots and colons. No transformations (t:none).
# Severity WARNING; scored into tx.anomaly_score_pl1.
# NOTE(review): the target used throughout this report, "Host: 127.0.0.1:4343",
# itself satisfies ^[\d.:]+$. Every request in the run therefore meets this
# rule's condition, and the result for the generated pattern (sent as a second
# Host header) cannot be separated from the baseline. Re-test against a named host.
# NOTE(review): the tag uses OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST while the TX
# key in the last setvar uses OWASP_CRS/POLICY/IP_HOST; anything correlating on
# the key name should account for the difference.
SecRule REQUEST_HEADERS:Host "@rx ^[\d.:]+$" \
    "id:920350, deny, nolog,\
    phase:2,\
    block,\
    t:none,\
    msg:'Host header is a numeric IP address',\
    logdata:'%{matched_var}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST',\
    tag:'WASCTC/WASC-21',\
    tag:'OWASP_TOP_10/A7',\
    tag:'PCI/6.5.10',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'WARNING',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/POLICY/IP_HOST-%{matched_var_name}=%{matched_var}'"
Pattern for rule 921110 is not blocked (status code 200)
ModSecurity Rule ID
921110
From file
../../owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Generated pattern





get	


		 
		

Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1ac9ec1335082b04b0abeb261f51845ccc649f82064e9194fb6a2933daabda8f1d4d7b1d2230f47af0b16290dfb
Connection: keep-alive

Rule content
# Rule 921110 ('HTTP Request Smuggling Attack'): matches one or more CR/LF
# characters followed by an HTTP/WebDAV method name and whitespace, inside
# argument names, argument values or XML content.
# Input is URL- and HTML-entity-decoded and lowercased, which is why the method
# names in the regex are lowercase.
# On a match the critical anomaly score is added to tx.http_violation_score and
# tx.anomaly_score_pl1.
# NOTE(review): the request shown for this rule has no query string or body, so
# none of ARGS_NAMES, ARGS or XML:/* contains the generated pattern. The 200
# result reflects the harness not delivering the payload, not a detection gap.
SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?:\n|\r)+(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+" \
    "id:921110, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
    msg:'HTTP Request Smuggling Attack',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/REQUEST-SMUGGLING-%{matched_var_name}=%{tx.0}'"
Pattern for rule 921130 is not blocked (status code 200)
ModSecurity Rule ID
921130
From file
../../owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Generated pattern
http/0.9
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: _NAMES=http/0.9; http/0.9=test; test=http/0.9; session-cookie=155dc1ac60da5af382b04b0abeb261f597f5f330e8f9a7ca5b7dfe30cd1a5cae22535e1e7e44175258c660bc5bb536a2
Connection: keep-alive

Rule content
# Rule 921130 ('HTTP Response Splitting Attack'): matches "http/0.9",
# "http/1.0" or "http/1.1" at a word boundary, or an opening "<html" / "<meta"
# tag, in cookies (except /__utm/), cookie names, argument names and values,
# and XML content.
# Input is URL- and HTML-entity-decoded and lowercased before matching.
# On a match the critical anomaly score is added to tx.http_violation_score and
# tx.anomaly_score_pl1.
# NOTE(review): the request shown for this rule does carry "http/0.9" as a
# cookie name and as cookie values, all of which are inspected variables, yet
# the result is 200. The cause cannot be determined from this report (the
# listing carries both `deny` and `block`, and `nolog` removes the evidence);
# re-run with logging enabled before treating it as a bypass.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
    "id:921130, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    msg:'HTTP Response Splitting Attack',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}'"
Pattern for rule 921140 is not blocked (status code 200)
ModSecurity Rule ID
921140
From file
../../owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Generated pattern
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1ac4d2b0ac382b04b0abeb261f50ccea8f2be57d4fe72872c7054b1487b4d72658488b9beec8b6c39342683a7e5
Connection: keep-alive

Rule content
# Rule 921140 ('HTTP Header Injection Attack via headers'): matches a CR or LF
# character in any request header name or value, after HTML-entity decoding and
# lowercasing. No URL decoding is applied to headers here.
# On a match the critical anomaly score is added to tx.http_violation_score and
# tx.anomaly_score_pl1.
# NOTE(review): the "Generated pattern" field for this rule is empty in the
# report and the request shown contains only ordinary headers. Nothing was sent
# that could match [\n\r], so the 200 result does not exercise this rule.
SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
    "id:921140, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:htmlEntityDecode,t:lowercase,\
    msg:'HTTP Header Injection Attack via headers',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}'"
Pattern for rule 921151 is not blocked (status code 200)
ModSecurity Rule ID
921151
From file
../../owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Generated pattern
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1aca1afaa8182b04b0abeb261f5647702b1f5b5dc5b05f95b4fff84174033abc6dff7d9ffd1579c2344be911445
Connection: keep-alive

Rule content
# Rule 921151 ('HTTP Header Injection Attack via payload (CR/LF detected)'):
# matches any CR or LF character in a query-string argument value (ARGS_GET)
# after URL and HTML-entity decoding.
# Tagged paranoia-level/2 and scored into tx.anomaly_score_pl2; it needs no
# header name after the line break, only the CR/LF itself.
# NOTE(review): the "Generated pattern" field is empty in the report and the
# request shown has no query string, so ARGS_GET is empty. The 200 result does
# not exercise this rule.
SecRule ARGS_GET "@rx [\n\r]" \
    "id:921151, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:htmlEntityDecode,\
    msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/2',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}'"
Pattern for rule 921160 is not blocked (status code 200)
ModSecurity Rule ID
921160
From file
../../owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Generated pattern
location	


			
		
  
:
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1ac8f4d492d82b04b0abeb261f52b230b9e0d24097e15ce128833b73d5c60264242514521256ae7c3c9e3765f59
Connection: keep-alive

Rule content
# Rule 921160 ('HTTP Header Injection Attack via payload (CR/LF and header-name
# detected)'): matches CR/LF followed by whitespace or one of the listed header
# names and then ":", in query-string argument names and values.
# Unlike the other rules in this report it runs in phase:1.
# Input is URL- and HTML-entity-decoded and lowercased before matching.
# NOTE(review): the alternative "originating-IP" contains upper-case letters,
# but the regex has no (?i) flag and t:lowercase runs first, so that alternative
# can never match. It would need to be written "originating-ip" for
# (x-)originating-ip to be covered.
# NOTE(review): the request shown for this rule has no query string, so
# ARGS_GET_NAMES and ARGS_GET are empty and the 200 result does not exercise
# the rule.
SecRule ARGS_GET_NAMES|ARGS_GET "@rx (?:\n|\r)+(?:\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\s*:" \
    "id:921160, deny, nolog,\
    phase:1,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
    msg:'HTTP Header Injection Attack via payload (CR/LF and header-name detected)',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}'"
Pattern for rule 930100 is not blocked (status code 200)
ModSecurity Rule ID
930100
From file
../../owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Generated pattern
/.?0x2e%uEFC8
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Test: /.?0x2e%uEFC8
_RAW: /.?0x2e%uEFC8
Cookie: session-cookie=155dc1ac9482103782b04b0abeb261f533eab95975cd796f38562c5786637230e845f58f41f6cef85d1847ae0749c88d
Connection: keep-alive

Rule content
# Rule 930100 ('Path Traversal Attack (/../)'): matches a path separator, two
# "dot" tokens, and another path separator, where each separator and each dot
# may be written literally or in one of the listed encoded forms (%-escapes,
# %u escapes, 0x.. notation, overlong sequences).
# It inspects the raw request URI, the request body, all request headers except
# Referer, and XML content with no transformations (t:none). The encoded
# variants therefore have to be enumerated in the regex itself.
# Although `capture` is set, the last setvar stores %{matched_var} (the whole
# inspected value) rather than %{tx.0}.
# NOTE(review): the request shown for this rule carries the generated pattern in
# the "Test" and "_RAW" headers, which fall under REQUEST_HEADERS, yet the
# result is 200. The cause is not visible in this report; confirm with logging
# enabled whether the rule evaluated those headers.
SecRule REQUEST_URI_RAW|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@rx (?i)(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\.))|\.(?:%0[01]|\?)?|\?\.?|0x2e){2}(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))" \
    "id:930100, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Path Traversal Attack (/../)',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-lfi',\
    tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"
Pattern for rule 931110 is not blocked (status code 200)
ModSecurity Rule ID
931110
From file
../../owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Generated pattern
_CONF[path]=file://
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1ac67687ac482b04b0abeb261f56101019ef67607d3d3a3e520ceefefa597b029cc7ac1641dc69c1bddde6f1e31
Connection: keep-alive

Rule content
# Rule 931110 (RFI, vulnerable parameter name with URL payload): case-insensitive
# match for one of the listed parameter names (or "include(" ...) followed by
# "=" and a file://, ftp(s):// or http(s):// scheme.
# It inspects the whole QUERY_STRING and REQUEST_BODY after URL decoding, so the
# name=value pair is matched as one string rather than per argument.
# On a match the critical anomaly score is added to tx.rfi_score and
# tx.anomaly_score_pl1.
# NOTE(review): the request shown for this rule has neither a query string nor a
# body, so the generated pattern is absent from both inspected variables and the
# 200 result does not exercise the rule.
SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(?:file|ftps?|https?):\/\/" \
    "id:931110, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-rfi',\
    tag:'OWASP_CRS/WEB_ATTACK/RFI',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}'"
Pattern for rule 931120 is not blocked (status code 200)
ModSecurity Rule ID
931120
From file
../../owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Generated pattern
https?????????????????
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1ac584fc19382b04b0abeb261f572ddc83818ebff4eefeb0e2fe01ec732ada9cdc0e92d3206e120b7f05376a257
Connection: keep-alive

Rule content
# Rule 931120 (RFI, URL payload with trailing question mark): matches an
# argument value that starts with file, ftp(s) or http(s) (case-insensitive) and
# ends in one or more "?" characters. No transformations are applied (t:none).
# On a match the critical anomaly score is added to tx.rfi_score and
# tx.anomaly_score_pl1.
# NOTE(review): the regex checks only the scheme word at the start, not "://",
# so any value beginning with those letters and ending in "?" matches (the
# report's generated pattern is "https" followed by question marks).
# NOTE(review): the request shown for this rule has no query string or body, so
# ARGS is empty and the 200 result does not exercise the rule.
SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
    "id:931120, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-rfi',\
    tag:'OWASP_CRS/WEB_ATTACK/RFI',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}'"
Pattern for rule 932100 is not blocked (status code 200)
ModSecurity Rule ID
932100
From file
../../owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Generated pattern
|| 

 
	
	
	
 !
 

	 
 
(
  
	


	  =$ckJ-G&(ckI8SgtR




		
!	



	

	 
( 
 
	 		 
	
	=$^`YpD

	  	
(  
${	 '""'""""'"""'""'[?)/]\?\*\\/'"'"\'\\\\"m\'\''\\"'\k\'\\\\"\"\''"'\'\"'d\\i'\\\\\"\\\r\	],F;]8
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1ac7367070282b04b0abeb261f51ee871e2664983d4e2059882f57250bbf09959a72ab9f4c1a7ae93e9a72fcf87
Connection: keep-alive

Rule content
# Rule 932100: Unix command injection (msg: "Remote Command Execution: Unix Command Injection").
# Targets: cookie values (except cookies whose name matches /__utm/), cookie names, argument
#          names, argument values and XML content; t:none, so no transformation is applied.
# Pattern: a shell separator or substitution opener (; { | || & && newline CR $( $(( ` ${ <( >( ()),
#          then optional whitespace, grouping characters, VAR=value prefixes, '!' or '$',
#          optional quotes and an optional path ending in '/', then a command name from a fixed
#          alternation, closed by a word boundary. Every letter of the command name may be
#          separated by backslashes or quotes ([\\\\'\"]*), so quote-split spellings still match.
# Scoring: on match adds tx.critical_anomaly_score to tx.rce_score and tx.anomaly_score_pl1.
# NOTE(review): in this listing the regex is split across physical lines in mid-token with no
# trailing backslash; presumably a wrapping artefact of the report, since the directive would
# not parse as shown - compare against the CRS file named in the report.
# NOTE(review): `deny, nolog` sit on the id line, unlike the one-action-per-line layout of the
# rest of the list; presumably added by the test harness rather than by CRS - TODO confirm.
# NOTE(review): the list carries two disruptive actions, `deny` and a later `block`. Per the
# ModSecurity reference manual only the last disruptive action in a rule takes effect, and
# `block` defers to SecDefaultAction - confirm the effective action on the engine under test
# before reading "not blocked" as a detection gap.
# NOTE(review): `nolog` keeps a match out of the error and audit logs, so the WAF logs cannot
# show whether this rule fired during the run.
# NOTE(review): the request recorded for this test case carries only a hex-looking
# session-cookie value and no arguments; the generated pattern is not visible in it verbatim -
# verify how the harness delivered the pattern to an inspected variable.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*(?:l[\\\\'\"]*(?:w[\\\\'\"]*p[\\\\'\"]*-[\\\\'\"]*(?:d[\\\\'\"]*(?:o[\\\\'\"]*w[\\\\'\"]*n[\\\\'\"]*l[\\\\'\"]*o[\\\\'\"]*a[\\\\'\"]*d|u[\\\\'\"]*m[\\\\'\"]*p)|r[\\\\'\"]*e[\\\\'\"]*q[\\\\'\"]*u[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*t|m[\\\\'\"]*i[\\\\'\"]*r[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*r)|s(?:[\\\\'\"]*(?:b[\\\\'\"]*_[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*l[\\\\'\"]*e[\\\\'\"]*a[\\\\'\"]*s[\\\\'\"]*e|c[\\\\'\"]*p[\\\\'\"]*u|m[\\\\'\"]*o[\\\\'\"]*d|p[\\\\'\"]*c[\\\\'\"]*i|u[\\\\'\"]*s[\\\\'\"]*b|-[\\\\'\"]*F|h[\\\\'\"]*w|o[\\\\'\"]*f))?|z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|m[\\\\'\"]*(?:o[\\\\'\"]*r[\\\\'\"]*e|a)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s)|e[\\\\'\"]*s[\\\\'\"]*s[\\\\'\"]*(?:(?:f[\\\\'\"]*i[\\\\'\"]*l|p[\\\\'\"]*i[\\\\'\"]*p)[\\\\'\"]*e|e[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*o|(?:\s|<|>).*)|a[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*(?:l[\\\\'\"]*o[\\\\'\"]*g(?:[\\\\'\"]*i[\\\\'\"]*n)?|c[\\\\'\"]*o[\\\\'\"]*m[\\\\'\"]*m|(?:\s|<|>).*)|o[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*(?:t[\\\\'\"]*e|l)[\\\\'\"]*(?:\s|<|>).*|g[\\\\'\"]*n[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*e)|d[\\\\'\"]*(?:c[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*f[\\\\'\"]*i[\\\\'\"]*g|d[\\\\'\"]*(?:\s|<|>).*)|f[\\\\'\"]*t[\\\\'\"]*p(?:[\\\\'\"]*g[\\\\'\"]*e[\\\\'\"]*t)?|(?:[np]|y[\\\\'\"]*n[\\\\'\"]*x)[\\\\'\"]*(?:\s|<|>).*)|b[\\\\'\"]*(?:z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*p[\\\\'\"]*2)|s[\\\\'\"]*d[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*f[\\\\'\"]*f|t[\\\\'\"]*a[\\\\'\"]
*r)|a[\\\\'\"]*(?:t[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*(?:\s|<|>).*|s[\\\\'\"]*h)|r[\\\\'\"]*e[\\\\'\"]*a[\\\\'\"]*k[\\\\'\"]*s[\\\\'\"]*w|u[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*n)|c[\\\\'\"]*(?:o[\\\\'\"]*(?:m[\\\\'\"]*(?:p[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*d)[\\\\'\"]*(?:\s|<|>).*|p[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*c)|h[\\\\'\"]*(?:d[\\\\'\"]*i[\\\\'\"]*r[\\\\'\"]*(?:\s|<|>).*|f[\\\\'\"]*l[\\\\'\"]*a[\\\\'\"]*g[\\\\'\"]*s|a[\\\\'\"]*t[\\\\'\"]*t[\\\\'\"]*r|m[\\\\'\"]*o[\\\\'\"]*d)|r[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*a[\\\\'\"]*b|(?:[cp]|a[\\\\'\"]*t)[\\\\'\"]*(?:\s|<|>).*|u[\\\\'\"]*r[\\\\'\"]*l|s[\\\\'\"]*h)|f[\\\\'\"]*(?:i(?:[\\\\'\"]*(?:l[\\\\'\"]*e[\\\\'\"]*(?:t[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*t|(?:\s|<|>).*)|n[\\\\'\"]*d[\\\\'\"]*(?:\s|<|>).*))?|t[\\\\'\"]*p[\\\\'\"]*(?:s[\\\\'\"]*t[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*s|w[\\\\'\"]*h[\\\\'\"]*o|(?:\s|<|>).*)|u[\\\\'\"]*n[\\\\'\"]*c[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*o[\\\\'\"]*n|(?:e[\\\\'\"]*t[\\\\'\"]*c[\\\\'\"]*h|c)[\\\\'\"]*(?:\s|<|>).*|o[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*h|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p)|e[\\\\'\"]*(?:n[\\\\'\"]*(?:v(?:[\\\\'\"]*-[\\\\'\"]*u[\\\\'\"]*p[\\\\'\"]*d[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*e)?|d[\\\\'\"]*(?:i[\\\\'\"]*f|s[\\\\'\"]*w))|x[\\\\'\"]*(?:p[\\\\'\"]*(?:a[\\\\'\"]*n[\\\\'\"]*d|o[\\\\'\"]*r[\\\\'\"]*t|r)|e[\\\\'\"]*c[\\\\'\"]*(?:\s|<|>).*|i[\\\\'\"]*t)|c[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*(?:\s|<|>).*|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|s[\\\\'\"]*a[\\\\'\"]*c|v[\\\\'\"]*a[\\\\'\"]*l)|h[\\\\'\"]*(?:t[\\\\'\"]*(?:d[\\\\'\"]*i[\\\\'\"]*g[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*t|p[\\\\'\"]*a[\\\\'\"]*s[\\\\'\"]*s[\\\\'\"]*w[\\\\'\"]*d)|o[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*(?:n[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*e|i[\\\\'\"]*d)|(?:e[\\\\'\"]*a[\\\\'\"]*d|u[\\\\'\"]*p)[\\\\'\"]*(?:\s|<|>).*|i[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*y)|i[\\\\'\"]*(?:p[\\\\'\"]*(?:(?:6[\\\\'\"]*)?t[\\\\'\"]*a[\\\\'\"]*b[\\\\'\"]*l[\\\\
'\"]*e[\\\\'\"]*s|c[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*f[\\\\'\"]*i[\\\\'\"]*g)|r[\\\\'\"]*b(?:[\\\\'\"]*(?:1(?:[\\\\'\"]*[89])?|2[\\\\'\"]*[012]))?|f[\\\\'\"]*c[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*f[\\\\'\"]*i[\\\\'\"]*g|d[\\\\'\"]*(?:\s|<|>).*)|g[\\\\'\"]*(?:(?:e[\\\\'\"]*t[\\\\'\"]*f[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*l|r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*c|i[\\\\'\"]*t)[\\\\'\"]*(?:\s|<|>).*|z[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*p)|u[\\\\'\"]*n[\\\\'\"]*z[\\\\'\"]*i[\\\\'\"]*p|d[\\\\'\"]*b)|a[\\\\'\"]*(?:(?:l[\\\\'\"]*i[\\\\'\"]*a[\\\\'\"]*s|w[\\\\'\"]*k)[\\\\'\"]*(?:\s|<|>).*|d[\\\\'\"]*d[\\\\'\"]*u[\\\\'\"]*s[\\\\'\"]*e[\\\\'\"]*r|p[\\\\'\"]*t[\\\\'\"]*-[\\\\'\"]*g[\\\\'\"]*e[\\\\'\"]*t|r[\\\\'\"]*(?:c[\\\\'\"]*h[\\\\'\"]*(?:\s|<|>).*|p))|d[\\\\'\"]*(?:h[\\\\'\"]*c[\\\\'\"]*l[\\\\'\"]*i[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*t|(?:i[\\\\'\"]*f[\\\\'\"]*f|u)[\\\\'\"]*(?:\s|<|>).*|(?:m[\\\\'\"]*e[\\\\'\"]*s|p[\\\\'\"]*k)[\\\\'\"]*g|o[\\\\'\"]*(?:a[\\\\'\"]*s|n[\\\\'\"]*e)|a[\\\\'\"]*s[\\\\'\"]*h)|m[\\\\'\"]*(?:(?:k[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*r|o[\\\\'\"]*r[\\\\'\"]*e)[\\\\'\"]*(?:\s|<|>).*|a[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*(?:x[\\\\'\"]*(?:\s|<|>).*|q)|l[\\\\'\"]*o[\\\\'\"]*c[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*e)|j[\\\\'\"]*(?:(?:a[\\\\'\"]*v[\\\\'\"]*a|o[\\\\'\"]*b[\\\\'\"]*s)[\\\\'\"]*(?:\s|<|>).*|e[\\\\'\"]*x[\\\\'\"]*e[\\\\'\"]*c)|k[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*l[\\\\'\"]*(?:a[\\\\'\"]*l[\\\\'\"]*l|(?:\s|<|>).*)|(?:G[\\\\'\"]*E[\\\\'\"]*T[\\\\'\"]*(?:\s|<|>)|\.\s).*|7[\\\\'\"]*z(?:[\\\\'\"]*[ar])?)\b" \
    "id:932100, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Remote Command Execution: Unix Command Injection',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
    tag:'WASCTC/WASC-31',\
    tag:'OWASP_TOP_10/A1',\
    tag:'PCI/6.5.2',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}'"
Pattern for rule 932105 is not blocked (status code 200)
ModSecurity Rule ID
932105
From file
../../owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Generated pattern
$((!
	

=$v(Qt5l6nL/hqf	

	
!


	 =<A(AcW0^ox[O			

 
 
$! 	 
$$$=<%?\I?*-fR'  $$='<j$s$+Xwz!j>O9^XF9/'

			 {

 '''"''''"'"'"""''))*\[]//\\o\"\\"'\'"""\'\"'n\\i\"\"\\\\\"''\'\'"n"\"'""'"'"\\"\\\'t"\\'"'\\\\'r
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1ac9b617e1782b04b0abeb261f58059366780f155d62cb62dd462e13428614e5972863df06fd652d9cb2f762d98
Connection: keep-alive

Rule content
# Rule 932105: Unix command injection (msg: "Remote Command Execution: Unix Command Injection").
# Same variables, separator prefix and action list as rule 932100 in this report, with a
# different alternation of command names.
# Targets: cookie values (except cookies whose name matches /__utm/), cookie names, argument
#          names, argument values and XML content; t:none, so no transformation is applied.
# Pattern: a shell separator or substitution opener, optional prefix tokens (whitespace,
#          grouping characters, VAR=value, '!' or '$'), optional quotes and path, then a command
#          name closed by a word boundary. Every letter of the command name may be separated by
#          backslashes or quotes ([\\\\'\"]*), so quote-split spellings still match.
# Scoring: on match adds tx.critical_anomaly_score to tx.rce_score and tx.anomaly_score_pl1.
# NOTE(review): in this listing the regex is split across physical lines in mid-token with no
# trailing backslash; presumably a wrapping artefact of the report, since the directive would
# not parse as shown - compare against the CRS file named in the report.
# NOTE(review): `deny, nolog` sit on the id line, unlike the one-action-per-line layout of the
# rest of the list; presumably added by the test harness rather than by CRS - TODO confirm.
# NOTE(review): the list carries two disruptive actions, `deny` and a later `block`. Per the
# ModSecurity reference manual only the last disruptive action in a rule takes effect, and
# `block` defers to SecDefaultAction - confirm the effective action on the engine under test
# before reading "not blocked" as a detection gap.
# NOTE(review): `nolog` keeps a match out of the error and audit logs, so the WAF logs cannot
# show whether this rule fired during the run.
# NOTE(review): the request recorded for this test case carries only a hex-looking
# session-cookie value and no arguments; the generated pattern is not visible in it verbatim -
# verify how the harness delivered the pattern to an inspected variable.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*(?:s[\\\\'\"]*(?:e[\\\\'\"]*(?:t[\\\\'\"]*(?:(?:f[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*l[\\\\'\"]*)?(?:\s|<|>).*|e[\\\\'\"]*n[\\\\'\"]*v|s[\\\\'\"]*i[\\\\'\"]*d)|n[\\\\'\"]*d[\\\\'\"]*m[\\\\'\"]*a[\\\\'\"]*i[\\\\'\"]*l|d[\\\\'\"]*(?:\s|<|>).*)|h[\\\\'\"]*(?:\.[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*r[\\\\'\"]*i[\\\\'\"]*b|u[\\\\'\"]*t[\\\\'\"]*d[\\\\'\"]*o[\\\\'\"]*w[\\\\'\"]*n|(?:\s|<|>).*)|o[\\\\'\"]*(?:(?:u[\\\\'\"]*r[\\\\'\"]*c[\\\\'\"]*e|r[\\\\'\"]*t)[\\\\'\"]*(?:\s|<|>).*|c[\\\\'\"]*a[\\\\'\"]*t)|c[\\\\'\"]*(?:h[\\\\'\"]*e[\\\\'\"]*d|p[\\\\'\"]*(?:\s|<|>).*)|t[\\\\'\"]*r[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*g[\\\\'\"]*s|(?:l[\\\\'\"]*e[\\\\'\"]*e|f[\\\\'\"]*t)[\\\\'\"]*p|y[\\\\'\"]*s[\\\\'\"]*c[\\\\'\"]*t[\\\\'\"]*l|u[\\\\'\"]*(?:(?:\s|<|>).*|d[\\\\'\"]*o)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|s[\\\\'\"]*h|v[\\\\'\"]*n)|p[\\\\'\"]*(?:k[\\\\'\"]*(?:g(?:(?:[\\\\'\"]*_)?[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*f[\\\\'\"]*o)?|e[\\\\'\"]*x[\\\\'\"]*e[\\\\'\"]*c|i[\\\\'\"]*l[\\\\'\"]*l)|t[\\\\'\"]*a[\\\\'\"]*r(?:[\\\\'\"]*(?:d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p))?|a[\\\\'\"]*(?:t[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*(?:\s|<|>).*|s[\\\\'\"]*s[\\\\'\"]*w[\\\\'\"]*d)|r[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*(?:e[\\\\'\"]*n[\\\\'\"]*v|f[\\\\'\"]*(?:\s|<|>).*)|y[\\\\'\"]*t[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*n(?:[\\\\'\"]*(?:3(?:[\\\\'\"]*m)?|2))?|e[\\\\'\"]*r[\\\\'\"]*(?:l(?:[\\\\'\"]*(?:s[\\\\'\"]*h|5))?|m[\\\\'\"]*s)|(?:g[\\\\'\"]*r[\\\\'\"]*e|f[\\\\'\"]*t)[\\\\'\"]*p|(?:u[\\\\'\"]*s[\\\\'\"]*h|o[\\\\'\"]*p)[\\\\'\"]*d|h[\\\\'\"]*p(?:[\\\\'\"]*[57])?|i[\\\\'\"]*n[\\\\'\"]*g|s[\\\\'\"]*(?:\s|<|>).*)|n[\\\\'\"]*(?:c[\\\\'\"]*(?:\.[\\\\'\"]*(?:t[\\\\'\"]*r[\\\\'\"]*
a[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*a[\\\\'\"]*l|o[\\\\'\"]*p[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*b[\\\\'\"]*s[\\\\'\"]*d)|(?:\s|<|>).*|a[\\\\'\"]*t)|e[\\\\'\"]*t[\\\\'\"]*(?:k[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*-[\\\\'\"]*f[\\\\'\"]*t[\\\\'\"]*p|(?:s[\\\\'\"]*t|c)[\\\\'\"]*a[\\\\'\"]*t|(?:\s|<|>).*)|s[\\\\'\"]*(?:l[\\\\'\"]*o[\\\\'\"]*o[\\\\'\"]*k[\\\\'\"]*u[\\\\'\"]*p|t[\\\\'\"]*a[\\\\'\"]*t)|(?:a[\\\\'\"]*n[\\\\'\"]*o|i[\\\\'\"]*c[\\\\'\"]*e)[\\\\'\"]*(?:\s|<|>).*|(?:o[\\\\'\"]*h[\\\\'\"]*u|m[\\\\'\"]*a)[\\\\'\"]*p|p[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*g)|r[\\\\'\"]*(?:e[\\\\'\"]*(?:(?:p[\\\\'\"]*(?:l[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e|e[\\\\'\"]*a[\\\\'\"]*t)|n[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*e)[\\\\'\"]*(?:\s|<|>).*|a[\\\\'\"]*l[\\\\'\"]*p[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*h)|m[\\\\'\"]*(?:(?:d[\\\\'\"]*i[\\\\'\"]*r[\\\\'\"]*)?(?:\s|<|>).*|u[\\\\'\"]*s[\\\\'\"]*e[\\\\'\"]*r)|u[\\\\'\"]*b[\\\\'\"]*y(?:[\\\\'\"]*(?:1(?:[\\\\'\"]*[89])?|2[\\\\'\"]*[012]))?|(?:a[\\\\'\"]*r|c[\\\\'\"]*p|p[\\\\'\"]*m)[\\\\'\"]*(?:\s|<|>).*|n[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*o|o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e|s[\\\\'\"]*y[\\\\'\"]*n[\\\\'\"]*c)|t[\\\\'\"]*(?:c[\\\\'\"]*(?:p[\\\\'\"]*(?:t[\\\\'\"]*r[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e|i[\\\\'\"]*n[\\\\'\"]*g)|s[\\\\'\"]*h)|r[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e(?:[\\\\'\"]*6)?|e[\\\\'\"]*(?:l[\\\\'\"]*n[\\\\'\"]*e[\\\\'\"]*t|e[\\\\'\"]*(?:\s|<|>).*)|i[\\\\'\"]*m[\\\\'\"]*e[\\\\'\"]*(?:o[\\\\'\"]*u[\\\\'\"]*t|(?:\s|<|>).*)|a[\\\\'\"]*(?:i[\\\\'\"]*l(?:[\\\\'\"]*f)?|r[\\\\'\"]*(?:\s|<|>).*)|o[\\\\'\"]*(?:u[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*(?:\s|<|>).*|p))|u[\\\\'\"]*(?:n[\\\\'\"]*(?:l[\\\\'\"]*(?:i[\\\\'\"]*n[\\\\'\"]*k[\\\\'\"]*(?:\s|<|>).*|z[\\\\'\"]*m[\\\\'\"]*a)|c[\\\\'\"]*o[\\\\'\"]*m[\\\\'\"]*p[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|a[\\\\'\"]*m[\\\\'\"]*e|r[\\\\'\"]*a[\\\\'\"]*r|s[\\\\'\"]*e[\\\\'\"]*t|z[\
\\\'\"]*i[\\\\'\"]*p|x[\\\\'\"]*z)|s[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*(?:(?:a[\\\\'\"]*d|m[\\\\'\"]*o)[\\\\'\"]*d|d[\\\\'\"]*e[\\\\'\"]*l)|l[\\\\'\"]*i[\\\\'\"]*m[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*(?:\s|<|>).*)|m[\\\\'\"]*(?:y[\\\\'\"]*s[\\\\'\"]*q[\\\\'\"]*l(?:[\\\\'\"]*(?:d[\\\\'\"]*u[\\\\'\"]*m[\\\\'\"]*p(?:[\\\\'\"]*s[\\\\'\"]*l[\\\\'\"]*o[\\\\'\"]*w)?|h[\\\\'\"]*o[\\\\'\"]*t[\\\\'\"]*c[\\\\'\"]*o[\\\\'\"]*p[\\\\'\"]*y|a[\\\\'\"]*d[\\\\'\"]*m[\\\\'\"]*i[\\\\'\"]*n|s[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*w))?|(?:(?:o[\\\\'\"]*u[\\\\'\"]*n|u[\\\\'\"]*t)[\\\\'\"]*t|v)[\\\\'\"]*(?:\s|<|>).*)|x[\\\\'\"]*(?:z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|d[\\\\'\"]*(?:i[\\\\'\"]*f[\\\\'\"]*f|e[\\\\'\"]*c)|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|(?:\s|<|>).*)|a[\\\\'\"]*r[\\\\'\"]*g[\\\\'\"]*s|t[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*m|x[\\\\'\"]*d[\\\\'\"]*(?:\s|<|>).*)|z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|i[\\\\'\"]*p[\\\\'\"]*(?:\s|<|>).*|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|r[\\\\'\"]*u[\\\\'\"]*n|s[\\\\'\"]*h)|o[\\\\'\"]*(?:p[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*s[\\\\'\"]*s[\\\\'\"]*l|n[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*r)|w[\\\\'\"]*(?:h[\\\\'\"]*o[\\\\'\"]*(?:a[\\\\'\"]*m[\\\\'\"]*i|(?:\s|<|>).*)|g[\\\\'\"]*e[\\\\'\"]*t|3[\\\\'\"]*m)|v[\\\\'\"]*i[\\\\'\"]*(?:m[\\\\'\"]*(?:\s|<|>).*|g[\\\\'\"]*r|p[\\\\'\"]*w)|y[\\\\'\"]*u[\\\\'\"]*m)\b" \
    "id:932105, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Remote Command Execution: Unix Command Injection',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
    tag:'WASCTC/WASC-31',\
    tag:'OWASP_TOP_10/A1',\
    tag:'PCI/6.5.2',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}'"
Pattern for rule 932106 is not blocked (status code 200)
ModSecurity Rule ID
932106
From file
../../owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Generated pattern
${
	

{

 	


 
	"'"'"""'""'[*\"-))'[*]]/\"'\\"\\""\'"'\p\\\\\"w"\\\d
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1ac6ecf015382b04b0abeb261f58f5bb75e8d2da11482d66af78715b44a91e2c647b4d702684df1c1e275a1de7f
Connection: keep-alive

Rule content
# Rule 932106: Unix command injection (msg: "Remote Command Execution: Unix Command Injection"),
# tagged paranoia-level/3.
# Targets: cookie values (except cookies whose name matches /__utm/), cookie names, argument
#          names, argument values and XML content; t:none, so no transformation is applied.
# Pattern: a shell separator or substitution opener, optional prefix tokens, quotes and path,
#          then one of a short list of command names (aptitude, up2date, dnf, vi, pacman, pwd,
#          ps, w, who), closed by a word boundary. Every letter may be separated by backslashes
#          or quotes ([\\\\'\"]*), so quote-split spellings still match.
# Scoring: on match adds tx.critical_anomaly_score to tx.rce_score and tx.anomaly_score_pl3
#          (not the _pl1 counter used by the other RCE rules listed in this report).
# NOTE(review): in a stock CRS layout rules of this paranoia level are normally skipped unless
# the configured paranoia level is 3 or higher - confirm the level on the WAF under test before
# treating this "not blocked" result as a bypass.
# NOTE(review): `deny, nolog` sit on the id line, unlike the one-action-per-line layout of the
# rest of the list; presumably added by the test harness rather than by CRS - TODO confirm.
# NOTE(review): the list carries two disruptive actions, `deny` and a later `block`. Per the
# ModSecurity reference manual only the last disruptive action in a rule takes effect, and
# `block` defers to SecDefaultAction - confirm the effective action on the engine under test.
# NOTE(review): `nolog` keeps a match out of the error and audit logs, so the WAF logs cannot
# show whether this rule fired during the run.
# NOTE(review): the request recorded for this test case carries only a hex-looking
# session-cookie value and no arguments; the generated pattern is not visible in it verbatim -
# verify how the harness delivered the pattern to an inspected variable.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*(?:(?:(?:a[\\\\'\"]*p[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*u[\\\\'\"]*d|u[\\\\'\"]*p[\\\\'\"]*2[\\\\'\"]*d[\\\\'\"]*a[\\\\'\"]*t)[\\\\'\"]*e|d[\\\\'\"]*n[\\\\'\"]*f|v[\\\\'\"]*i)[\\\\'\"]*(?:\s|<|>).*|p[\\\\'\"]*(?:a[\\\\'\"]*c[\\\\'\"]*m[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*(?:\s|<|>).*|w[\\\\'\"]*d|s)|w[\\\\'\"]*(?:(?:\s|<|>).*|h[\\\\'\"]*o))\b" \
    "id:932106, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Remote Command Execution: Unix Command Injection',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
    tag:'WASCTC/WASC-31',\
    tag:'OWASP_TOP_10/A1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/3',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}'"
Pattern for rule 932110 is not blocked (status code 200)
ModSecurity Rule ID
932110
From file
../../owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Generated pattern
|	


  
@ " "	(""""""^"^^""^^^^"^f""""""^^^r"e^"e"^^^""^^^^""^d"^"^"^"^^"^"^"i""^"s"^"^^"^^"^""^^"k.^""^^^^"^^^
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1ac7b75e00c82b04b0abeb261f52a12f5340570f7b6ac7d42f76923a268d4bc7ac7bf42be653d98a05cacb8861b
Connection: keep-alive

Rule content
# Rule 932110 (msg: "Windows Command Injection"). Inspects cookie values (names
# matching /__utm/ excluded), cookie names, argument names, argument values and XML
# content, with t:none. The case-insensitive regex wants a separator (; { | & newline
# or backtick), an optional path prefix, then a Windows command name from a long
# alternation (mysql, dir, cmd, netstat, ipconfig, freedisk, ...); double quotes and
# carets are tolerated between the letters.
# On a match it adds tx.critical_anomaly_score to tx.rce_score and tx.anomaly_score_pl1.
# NOTE(review): the regex is split over three physical lines in this listing,
# presumably a wrapping artifact -- compare with the rule file before reusing it.
# NOTE(review): the request printed for this test has no query string and only the
# session cookie, so as printed none of the inspected variables holds the generated
# pattern; confirm the payload was delivered before treating the 200 as a miss.
# NOTE(review): `deny, nolog` share the id line while `block` is still listed below;
# presumably added by the test harness -- confirm which disruptive action applies.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w '\"/\\\\]*\\\\)?[\"\^]*(?:m[\"\^]*(?:y[\"\^]*s[\"\^]*q[\"\^]*l(?:[\"\^]*(?:d[\"\^]*u[\"\^]*m[\"\^]*p(?:[\"\^]*s[\"\^]*l[\"\^]*o[\"\^]*w)?|h[\"\^]*o[\"\^]*t[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y|a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|s[\"\^]*h[\"\^]*o[\"\^]*w))?|s[\"\^]*(?:i[\"\^]*(?:n[\"\^]*f[\"\^]*o[\"\^]*3[\"\^]*2|e[\"\^]*x[\"\^]*e[\"\^]*c)|c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|g[\"\^]*(?:[\s,;]|\.|/|<|>).*|t[\"\^]*s[\"\^]*c)|o[\"\^]*(?:u[\"\^]*n[\"\^]*t[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|v[\"\^]*o[\"\^]*l)|v[\"\^]*e[\"\^]*u[\"\^]*s[\"\^]*e[\"\^]*r|[dr][\"\^]*e[\"\^]*(?:[\s,;]|\.|/|<|>).*)|k[\"\^]*(?:d[\"\^]*i[\"\^]*r[\"\^]*(?:[\s,;]|\.|/|<|>).*|l[\"\^]*i[\"\^]*n[\"\^]*k)|d[\"\^]*(?:s[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*d|(?:[\s,;]|\.|/|<|>).*)|a[\"\^]*p[\"\^]*i[\"\^]*s[\"\^]*e[\"\^]*n[\"\^]*d|b[\"\^]*s[\"\^]*a[\"\^]*c[\"\^]*l[\"\^]*i|e[\"\^]*a[\"\^]*s[\"\^]*u[\"\^]*r[\"\^]*e|m[\"\^]*s[\"\^]*y[\"\^]*s)|d[\"\^]*(?:i[\"\^]*(?:s[\"\^]*k[\"\^]*(?:(?:m[\"\^]*g[\"\^]*m|p[\"\^]*a[\"\^]*r)[\"\^]*t|s[\"\^]*h[\"\^]*a[\"\^]*d[\"\^]*o[\"\^]*w)|r[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|u[\"\^]*s[\"\^]*e)|f[\"\^]*f[\"\^]*(?:[\s,;]|\.|/|<|>).*)|e[\"\^]*(?:l[\"\^]*(?:p[\"\^]*r[\"\^]*o[\"\^]*f|t[\"\^]*r[\"\^]*e[\"\^]*e|(?:[\s,;]|\.|/|<|>).*)|v[\"\^]*(?:m[\"\^]*g[\"\^]*m[\"\^]*t|c[\"\^]*o[\"\^]*n)|(?:f[\"\^]*r[\"\^]*a|b[\"\^]*u)[\"\^]*g)|s[\"\^]*(?:a[\"\^]*(?:c[\"\^]*l[\"\^]*s|d[\"\^]*d)|q[\"\^]*u[\"\^]*e[\"\^]*r[\"\^]*y|m[\"\^]*o[\"\^]*(?:v[\"\^]*e|d)|g[\"\^]*e[\"\^]*t|r[\"\^]*m)|(?:r[\"\^]*i[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*q[\"\^]*u[\"\^]*e[\"\^]*r|o[\"\^]*s[\"\^]*k[\"\^]*e)[\"\^]*y|(?:c[\"\^]*o[\"\^]*m[\"\^]*c[\"\^]*n[\"\^]*f|x[\"\^]*d[\"\^]*i[\"\^]*a)[\"\^]*g|a[\"\^]*t[\"\^]*e[\"\^]*(?:[\s,;]|\.|/|<|>).*|n[\"\^]*s[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t)|c[\"\^]*(?:o[\"\^]*(?:m[\"\^]*(?:p[\"\^]*(?:(?:a[\"\^]*c[
\"\^]*t[\"\^]*)?(?:[\s,;]|\.|/|<|>).*|m[\"\^]*g[\"\^]*m[\"\^]*t)|e[\"\^]*x[\"\^]*p)|n[\"\^]*(?:2[\"\^]*p|v[\"\^]*e)[\"\^]*r[\"\^]*t|p[\"\^]*y)|l[\"\^]*(?:e[\"\^]*a[\"\^]*(?:n[\"\^]*m[\"\^]*g[\"\^]*r|r[\"\^]*m[\"\^]*e[\"\^]*m)|u[\"\^]*s[\"\^]*t[\"\^]*e[\"\^]*r)|h[\"\^]*(?:k[\"\^]*(?:n[\"\^]*t[\"\^]*f[\"\^]*s|d[\"\^]*s[\"\^]*k)|d[\"\^]*i[\"\^]*r[\"\^]*(?:[\s,;]|\.|/|<|>).*)|s[\"\^]*(?:c[\"\^]*(?:r[\"\^]*i[\"\^]*p[\"\^]*t|c[\"\^]*m[\"\^]*d)|v[\"\^]*d[\"\^]*e)|e[\"\^]*r[\"\^]*t[\"\^]*(?:u[\"\^]*t[\"\^]*i[\"\^]*l|r[\"\^]*e[\"\^]*q)|a[\"\^]*(?:l[\"\^]*l[\"\^]*(?:[\s,;]|\.|/|<|>).*|c[\"\^]*l[\"\^]*s)|m[\"\^]*d(?:[\"\^]*k[\"\^]*e[\"\^]*y)?|i[\"\^]*p[\"\^]*h[\"\^]*e[\"\^]*r|u[\"\^]*r[\"\^]*l)|f[\"\^]*(?:o[\"\^]*r[\"\^]*(?:m[\"\^]*a[\"\^]*t[\"\^]*(?:[\s,;]|\.|/|<|>).*|f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s|e[\"\^]*a[\"\^]*c[\"\^]*h)|i[\"\^]*n[\"\^]*d[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|s[\"\^]*t[\"\^]*r)|s[\"\^]*(?:m[\"\^]*g[\"\^]*m[\"\^]*t|u[\"\^]*t[\"\^]*i[\"\^]*l)|t[\"\^]*(?:p[\"\^]*(?:[\s,;]|\.|/|<|>).*|y[\"\^]*p[\"\^]*e)|r[\"\^]*e[\"\^]*e[\"\^]*d[\"\^]*i[\"\^]*s[\"\^]*k|c[\"\^]*(?:[\s,;]|\.|/|<|>).*|g[\"\^]*r[\"\^]*e[\"\^]*p)|n[\"\^]*(?:e[\"\^]*t[\"\^]*(?:s[\"\^]*(?:t[\"\^]*a[\"\^]*t|v[\"\^]*c|h)|(?:[\s,;]|\.|/|<|>).*|c[\"\^]*a[\"\^]*t|d[\"\^]*o[\"\^]*m)|t[\"\^]*(?:b[\"\^]*a[\"\^]*c[\"\^]*k[\"\^]*u[\"\^]*p|r[\"\^]*i[\"\^]*g[\"\^]*h[\"\^]*t[\"\^]*s)|(?:s[\"\^]*l[\"\^]*o[\"\^]*o[\"\^]*k[\"\^]*u|m[\"\^]*a)[\"\^]*p|c[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|a[\"\^]*t)|b[\"\^]*t[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t)|e[\"\^]*(?:x[\"\^]*(?:p[\"\^]*(?:a[\"\^]*n[\"\^]*d[\"\^]*(?:[\s,;]|\.|/|<|>).*|l[\"\^]*o[\"\^]*r[\"\^]*e[\"\^]*r)|i[\"\^]*t)|v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*(?:c[\"\^]*r[\"\^]*e[\"\^]*a[\"\^]*t[\"\^]*e|v[\"\^]*w[\"\^]*r)|n[\"\^]*d[\"\^]*l[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*l|g[\"\^]*r[\"\^]*e[\"\^]*p|r[\"\^]*a[\"\^]*s[\"\^]*e|c[\"\^]*h[\"\^]*o)|g[\"\^]*(?:a[\"\^]*t[\"\^]*h[\"\^]*e[\"\^]*r[\"\^]*n[\"\^]*e[\"\^]*t[\"\^]*w[\"\^]*o[\"\^]*r[\"\^]*k[\"\^]*i[\"\^]*n[\"\^]*f[\"\^]*o|p[\"\^]*(?:(?:r[\"
\^]*e[\"\^]*s[\"\^]*u[\"\^]*l|e[\"\^]*d[\"\^]*i)[\"\^]*t|u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e)|i[\"\^]*t[\"\^]*(?:[\s,;]|\.|/|<|>).*|e[\"\^]*t[\"\^]*m[\"\^]*a[\"\^]*c)|i[\"\^]*(?:r[\"\^]*b(?:[\"\^]*(?:1(?:[\"\^]*[89])?|2[\"\^]*[012]))?|f[\"\^]*m[\"\^]*e[\"\^]*m[\"\^]*b[\"\^]*e[\"\^]*r|p[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|n[\"\^]*e[\"\^]*t[\"\^]*c[\"\^]*p[\"\^]*l|c[\"\^]*a[\"\^]*c[\"\^]*l[\"\^]*s)|a[\"\^]*(?:d[\"\^]*(?:d[\"\^]*u[\"\^]*s[\"\^]*e[\"\^]*r[\"\^]*s|m[\"\^]*o[\"\^]*d[\"\^]*c[\"\^]*m[\"\^]*d)|r[\"\^]*p[\"\^]*(?:[\s,;]|\.|/|<|>).*|t[\"\^]*t[\"\^]*r[\"\^]*i[\"\^]*b|s[\"\^]*s[\"\^]*o[\"\^]*c|z[\"\^]*m[\"\^]*a[\"\^]*n)|l[\"\^]*(?:o[\"\^]*g[\"\^]*(?:e[\"\^]*v[\"\^]*e[\"\^]*n[\"\^]*t|t[\"\^]*i[\"\^]*m[\"\^]*e|m[\"\^]*a[\"\^]*n|o[\"\^]*f[\"\^]*f)|a[\"\^]*b[\"\^]*e[\"\^]*l[\"\^]*(?:[\s,;]|\.|/|<|>).*|u[\"\^]*s[\"\^]*r[\"\^]*m[\"\^]*g[\"\^]*r)|b[\"\^]*(?:(?:c[\"\^]*d[\"\^]*(?:b[\"\^]*o[\"\^]*o|e[\"\^]*d[\"\^]*i)|r[\"\^]*o[\"\^]*w[\"\^]*s[\"\^]*t[\"\^]*a)[\"\^]*t|i[\"\^]*t[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|o[\"\^]*o[\"\^]*t[\"\^]*c[\"\^]*f[\"\^]*g)|h[\"\^]*(?:o[\"\^]*s[\"\^]*t[\"\^]*n[\"\^]*a[\"\^]*m[\"\^]*e|d[\"\^]*w[\"\^]*w[\"\^]*i[\"\^]*z)|j[\"\^]*a[\"\^]*v[\"\^]*a[\"\^]*(?:[\s,;]|\.|/|<|>).*|7[\"\^]*z(?:[\"\^]*[ar])?)(?:\.[\"\^]*\w+)?\b" \
    "id:932110, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Remote Command Execution: Windows Command Injection',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-windows',\
    tag:'attack-rce',\
    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
    tag:'WASCTC/WASC-31',\
    tag:'OWASP_TOP_10/A1',\
    tag:'PCI/6.5.2',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}'"
Pattern for rule 932115 is not blocked (status code 200)
ModSecurity Rule ID
932115
From file
../../owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Generated pattern
&&	

" 	
^"^^"q"^^^"^""""u""^"""^"^^""""^e""""^"^^^""r^^^"^""^y^^"^"">K>t-T+;!x3k0
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1ac8675f2a782b04b0abeb261f5e87222affec8f86a5bc1a8b821bddb4852e0f5666829aa2be77fb49a8b1a5d3c
Connection: keep-alive

Rule content
# Rule 932115 (msg: "Windows Command Injection"), a second command list with the same
# shape as 932110. Inspects cookie values (names matching /__utm/ excluded), cookie
# names, argument names, argument values and XML content, with t:none. The
# case-insensitive regex wants a separator (; { | & newline or backtick), an optional
# path prefix, then a Windows command name (systeminfo, powershell, regedit, tasklist,
# whoami, query, ...); double quotes and carets are tolerated between the letters.
# On a match it adds tx.critical_anomaly_score to tx.rce_score and tx.anomaly_score_pl1.
# NOTE(review): the regex is split over three physical lines in this listing,
# presumably a wrapping artifact -- compare with the rule file before reusing it.
# NOTE(review): the request printed for this test has no query string and only the
# session cookie, so as printed none of the inspected variables holds the generated
# pattern; confirm the payload was delivered before treating the 200 as a miss.
# NOTE(review): `deny, nolog` share the id line while `block` is still listed below;
# presumably added by the test harness -- confirm which disruptive action applies.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w '\"/\\\\]*\\\\)?[\"\^]*(?:s[\"\^]*(?:y[\"\^]*s[\"\^]*(?:t[\"\^]*e[\"\^]*m[\"\^]*(?:p[\"\^]*r[\"\^]*o[\"\^]*p[\"\^]*e[\"\^]*r[\"\^]*t[\"\^]*i[\"\^]*e[\"\^]*s[\"\^]*(?:d[\"\^]*a[\"\^]*t[\"\^]*a[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*p[\"\^]*r[\"\^]*e[\"\^]*v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n|(?:p[\"\^]*e[\"\^]*r[\"\^]*f[\"\^]*o[\"\^]*r[\"\^]*m[\"\^]*a[\"\^]*n[\"\^]*c|h[\"\^]*a[\"\^]*r[\"\^]*d[\"\^]*w[\"\^]*a[\"\^]*r)[\"\^]*e|a[\"\^]*d[\"\^]*v[\"\^]*a[\"\^]*n[\"\^]*c[\"\^]*e[\"\^]*d)|i[\"\^]*n[\"\^]*f[\"\^]*o)|k[\"\^]*e[\"\^]*y|d[\"\^]*m)|h[\"\^]*(?:o[\"\^]*(?:w[\"\^]*(?:g[\"\^]*r[\"\^]*p|m[\"\^]*b[\"\^]*r)[\"\^]*s|r[\"\^]*t[\"\^]*c[\"\^]*u[\"\^]*t)|e[\"\^]*l[\"\^]*l[\"\^]*r[\"\^]*u[\"\^]*n[\"\^]*a[\"\^]*s|u[\"\^]*t[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n|r[\"\^]*p[\"\^]*u[\"\^]*b[\"\^]*w|a[\"\^]*r[\"\^]*e|i[\"\^]*f[\"\^]*t)|e[\"\^]*(?:t[\"\^]*(?:(?:x[\"\^]*)?(?:[\s,;]|\.|/|<|>).*|l[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*l)|c[\"\^]*p[\"\^]*o[\"\^]*l|l[\"\^]*e[\"\^]*c[\"\^]*t)|c[\"\^]*(?:h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|l[\"\^]*i[\"\^]*s[\"\^]*t)|u[\"\^]*b[\"\^]*(?:i[\"\^]*n[\"\^]*a[\"\^]*c[\"\^]*l|s[\"\^]*t)|t[\"\^]*a[\"\^]*r[\"\^]*t[\"\^]*(?:[\s,;]|\.|/|<|>).*|i[\"\^]*g[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f|l[\"\^]*(?:e[\"\^]*e[\"\^]*p|m[\"\^]*g[\"\^]*r)|o[\"\^]*r[\"\^]*t|f[\"\^]*c|v[\"\^]*n)|p[\"\^]*(?:s[\"\^]*(?:s[\"\^]*(?:h[\"\^]*u[\"\^]*t[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n|e[\"\^]*r[\"\^]*v[\"\^]*i[\"\^]*c[\"\^]*e|u[\"\^]*s[\"\^]*p[\"\^]*e[\"\^]*n[\"\^]*d)|l[\"\^]*(?:o[\"\^]*g[\"\^]*(?:g[\"\^]*e[\"\^]*d[\"\^]*o[\"\^]*n|l[\"\^]*i[\"\^]*s[\"\^]*t)|i[\"\^]*s[\"\^]*t)|p[\"\^]*(?:a[\"\^]*s[\"\^]*s[\"\^]*w[\"\^]*d|i[\"\^]*n[\"\^]*g)|g[\"\^]*e[\"\^]*t[\"\^]*s[\"\^]*i[\"\^]*d|e[\"\^]*x[\"\^]*e[\"\^]*c|f[\"\^]*i[\"\^]*l[\"\^]*e
|i[\"\^]*n[\"\^]*f[\"\^]*o|k[\"\^]*i[\"\^]*l[\"\^]*l)|o[\"\^]*(?:w[\"\^]*e[\"\^]*r[\"\^]*(?:s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l(?:[\"\^]*_[\"\^]*i[\"\^]*s[\"\^]*e)?|c[\"\^]*f[\"\^]*g)|r[\"\^]*t[\"\^]*q[\"\^]*r[\"\^]*y|p[\"\^]*d)|r[\"\^]*(?:i[\"\^]*n[\"\^]*t[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|b[\"\^]*r[\"\^]*m)|n[\"\^]*(?:c[\"\^]*n[\"\^]*f[\"\^]*g|m[\"\^]*n[\"\^]*g[\"\^]*r)|o[\"\^]*m[\"\^]*p[\"\^]*t)|a[\"\^]*t[\"\^]*h[\"\^]*(?:p[\"\^]*i[\"\^]*n[\"\^]*g|(?:[\s,;]|\.|/|<|>).*)|e[\"\^]*r[\"\^]*(?:l(?:[\"\^]*(?:s[\"\^]*h|5))?|f[\"\^]*m[\"\^]*o[\"\^]*n)|y[\"\^]*t[\"\^]*h[\"\^]*o[\"\^]*n(?:[\"\^]*(?:3(?:[\"\^]*m)?|2))?|k[\"\^]*g[\"\^]*m[\"\^]*g[\"\^]*r|h[\"\^]*p(?:[\"\^]*[57])?|u[\"\^]*s[\"\^]*h[\"\^]*d|i[\"\^]*n[\"\^]*g)|r[\"\^]*(?:e[\"\^]*(?:(?:p[\"\^]*l[\"\^]*a[\"\^]*c[\"\^]*e|n(?:[\"\^]*a[\"\^]*m[\"\^]*e)?|s[\"\^]*e[\"\^]*t)[\"\^]*(?:[\s,;]|\.|/|<|>).*|g[\"\^]*(?:s[\"\^]*v[\"\^]*r[\"\^]*3[\"\^]*2|e[\"\^]*d[\"\^]*i[\"\^]*t|(?:[\s,;]|\.|/|<|>).*|i[\"\^]*n[\"\^]*i)|c[\"\^]*(?:d[\"\^]*i[\"\^]*s[\"\^]*c|o[\"\^]*v[\"\^]*e[\"\^]*r)|k[\"\^]*e[\"\^]*y[\"\^]*w[\"\^]*i[\"\^]*z)|u[\"\^]*(?:n[\"\^]*(?:d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2|a[\"\^]*s)|b[\"\^]*y[\"\^]*(?:1(?:[\"\^]*[89])?|2[\"\^]*[012]))|a[\"\^]*(?:s[\"\^]*(?:p[\"\^]*h[\"\^]*o[\"\^]*n[\"\^]*e|d[\"\^]*i[\"\^]*a[\"\^]*l)|r[\"\^]*(?:[\s,;]|\.|/|<|>).*)|m[\"\^]*(?:(?:d[\"\^]*i[\"\^]*r[\"\^]*)?(?:[\s,;]|\.|/|<|>).*|t[\"\^]*s[\"\^]*h[\"\^]*a[\"\^]*r[\"\^]*e)|o[\"\^]*(?:u[\"\^]*t[\"\^]*e[\"\^]*(?:[\s,;]|\.|/|<|>).*|b[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y)|s[\"\^]*(?:t[\"\^]*r[\"\^]*u[\"\^]*i|y[\"\^]*n[\"\^]*c)|d[\"\^]*(?:[\s,;]|\.|/|<|>).*)|t[\"\^]*(?:a[\"\^]*(?:s[\"\^]*k[\"\^]*(?:k[\"\^]*i[\"\^]*l[\"\^]*l|l[\"\^]*i[\"\^]*s[\"\^]*t|s[\"\^]*c[\"\^]*h[\"\^]*d|m[\"\^]*g[\"\^]*r)|k[\"\^]*e[\"\^]*o[\"\^]*w[\"\^]*n)|(?:i[\"\^]*m[\"\^]*e[\"\^]*o[\"\^]*u|p[\"\^]*m[\"\^]*i[\"\^]*n[\"\^]*i|e[\"\^]*l[\"\^]*n[\"\^]*e|l[\"\^]*i[\"\^]*s)[\"\^]*t|s[\"\^]*(?:d[\"\^]*i[\"\^]*s[\"\^]*c[\"\^]*o|s[\"\^]*h[\"\^]*u[\"\^]*t[\"\^]*d)[\"\^]*n|y[\"\^]*p[\"\^
]*e[\"\^]*(?:p[\"\^]*e[\"\^]*r[\"\^]*f|(?:[\s,;]|\.|/|<|>).*)|r[\"\^]*(?:a[\"\^]*c[\"\^]*e[\"\^]*r[\"\^]*t|e[\"\^]*e))|w[\"\^]*(?:i[\"\^]*n[\"\^]*(?:d[\"\^]*i[\"\^]*f[\"\^]*f|m[\"\^]*s[\"\^]*d[\"\^]*p|v[\"\^]*a[\"\^]*r|r[\"\^]*[ms])|u[\"\^]*(?:a[\"\^]*(?:u[\"\^]*c[\"\^]*l[\"\^]*t|p[\"\^]*p)|s[\"\^]*a)|s[\"\^]*c[\"\^]*(?:r[\"\^]*i[\"\^]*p[\"\^]*t|u[\"\^]*i)|e[\"\^]*v[\"\^]*t[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|m[\"\^]*i[\"\^]*(?:m[\"\^]*g[\"\^]*m[\"\^]*t|c)|a[\"\^]*i[\"\^]*t[\"\^]*f[\"\^]*o[\"\^]*r|h[\"\^]*o[\"\^]*a[\"\^]*m[\"\^]*i|g[\"\^]*e[\"\^]*t)|u[\"\^]*(?:s[\"\^]*(?:e[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*c[\"\^]*o[\"\^]*u[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*t[\"\^]*r[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*t[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s|r[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t)|n[\"\^]*(?:r[\"\^]*a[\"\^]*r|z[\"\^]*i[\"\^]*p))|q[\"\^]*(?:u[\"\^]*e[\"\^]*r[\"\^]*y[\"\^]*(?:[\s,;]|\.|/|<|>).*|p[\"\^]*r[\"\^]*o[\"\^]*c[\"\^]*e[\"\^]*s[\"\^]*s|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a|g[\"\^]*r[\"\^]*e[\"\^]*p)|o[\"\^]*(?:d[\"\^]*b[\"\^]*c[\"\^]*(?:a[\"\^]*d[\"\^]*3[\"\^]*2|c[\"\^]*o[\"\^]*n[\"\^]*f)|p[\"\^]*e[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s)|v[\"\^]*(?:o[\"\^]*l[\"\^]*(?:[\s,;]|\.|/|<|>).*|e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*y)|x[\"\^]*c[\"\^]*(?:a[\"\^]*c[\"\^]*l[\"\^]*s|o[\"\^]*p[\"\^]*y)|z[\"\^]*i[\"\^]*p[\"\^]*(?:[\s,;]|\.|/|<|>).*)(?:\.[\"\^]*\w+)?\b" \
    "id:932115, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Remote Command Execution: Windows Command Injection',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-windows',\
    tag:'attack-rce',\
    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
    tag:'WASCTC/WASC-31',\
    tag:'OWASP_TOP_10/A1',\
    tag:'PCI/6.5.2',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}'"
Pattern for rule 932140 is not blocked (status code 200)
ModSecurity Rule ID
932140
From file
../../owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Generated pattern
if exist
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: _NAMES=if exist; if exist=test; test=if exist; session-cookie=155dc1ac4f835a9a82b04b0abeb261f560246a569c3f2ee636d05490e21dcab7683c230c6abaa89f88f0223534647a9a
Connection: keep-alive

Rule content
# Rule 932140 (msg: "Windows FOR/IF Command Found"). Inspects cookie values (names
# matching /__utm/ excluded), cookie names, argument names, argument values and XML
# content after t:urlDecodeUni and t:cmdLine.
# The regex matches batch-style conditionals (`if [not] exist|defined|errorlevel|
# cmdextversion`, or `if` followed by a comparison operator such as geq/equ/==) and
# `for ... %var in(...) do` loops.
# On a match it adds tx.critical_anomaly_score to tx.rce_score and tx.anomaly_score_pl1.
# NOTE(review): unlike several other entries in this report, the printed request does
# carry the generated pattern in inspected variables (cookie names and values), so the
# 200 here deserves follow-up rather than being written off as a delivery problem.
# NOTE(review): `deny, nolog` share the id line while `block` is still listed below;
# presumably added by the test harness -- confirm which disruptive action applies.
# With `nolog`, the response status is the only visible signal of a match.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \b(?:if(?:/i)?(?: not)?(?: exist\b| defined\b| errorlevel\b| cmdextversion\b|(?: |\().*(?:\bgeq\b|\bequ\b|\bneq\b|\bleq\b|\bgtr\b|\blss\b|==))|for(/[dflr].*)* %+[^ ]+ in\(.*\)\s?do)" \
    "id:932140, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:cmdLine,\
    msg:'Remote Command Execution: Windows FOR/IF Command Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-windows',\
    tag:'attack-rce',\
    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
    tag:'WASCTC/WASC-31',\
    tag:'OWASP_TOP_10/A1',\
    tag:'PCI/6.5.2',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}'"
Pattern for rule 932170 is not blocked (status code 200)
ModSecurity Rule ID
932170
From file
../../owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Generated pattern
(  	


	 
	)

  
	

	{
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1ac5609031882b04b0abeb261f55c0627b7efc18d7a00bc7d7bfd6cc26974f76a0e32ca564375096ee3500ce9c3
Connection: keep-alive

Rule content
# Rule 932170 (msg: "Shellshock (CVE-2014-6271)"). Inspects every request header value
# and the request line after t:urlDecode.
# The regex is anchored with `^`: it matches only when the inspected value *begins*
# with `(`, optional whitespace, `)`, at least one whitespace character, then `{`.
# On a match it adds tx.critical_anomaly_score to tx.rce_score and tx.anomaly_score_pl1.
# NOTE(review): in the request printed for this test no header value and no request
# line starts with `(`, so as printed the generated pattern never reached an inspected
# variable; confirm delivery before treating the 200 as a miss.
# NOTE(review): `deny, nolog` share the id line while `block` is still listed below;
# presumably added by the test harness -- confirm which disruptive action applies.
SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \
    "id:932170, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecode,\
    msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
    tag:'WASCTC/WASC-31',\
    tag:'OWASP_TOP_10/A1',\
    tag:'PCI/6.5.2',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}'"
Pattern for rule 932171 is not blocked (status code 200)
ModSecurity Rule ID
932171
From file
../../owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Generated pattern
(

	
 	  
   )
 


	
 
 
	{
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1ac64e8c37882b04b0abeb261f542da509c41218901e1ce32303f11401ab036aa4493e18c18e701879f2768f2bf
Connection: keep-alive

Rule content
# Rule 932171 (msg: "Shellshock (CVE-2014-6271)"), the argument-side counterpart of
# 932170: same anchored regex, applied to argument names, argument values and uploaded
# file field names after t:urlDecode and t:urlDecodeUni.
# On a match it adds tx.critical_anomaly_score to tx.rce_score and tx.anomaly_score_pl1.
# NOTE(review): the request printed for this test is a GET with no query string and no
# body, so as printed it has no arguments or files for this rule to inspect; confirm
# the payload was delivered before treating the 200 as a miss.
# NOTE(review): `deny, nolog` share the id line while `block` is still listed below;
# presumably added by the test harness -- confirm which disruptive action applies.
SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
    "id:932171, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecode,t:urlDecodeUni,\
    msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
    tag:'WASCTC/WASC-31',\
    tag:'OWASP_TOP_10/A1',\
    tag:'PCI/6.5.2',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}'"
Pattern for rule 933110 is not blocked (status code 200)
ModSecurity Rule ID
933110
From file
../../owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Generated pattern
t\t3!eOKvH.php15929....
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Test: t\t3!eOKvH.php15929....
X-Filename: t\t3!eOKvH.php15929....
X-File-Name: t\t3!eOKvH.php15929....
X_Filename: t\t3!eOKvH.php15929....
Cookie: session-cookie=155dc1ac7ed7b14482b04b0abeb261f5d7d245879ba989437cf7f882a2ddad057b1b531b2e7761da915ff035ac827075
Connection: keep-alive

Rule content
# Rule 933110 (msg: "PHP Script File Upload Found"). Inspects uploaded file names and
# the X-Filename, X_Filename and X-File-Name request headers after t:lowercase.
# The regex matches a name ending in `.php`, `.php<digits>` or `.phtml`, optionally
# followed by trailing dots.
# On a match it adds tx.critical_anomaly_score to tx.php_injection_score and
# tx.anomaly_score_pl1.
# NOTE(review): the printed request carries the generated pattern in all three
# inspected headers (the extra `Test` header is not inspected by this rule), so the
# 200 here deserves follow-up rather than being written off as a delivery problem.
# NOTE(review): `deny, nolog` share the id line while `block` is still listed below;
# presumably added by the test harness -- confirm which disruptive action applies.
# With `nolog`, the response status is the only visible signal of a match.
SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\.*$" \
    "id:933110, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:lowercase,\
    msg:'PHP Injection Attack: PHP Script File Upload Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-injection-php',\
    tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
    tag:'OWASP_TOP_10/A1',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}'"
Pattern for rule 933111 is not blocked (status code 200)
ModSecurity Rule ID
933111
From file
../../owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Generated pattern
9g+"rMDWALld0/3no .phtml.v#
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Test: 9g+"rMDWALld0/3no .phtml.v#
X-Filename: 9g+"rMDWALld0/3no .phtml.v#
X-File-Name: 9g+"rMDWALld0/3no .phtml.v#
X_Filename: 9g+"rMDWALld0/3no .phtml.v#
Cookie: session-cookie=155dc1ac91d0288b82b04b0abeb261f508966a0fb1028b850cc9c0c6a49a4371d7a2eafbb7f7430abd35001162965a0c
Connection: keep-alive

Rule content
# Rule 933111 (msg: "PHP Script File Upload Found"), a broader variant of 933110 on
# the same variables (uploaded file names and the X-Filename, X_Filename, X-File-Name
# headers, after t:lowercase). Here the `.php`/`.php<digits>`/`.phtml` part only has to
# be followed by another dot and anything else, so the PHP extension may sit in the
# middle of the name.
# On a match it adds tx.critical_anomaly_score to tx.php_injection_score and
# tx.anomaly_score_pl3.
# NOTE(review): tagged paranoia-level/3. In the rule file such rules are normally
# skipped below that level (the gating is not part of this snippet) -- check the
# paranoia level of the tested WAF before reading "not blocked" as a detection gap.
# NOTE(review): `deny, nolog` share the id line while `block` is still listed below;
# presumably added by the test harness -- confirm which disruptive action applies.
SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\..*$" \
    "id:933111, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:lowercase,\
    msg:'PHP Injection Attack: PHP Script File Upload Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-injection-php',\
    tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
    tag:'OWASP_TOP_10/A1',\
    tag:'paranoia-level/3',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}'"
Pattern for rule 933131 is not blocked (status code 200)
ModSecurity Rule ID
933131
From file
../../owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Generated pattern
REQUEST_URI
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: REQUEST_URI=test; _NAMES=REQUEST_URI; test=REQUEST_URI; session-cookie=155dc1ac5e68ee8182b04b0abeb261f52827de032044202b0167e0cb590c53ae369607652a3d85d5c459fd5ed388ada3
Connection: keep-alive

Rule content
# Rule 933131 (msg: "PHP Injection Attack: Variables Found"). Inspects cookie values
# (names matching /__utm/ excluded), cookie names, argument names, argument values and
# XML content after t:normalisePath and t:urlDecodeUni.
# The regex looks for upper-case server-variable style names (HTTP_USER_AGENT,
# HTTP_HOST, PATH_INFO, QUERY_STRING, REQUEST_URI, AUTH_TYPE, ...). It has no (?i) flag
# and no lowercase transformation, so the match is case-sensitive.
# On a match it adds tx.critical_anomaly_score to tx.php_injection_score and
# tx.anomaly_score_pl3.
# NOTE(review): tagged paranoia-level/3. In the rule file such rules are normally
# skipped below that level (the gating is not part of this snippet) -- check the
# paranoia level of the tested WAF before reading "not blocked" as a detection gap.
# NOTE(review): `deny, nolog` share the id line while `block` is still listed below;
# presumably added by the test harness -- confirm which disruptive action applies.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:HTTP_(?:ACCEPT(?:_(?:ENCODING|LANGUAGE|CHARSET))?|(?:X_FORWARDED_FO|REFERE)R|(?:USER_AGEN|HOS)T|CONNECTION|KEEP_ALIVE)|PATH_(?:TRANSLATED|INFO)|ORIG_PATH_INFO|QUERY_STRING|REQUEST_URI|AUTH_TYPE)" \
    "id:933131, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:normalisePath,t:urlDecodeUni,\
    msg:'PHP Injection Attack: Variables Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-injection-php',\
    tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
    tag:'OWASP_TOP_10/A1',\
    tag:'paranoia-level/3',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}'"
Pattern for rule 933170 is not blocked (status code 200)
ModSecurity Rule ID
933170
From file
../../owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Generated pattern
O:59151809481516495958430164078029466667140580066217711693:"cj$:{<u)+45O$V-$Xk)N/[email protected],;j&":565364849083646960036:{[email protected]'#bf$1Gl$#V/%DeD&Z6Oc3D>B+NsF!nQZAaUsi^n6<6Ge:qrq:5%;i	;g(()/R>&}X!
-yL+hFH[6$v6S1E1\0;"%F(F}
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1ac76ad42cd82b04b0abeb261f53788dbf70fb81b8adef86ef77e9bf069ef83137fcb2f226f45bfd449459149c3
Connection: keep-alive

Rule content
# Rule 933170 (msg: "Serialized Object Injection"). Inspects cookie values (names
# matching /__utm/ excluded), cookie names, all request headers, argument names,
# argument values and XML content, with t:none.
# The regex matches the shape `O:<digits>:"<name>":<digits>:{...}` (also with a
# leading `o`, `C` or `c`).
# On a match it adds tx.critical_anomaly_score to tx.php_injection_score and
# tx.anomaly_score_pl1.
# NOTE(review): the request printed for this test has no query string and only the
# session cookie, so as printed none of the inspected variables holds the generated
# pattern; confirm the payload was delivered before treating the 200 as a miss.
# NOTE(review): `deny, nolog` share the id line while `block` is still listed below;
# presumably added by the test harness -- confirm which disruptive action applies.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|ARGS_NAMES|ARGS|XML:/* "@rx [oOcC]:\d+:\".+?\":\d+:{.*}" \
    "id:933170, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'PHP Injection Attack: Serialized Object Injection',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-injection-php',\
    tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
    tag:'OWASP_TOP_10/A1',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}'"
Pattern for rule 941110 is not blocked (status code 200)
ModSecurity Rule ID
941110
From file
../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern
<script%jBmE>
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1ac5c00009682b04b0abeb261f555c2b0d1eefc82e94026cae2aeb295c1e866c5c6497ba6e2475bd60ce6409b97
Connection: keep-alive

Rule content
# Rule 941110 (msg: "XSS Filter - Category 1: Script Tag Vector"). Inspects cookie
# values (names matching /__utm/ excluded), cookie names, the User-Agent and Referer
# headers, argument names, argument values and XML content, after a decoding chain
# (utf8toUnicode, urlDecodeUni, htmlEntityDecode, jsDecode, cssDecode, removeNulls).
# The case-insensitive regex matches an opening `<script ...>` tag.
# On a match it adds tx.critical_anomaly_score to tx.xss_score and tx.anomaly_score_pl1.
# NOTE(review): the character classes `[<<]` and `[>>]` list the same character twice;
# this looks like a second, non-ASCII bracket variant lost in rendering -- compare with
# the rule file before reusing the regex.
# NOTE(review): the request printed for this test has no query string, an unmodified
# User-Agent and only the session cookie, so as printed no inspected variable holds
# the generated pattern; confirm delivery before treating the 200 as a miss.
# NOTE(review): `deny, nolog` share the id line while `block` is still listed below;
# presumably added by the test harness -- confirm which disruptive action applies.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[<<]script[^>>]*[>>][\s\S]*?" \
    "id:941110, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'XSS Filter - Category 1: Script Tag Vector',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
Pattern for rule 941120 is not blocked (status code 200)
ModSecurity Rule ID
941120
From file
../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern
 1910 99";61
onhVyDAfOR=
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1abf709111282b04b0abeb261f5214ecbe3349c9421cadaa0ad876b87e83d1e8776fe615fa9cad975cda37d3f4d
Connection: keep-alive

Rule content
# Rule 941120 (msg: "XSS Filter - Category 2: Event Handler Vector"). Inspects cookie
# values (names matching /__utm/ excluded), cookie names, the User-Agent and Referer
# headers, argument names, argument values and XML content, after a decoding chain
# (utf8toUnicode, urlDecodeUni, htmlEntityDecode, jsDecode, cssDecode, removeNulls).
# The case-insensitive regex wants one or more delimiter characters (whitespace,
# quotes, `;`, `/`, digits, `=`, ...), then `on` plus letters, then `=`.
# On a match it adds tx.critical_anomaly_score to tx.xss_score and tx.anomaly_score_pl1.
# NOTE(review): the request printed for this test has no query string, an unmodified
# User-Agent and only the session cookie, so as printed no inspected variable holds
# the generated pattern; confirm delivery before treating the 200 as a miss.
# NOTE(review): `deny, nolog` share the id line while `block` is still listed below;
# presumably added by the test harness -- confirm which disruptive action applies.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\"'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]+on[a-zA-Z]+[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=" \
    "id:941120, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'XSS Filter - Category 2: Event Handler Vector',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
Pattern for rule 941130 is not blocked (status code 200)
ModSecurity Rule ID
941130
From file
../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern
formaction
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1ac411660cd82b04b0abeb261f5069fe8060e4d5ba5a84ccab613c32014b486507fe8f3ee9db25243356bc9ed36
Connection: keep-alive

Rule content
# Rule 941130 (msg: "XSS Filter - Category 3: Attribute Vector"). Inspects cookie
# values (names matching /__utm/ excluded), cookie names, the User-Agent header,
# argument names, argument values and XML content, after a decoding chain
# (utf8toUnicode, urlDecodeUni, htmlEntityDecode, jsDecode, cssDecode, removeNulls).
# The case-insensitive regex requires one arbitrary character (`[\s\S]`) *before* a
# keyword such as xlink:href, xmlns, data:text/html, formaction, @import or base64,
# so a value that starts with the keyword itself does not match.
# On a match it adds tx.critical_anomaly_score to tx.xss_score and tx.anomaly_score_pl1.
# NOTE(review): the generated pattern is printed as the bare word `formaction`, with
# no leading character visible, and the printed request carries it in no inspected
# variable; confirm both the pattern and its delivery before treating the 200 as a miss.
# NOTE(review): `deny, nolog` share the id line while `block` is still listed below;
# presumably added by the test harness -- confirm which disruptive action applies.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\S](?:x(?:link:href|html|mlns)|!ENTITY.*?SYSTEM|data:text\/html|pattern(?=.*?=)|formaction|\@import|base64)\b" \
    "id:941130, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'XSS Filter - Category 3: Attribute Vector',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
Pattern for rule 941150 is not blocked (status code 200)
ModSecurity Rule ID
941150
From file
../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern
href=
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Test: href=
_NAMES: href=
Cookie: User-Agent=href=; _NAMES=href=; href==test; test=href=; session-cookie=155dc1ac30bd200982b04b0abeb261f55d8934d53baab46216cdd0e72b17f20e22937e91f4638b10c25ad5a6bb597b64
Connection: keep-alive

Rule content
# Rule 941150 (msg: "XSS Filter - Category 5: Disallowed HTML Attributes"). Inspects
# cookie values (names matching /__utm/ excluded), cookie names, the User-Agent
# header, argument names, argument values and XML content, after a decoding chain
# (utf8toUnicode, urlDecodeUni, htmlEntityDecode, jsDecode, cssDecode, removeNulls).
# The case-insensitive regex matches the words style, src or href followed, at any
# distance, by `=`.
# On a match it adds tx.critical_anomaly_score to tx.xss_score and tx.anomaly_score_pl2.
# NOTE(review): tagged paranoia-level/2. In the rule file such rules are normally
# skipped below that level (the gating is not part of this snippet) -- check the
# paranoia level of the tested WAF before reading "not blocked" as a detection gap.
# NOTE(review): the printed request carries the pattern in cookies; the `Test` and
# `_NAMES` headers are not inspected by this rule, and the User-Agent header itself
# is unchanged (the pattern sits in a cookie *named* User-Agent).
# NOTE(review): `deny, nolog` share the id line while `block` is still listed below;
# presumably added by the test harness -- confirm which disruptive action applies.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=" \
    "id:941150, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'XSS Filter - Category 5: Disallowed HTML Attributes',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    tag:'paranoia-level/2',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
Pattern for rule 941310 is not blocked (status code 200)
ModSecurity Rule ID
941310
From file
../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern
¾R<Xvr74iE).=vh"eC¼
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: _NAMES=¾R<Xvr74iE).=vh"eC¼; test=¾R<Xvr74iE).=vh"eC¼; ¾R<Xvr74iE).=vh"eC¼=test; session-cookie=155dc1ac183f4fae82b04b0abeb261f51b821136ae40c5dc7127c0e4f0808468cb78b08a0055bc803d139e49aff38e42
Connection: keep-alive

Rule content
# Rule 941310: matches a ¾ or ¼ character paired with another ¾/¼ or with
# "<" / ">" in cookie values and names (cookies matching /__utm/ excluded),
# argument names/values and XML content.
# Input is URL-decoded (twice, Unicode-aware then plain), lowercased and
# HTML-entity/JS-decoded. A match adds tx.critical_anomaly_score to
# tx.xss_score and tx.anomaly_score_pl1.
# NOTE(review): the rule presumably targets the single bytes behind ¾/¼ as
# they appear in the rule file; if the test client sent them in a different
# encoding than the regex was compiled with, the pattern would not match.
# Verify the bytes on the wire before treating the 200 as a missed detection.
# NOTE(review): the id line carries "deny, nolog" ahead of "block"; confirm
# which disruptive action the engine applies. nolog also removes the log
# entry that would show whether the rule matched.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:¾|¼).*(?:¾|¼|>)|(?:¾|¼|<).*(?:¾|¼)" \
    "id:941310, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
    msg:'US-ASCII Malformed Encoding XSS Filter - Attack Detected.',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-tomcat',\
    tag:'attack-xss',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
Pattern for rule 941340 is not blocked (status code 200)
ModSecurity Rule ID
941340
From file
../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern
'                                                        in)xq6W"vGoQd6Rr(!lz!vpEi+\rw/_<;iQFf<&PJI!)P%;
2	3yyl `lZ	[email protected]
h%R*V`#2js;PT_vO>=u.km-J!~
iD!xH]e>=
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1ac254e419982b04b0abeb261f51e70cc7323e89732463382c4f18183d5e966af8b01e208ef92eaf01222e48235
Connection: keep-alive

Rule content
# Rule 941340: matches a quote, optional spaces, then either "in" or a
# character outside [a-z0-9~_:' ], followed later by "." and "=". Targets are
# cookie values and names (cookies matching /__utm/ or /_pk_ref/ excluded),
# argument names/values and XML content.
# Input is URL- and HTML-entity-decoded and whitespace-compressed. A match
# adds tx.critical_anomaly_score to tx.xss_score and tx.anomaly_score_pl2.
# NOTE(review): the request recorded for this test contains only the
# session-cookie; the generated pattern is not present in any header, cookie
# or argument, so the 200 says nothing about this rule. Presumably the
# multi-line pattern could not be placed in a header - verify in the harness.
# NOTE(review): the generated pattern shown in the report also contains
# "[email protected]", which looks like e-mail-obfuscation residue rather than
# generator output.
# NOTE(review): tagged paranoia-level/2; confirm the level under test.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"\'][ ]*(?:[^a-z0-9~_:\' ]|in).+?[.].+?=" \
    "id:941340, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,\
    msg:'IE XSS Filters - Attack Detected.',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A2',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'PCI/6.5.1',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942110 is not blocked (status code 200)
ModSecurity Rule ID
942110
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
'"`'" 

Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1ab9849cc0c82b04b0abeb261f5e55877a41c7902e23b13e22e9bdbd5446fdd675a38ed60a0c4bc177c837ca1af
Connection: keep-alive

Rule content
# Rule 942110: matches quote, backtick or semicolon characters at the very
# start of a value, or quote/backtick characters at its very end. It inspects
# only argument names, argument values and XML content - not cookies or
# headers.
# Severity is WARNING: a match adds tx.warning_anomaly_score to
# tx.sql_injection_score and tx.anomaly_score_pl2.
# NOTE(review): the recorded request is a GET with no query string and only
# the session-cookie, so none of this rule's targets carry the generated
# pattern. The 200 reflects the test request, not a gap in the rule; the
# pattern needs to be delivered as an argument to exercise it.
# NOTE(review): tagged paranoia-level/2; confirm the level under test.
SecRule ARGS_NAMES|ARGS|XML:/* "@rx (^\s*[\"'`;]+|[\"'`]+\s*$)" \
    "id:942110, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,\
    msg:'SQL Injection Attack: Common Injection Testing Detected',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'WARNING',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942120 is not blocked (status code 200)
ModSecurity Rule ID
942120
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
rlike

	



binary
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1aba5ea6e7f82b04b0abeb261f520596568821149e466cd664227817bb104404043f04a80ad5de810477de1d323
Connection: keep-alive

Rule content
# Rule 942120: matches SQL operators and keywords (in (...), regexp/rlike,
# isnull, xor, comparison and logical operators such as <>, <=>, >=, ||, !=,
# &&, "not between 0 and", "like/is null"). It inspects only argument names,
# argument values and XML content - not cookies or headers.
# A match adds tx.critical_anomaly_score to tx.sql_injection_score and
# tx.anomaly_score_pl2.
# NOTE(review): the recorded request is a GET with no query string and only
# the session-cookie, so the generated pattern never reaches a target this
# rule inspects. The 200 is a property of the test request; deliver the
# pattern as an argument to exercise the rule.
# NOTE(review): tagged paranoia-level/2; confirm the level under test.
SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\)|\b(?:r(?:egexp|like)|isnull|xor)\b|<(?:>(?:\s+binary)?|=>?|<)|r(?:egexp|like)\s+binary|not\s+between\s+0\s+and|(?:like|is)\s+null|>[=>]|\|\||!=|&&))" \
    "id:942120, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,\
    msg:'SQL Injection Attack: SQL Operator Detected',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942140 is not blocked (status code 200)
ModSecurity Rule ID
942140
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
sqlite_temp_master
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: _NAMES=sqlite_temp_master; sqlite_temp_master=test; test=sqlite_temp_master; session-cookie=155dc1ac2ab1e09682b04b0abeb261f5cd6b38e48c021b730160624cbe318ae8cc44cc7095598ffc224f3928f317b955
Connection: keep-alive

Rule content
# Rule 942140: matches well-known database, schema and system-table names
# (e.g. information_schema, pg_catalog, sqlite_master, tempdb) and calls such
# as database( / db_name( / schema(. Targets are cookie values and names
# (cookies matching /__utm/ excluded), argument names/values and XML content.
# Input is URL-decoded only. A match adds tx.critical_anomaly_score to
# tx.sql_injection_score and tx.anomaly_score_pl1.
# NOTE(review): the pattern is present in the recorded cookies and the rule
# is paranoia level 1, so a 200 here deserves follow-up. The id line carries
# "deny, nolog" ahead of "block"; confirm which disruptive action the engine
# applies and whether the engine is in blocking mode. Because of nolog there
# is no log entry to show whether the rule matched.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:\b(?:(?:m(?:s(?:ys(?:ac(?:cess(?:objects|storage|xml)|es)|(?:relationship|object|querie)s|modules2?)|db)|aster\.\.sysdatabases|ysql\.db)|pg_(?:catalog|toast)|information_schema|northwind|tempdb)\b|s(?:(?:ys(?:\.database_name|aux)|qlite(?:_temp)?_master)\b|chema(?:_name\b|\W*\())|d(?:atabas|b_nam)e\W*\())" \
    "id:942140, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'SQL Injection Attack: Common DB Names Detected',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942160 is not blocked (status code 200)
ModSecurity Rule ID
942160
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
sleep()
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: _NAMES=sleep(); sleep()=test; test=sleep(); session-cookie=155dc1ac00aa93bd82b04b0abeb261f5235e9fed404a1c9aba021de3ea192b30650de318aa5ea12ead1d369a0780e7d8
Connection: keep-alive

Rule content
# Rule 942160: matches sleep( ) with an optional numeric argument, or
# benchmark( ..., ... ), case-insensitively. Targets are cookie values and
# names (cookies matching /__utm/ excluded), argument names/values and XML
# content. Input is URL-decoded only.
# A match adds tx.critical_anomaly_score to tx.sql_injection_score and
# tx.anomaly_score_pl1.
# NOTE(review): the pattern is present in the recorded cookies and the rule
# is paranoia level 1, so a 200 here deserves follow-up. The id line carries
# "deny, nolog" ahead of "block"; confirm which disruptive action the engine
# applies and whether the engine is in blocking mode. Because of nolog there
# is no log entry to show whether the rule matched.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:sleep\(\s*?\d*?\s*?\)|benchmark\(.*?\,.*?\))" \
    "id:942160, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Detects blind sqli tests using sleep() or benchmark().',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942170 is not blocked (status code 200)
ModSecurity Rule ID
942170
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
select		 

   
   


	
 				 
  
		
 	
 
	benchmark	
	 	
 	
				
 



		 	


 
	
  
				
		
(
 
  
 
	


	 

	    
 
	





	
		
	


 	

	
	
			  
	





		
 





 	

 

zBC0aTJlgccZ2bi9rnaznYb7wZWxw55Bn2oL2d8eg1A_Nhbbs3
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1ac0f1fb3c782b04b0abeb261f546d25577a1b767ad489632d90a9a3ff33988c63857f12d80e065aea3d9a40c11
Connection: keep-alive

Rule content
# Rule 942170: matches "select" or ";" followed by whitespace, then
# benchmark, sleep or if, an opening parenthesis and a word character.
# Targets are cookie values and names (cookies matching /__utm/ excluded),
# argument names/values and XML content. Input is URL-decoded only.
# A match adds tx.critical_anomaly_score to tx.sql_injection_score and
# tx.anomaly_score_pl1.
# NOTE(review): the request recorded for this test contains only the
# session-cookie; the generated pattern (which spans many lines of
# whitespace) is not present in any header, cookie or argument. The 200
# therefore does not show that the rule was evaluated against the pattern -
# presumably the harness could not place it in a header; verify.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:select|;)\s+(?:benchmark|sleep|if)\s*?\(\s*?\(?\s*?\w+)" \
    "id:942170, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Detects SQL benchmark and sleep injection attempts including conditional queries',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942180 is not blocked (status code 200)
ModSecurity Rule ID
942180
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
admin"
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: _NAMES=admin"; admin"=test; test=admin"; session-cookie=155dc1abab3d67d382b04b0abeb261f58a7972ae5f1e9dd55b1afc161799f947de814a1045ca61f9d971dce3b56894bd
Connection: keep-alive

Rule content
# Rule 942180: matches quote-delimited fragments typical of authentication
# bypass strings (quote followed by or/and/between/like comparisons, quote
# after comment openers, "where ... =", a value starting with admin and a
# quote, " is 0"). Targets are cookie values and names (cookies matching
# /__utm/ excluded), argument names/values and XML content.
# Input is URL-decoded only. A match adds tx.critical_anomaly_score to
# tx.sql_injection_score and tx.anomaly_score_pl2.
# NOTE(review): tagged paranoia-level/2. If the WAF under test runs at
# paranoia level 1 the rule may never be evaluated, which alone would explain
# the 200; confirm tx.paranoia_level before reading this result as a bypass.
# NOTE(review): the id line carries "deny, nolog" ahead of "block"; with
# nolog a match that does not deny leaves no log entry to verify against.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\"'`](?:\s*?(?:(?:between|x?or|and|div)[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]|like(?:[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]|\W+[\w\"'`(])|[!=|](?:[\d\s!=+-]+.*?[\"'`(].*?|[\d\s!=]+.*?\d+)$|[^\w\s]?=\s*?[\"'`])|(?:\W*?[+=]+\W*?|[<>~]+)[\"'`])|(\/\*)+[\"'`]+\s?(?:\/\*|--|\{|#)?|\d[\"'`]\s+[\"'`]\s+\d|where\s[\s\w\.,-]+\s=|^admin\s*?[\"'`]|\sis\s*?0\W))" \
    "id:942180, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Detects basic SQL authentication bypass attempts 1/3',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942190 is not blocked (status code 200)
ModSecurity Rule ID
942190
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
exec		
master.
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1ac34938f9f82b04b0abeb261f56d9b4c72ff369a90624b924a78f9ca8a750c44dbeb8c1baff7d81a20f0d8b702
Connection: keep-alive

Rule content
# Rule 942190: matches fragments associated with code execution and
# information gathering through SQL (quote followed by having/select/union,
# calls such as database( / user( / schema(, "union ... select",
# "into outfile/dumpfile", exec/execute with xp_cmdshell or master.,
# "from information_schema", iif( ). Targets are cookie values and names
# (cookies matching /__utm/ excluded), argument names/values and XML content.
# Input is URL-decoded only. A match adds tx.critical_anomaly_score to
# tx.sql_injection_score and tx.anomaly_score_pl1.
# NOTE(review): the request recorded for this test contains only the
# session-cookie; the generated pattern (which contains tabs and a line
# break) is not present in any header, cookie or argument. The 200 does not
# show that the rule was evaluated against the pattern - verify how the
# harness handles patterns it cannot place in a header.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\"'`](?:;?\s*?(?:having|select|union)\b\s*?[^\s]|\s*?!\s*?[\"'`\w])|(?:c(?:onnection_id|urrent_user)|database)\s*?\([^\)]*?|u(?:nion(?:[\w(\s]*?select| select @)|ser\s*?\([^\)]*?)|s(?:chema\s*?\([^\)]*?|elect.*?\w?user\()|into[\s+]+(?:dump|out)file\s*?[\"'`]|\s*?exec(?:ute)?.*?\Wxp_cmdshell|from\W+information_schema\W|exec(?:ute)?\s+master\.|\wiif\s*?\())" \
    "id:942190, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Detects MSSQL code execution and information gathering attempts',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942200 is not blocked (status code 200)
ModSecurity Rule ID
942200
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
load(space(
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: _NAMES=load(space(; load(space(=test; test=load(space(; session-cookie=155dc1abb1385a7482b04b0abeb261f57f776d5bb54684d3fc5eae89e6e6d9aced54ffa7d3c5d2dd578a49e11322e390
Connection: keep-alive

Rule content
# Rule 942200: matches a SQL verb (create, update, truncate, rename, insert,
# select, delete, desc, alter, load) followed by "( space (", a comma
# followed by quote-terminated data, or "select ... from" preceded by a
# non-word character. Targets are cookie values and names (cookies matching
# /__utm/ excluded), argument names/values and XML content.
# Input is URL-decoded only. A match adds tx.critical_anomaly_score to
# tx.sql_injection_score and tx.anomaly_score_pl2.
# NOTE(review): tagged paranoia-level/2. If the WAF under test runs at
# paranoia level 1 the rule may never be evaluated, which alone would explain
# the 200; confirm tx.paranoia_level before reading this result as a bypass.
# NOTE(review): the id line carries "deny, nolog" ahead of "block"; with
# nolog a match that does not deny leaves no log entry to verify against.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\s*?\(\s*?space\s*?\(|,.*?[)\da-f\"'`][\"'`](?:[\"'`].*?[\"'`]|[^\"'`]+|\Z)|\Wselect.+\W*?from))" \
    "id:942200, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942210 is not blocked (status code 200)
ModSecurity Rule ID
942210
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
@^hhz2efP=(select
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: @^hhz2efP=(select=test; [email protected]^hhz2efP=(select; [email protected]^hhz2efP=(select; session-cookie=155dc1abbab0963b82b04b0abeb261f556556e1c6aef399c0514ed02d1d5cf6babd087539fd8a02a2d5d9cc3d6a52da7
Connection: keep-alive

Rule content
# Rule 942210: matches chained-statement fragments: logical operators
# followed by a comparison, keywords after "/word", numeric comparisons,
# insert/update/alter/drop after a comment marker or ";", "@... = ( select",
# "group by ... (" and "SET @var". Targets are cookie values and names
# (cookies matching /__utm/ excluded), argument names/values and XML content.
# Input is URL-decoded only. A match adds tx.critical_anomaly_score to
# tx.sql_injection_score and tx.anomaly_score_pl2.
# NOTE(review): tagged paranoia-level/2. If the WAF under test runs at
# paranoia level 1 the rule may never be evaluated, which alone would explain
# the 200; confirm tx.paranoia_level before reading this result as a bypass.
# NOTE(review): the Cookie line recorded for this test contains
# "[email protected]" twice, which looks like e-mail-obfuscation residue
# replacing part of the cookie names; the request as printed is not what was
# sent.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:n(?:and|ot)|(?:x?x)?or|between|\|\||like|and|div|&&)[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]|\/\w+;?\s+(?:between|having|select|like|x?or|and|div)\W|\d+\s*?(?:between|like|x?or|and|div)\s*?\d+\s*?[\-+]|--\s*?(?:(?:insert|update)\s*?\w{2,}|alter|drop)|#\s*?(?:(?:insert|update)\s*?\w{2,}|alter|drop)|;\s*?(?:(?:insert|update)\s*?\w{2,}|alter|drop)|\@.+=\s*?\(\s*?select|\d\s+group\s+by.+\(|[^\w]SET\s*?\@\w+))" \
    "id:942210, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Detects chained SQL injection attempts 1/2',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942220 is not blocked (status code 200)
ModSecurity Rule ID
942220
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
4294967296
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: 4294967296=test; _NAMES=4294967296; test=4294967296; session-cookie=155dc1abc26f9ed782b04b0abeb261f52d99b00e69e1fff913b4fe118793e5cef37757f1d7fd775ad1003fe64b9553d6
Connection: keep-alive

Rule content
# Rule 942220: matches a value that is, in its entirety (^...$), one of a
# fixed list of boundary numbers such as 2147483647, 2147483648, 4294967295,
# 4294967296, their negatives, 1e309 and the 3.0.00738585072007e-308 value
# named in the rule message. Targets are cookie values and names (cookies
# matching /__utm/ excluded), argument names/values and XML content.
# Input is URL-decoded only. A match adds tx.critical_anomaly_score to
# tx.sql_injection_score and tx.anomaly_score_pl1.
# NOTE(review): the dots in 3.0.00738585072007e-308 are not escaped, so they
# match any character; this only widens that one alternative slightly.
# NOTE(review): the pattern is present in the recorded cookies and the rule
# is paranoia level 1, so a 200 here deserves follow-up. The id line carries
# "deny, nolog" ahead of "block"; confirm which disruptive action the engine
# applies. Because of nolog there is no log entry showing whether it matched.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|3.0.00738585072007e-308|1e309)$" \
    "id:942220, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Looking for integer overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the \"magic number\" crash',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942230 is not blocked (status code 200)
ModSecurity Rule ID
942230
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
case(
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: case(=test; _NAMES=case(; test=case(; session-cookie=155dc1abc89f67c882b04b0abeb261f51765bfff7f97f4136461b13533876ea758cf52fb2f812a0109c5b770373ea629
Connection: keep-alive

Rule content
# Rule 942230: matches conditional SQL constructs: "case (" preceded by
# whitespace or a parenthesis, ") like (", "having <token> <symbol>" and
# "if(<char> <comparison>". Targets are cookie values and names (cookies
# matching /__utm/ excluded), argument names/values and XML content.
# Input is URL-decoded only. A match adds tx.critical_anomaly_score to
# tx.sql_injection_score and tx.anomaly_score_pl1.
# NOTE(review): the "case" alternative requires a whitespace character or a
# parenthesis immediately before "case". The cookie names and values recorded
# for this test begin directly with "case(", so as printed they would not
# match and a 200 is the expected outcome. Presumably the generator emitted a
# leading whitespace character that was lost when the value was placed in the
# Cookie header - verify in the harness.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\s()]case\s*?\()|(?:\)\s*?like\s*?\()|(?:having\s*?[^\s]+\s*?[^\w\s])|(?:if\s?\([\d\w]\s*?[=<>~]))" \
    "id:942230, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Detects conditional SQL injection attempts',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942240 is not blocked (status code 200)
ModSecurity Rule ID
942240
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
"waitfordelay

 
'
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1abd65c44c982b04b0abeb261f55075e565d3abbe76cd8ec6263db971d641e3c2ecb69974ce5e5e452384119f45
Connection: keep-alive

Rule content
# Rule 942240: matches a quote followed by "waitfor delay/time" and another
# quote, a quote followed by "; ... : goto", or "alter <word> ... char /
# character set <word>". Targets are cookie values and names (cookies
# matching /__utm/ excluded), argument names/values and XML content.
# Input is URL-decoded only. A match adds tx.critical_anomaly_score to
# tx.sql_injection_score and tx.anomaly_score_pl1.
# NOTE(review): the request recorded for this test contains only the
# session-cookie; the generated pattern (which contains line breaks) is not
# present in any header, cookie or argument. The 200 does not show that the
# rule was evaluated against the pattern - verify how the harness handles
# patterns it cannot place in a header.
# NOTE(review): the waitfor alternative requires whitespace (\s+) between
# "waitfor" and "delay"; the pattern is printed as "waitfordelay", so
# whitespace may have been lost in the report rendering - confirm.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\"'`](?:;*?\s*?waitfor\s+(?:delay|time)\s+[\"'`]|;.*?:\s*?goto)|alter\s*?\w+.*?cha(?:racte)?r\s+set\s+\w+))" \
    "id:942240, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Detects MySQL charset switch and MSSQL DoS attempts',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942250 is not blocked (status code 200)
ModSecurity Rule ID
942250
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
executeimmediate"
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: _NAMES=executeimmediate"; executeimmediate"=test; test=executeimmediate"; session-cookie=155dc1abe73bf75382b04b0abeb261f5e8a0bf4a5917116fcb2fd81212b824e4c6072aded197944c5d65e3017faba206
Connection: keep-alive

Rule content
# Rule 942250: matches "merge ... using (", "execute immediate" followed by a
# quote, or "match <columns> against (", case-insensitively. Targets are
# cookie values and names (cookies matching /__utm/ excluded), argument
# names/values and XML content. Input is URL-decoded only.
# A match adds tx.critical_anomaly_score to tx.sql_injection_score and
# tx.anomaly_score_pl1.
# NOTE(review): the pattern is present in the recorded cookies and the rule
# is paranoia level 1, so a 200 here deserves follow-up. The id line carries
# "deny, nolog" ahead of "block"; confirm which disruptive action the engine
# applies and whether the engine is in blocking mode. Because of nolog there
# is no log entry to show whether the rule matched.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:merge.*?using\s*?\()|(execute\s*?immediate\s*?[\"'`])|(?:match\s*?[\w(),+-]+\s*?against\s*?\())" \
    "id:942250, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942251 is not blocked (status code 200)
ModSecurity Rule ID
942251
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
""' |<[ ~:"'`]"/@]|{?"^'~"$[+=+%{@>,*=&\,'[<^^'	>|/[email protected]"?+ =%	[)^)
|

)$`~~	&<;|
-))@#

".,\^^(	045330982371055556158805662306355820700428762510610614414522989522717428825602688 		having



 	
 	

  	X
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1aba085d0f082b04b0abeb261f58de3293fe2af4775745296f66c9e239ccca7fac56e5ff2d69f9d0db52225e044
Connection: keep-alive

Rule content
# Rule 942251: matches one or more non-word characters, optional digits and
# whitespace, the keyword "having", then a character that is neither
# whitespace nor "-". Targets are cookie values and names (cookies matching
# /__utm/ excluded), argument names/values and XML content.
# Input is URL-decoded only. A match adds tx.critical_anomaly_score to
# tx.sql_injection_score and tx.anomaly_score_pl3.
# NOTE(review): the request recorded for this test contains only the
# session-cookie; the generated pattern (many lines of symbols and
# whitespace) is not present in any header, cookie or argument, so the 200
# says nothing about this rule.
# NOTE(review): tagged paranoia-level/3 - even with the pattern delivered,
# the rule would only be evaluated if the WAF runs at level 3 or higher;
# confirm tx.paranoia_level.
# NOTE(review): the generated pattern printed in the report contains
# "[email protected]", which looks like e-mail-obfuscation residue.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\W+\d*?\s*?having\s*?[^\s\-]" \
    "id:942251, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Detects HAVING injections',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/3',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942260 is not blocked (status code 200)
ModSecurity Rule ID
942260
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
" 

	   	
 	


	



	 		  %]\#&+{/^{&{[/+|~`}>`+&'#~:[%":!\{"|{!^/-|:@$:\}#$/!'`{:+$'[> 
  
	



	
	
  	



		 

	
 
	


 
	 


	
 	" 	

	


		

ue6juelkHrgH7myoJk3hDQk3oBRVgSrk7qWtOpW45fUsHOVG1bxlM0KVCTv
?+)'`((. ?	~})# +}[%-*
%*[=	%[")
$!/}$+~{}}$;}|~+"-$,,$""]
,)& `\;%]"&	}
[=<(/\{

)`N
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1abc01b498882b04b0abeb261f5f62acab275bda295cc11445cc3a35ae43f6c4ce102ebec76414fffc6722c717e
Connection: keep-alive

Rule content
# Rule 942260: matches quote-led authentication-bypass fragments (quote
# followed by a logical operator and "... = ... having", "like" forms,
# symbol runs before a word), "union ... select", "select ... from",
# "<word> like <quote>", "find_in_set(" and "like <quote>%". Targets are
# cookie values and names (cookies matching /__utm/ excluded), argument
# names/values and XML content.
# Input is URL-decoded only. A match adds tx.critical_anomaly_score to
# tx.sql_injection_score and tx.anomaly_score_pl2.
# NOTE(review): the regex as printed contains "[([email protected]]", which
# looks like e-mail-obfuscation residue inside a character class. Do not
# copy this listing into a configuration; take the expression from the rule
# file named in the report instead.
# NOTE(review): the request recorded for this test contains only the
# session-cookie; the generated pattern is not present in any header, cookie
# or argument, so the 200 says nothing about this rule.
# NOTE(review): tagged paranoia-level/2; confirm the level under test.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\"'`]\s*?(?:(?:n(?:and|ot)|(?:x?x)?or|between|\|\||and|div|&&)\s+[\s\w]+=\s*?\w+\s*?having\s+|like(?:\s+[\s\w]+=\s*?\w+\s*?having\s+|\W*?[\"'`\d])|[^?\w\s=.,;)(]+\s*?[(@\"'`]*?\s*?\w+\W+\w|\*\s*?\w+\W+[\"'`])|(?:union\s*?(?:distinct|[([email protected]]*?|all)?\s*?[([]*?\s*?select|select\s+?[\[\]()\s\w\.,\"'`-]+from)\s+|\w+\s+like\s+[\"'`]|find_in_set\s*?\(|like\s*?[\"'`]%))" \
    "id:942260, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Detects basic SQL authentication bypass attempts 2/3',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942270 is not blocked (status code 200)
ModSecurity Rule ID
942270
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
unionselectfrom
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: _NAMES=unionselectfrom; test=unionselectfrom; unionselectfrom=test; session-cookie=155dc1ac134de04a82b04b0abeb261f5d28b7ad18b4d9fba20d25ad5f2ad45e11508ad02b22c0575fe3715bb543fa6c1
Connection: keep-alive

Rule content
# Rule 942270: matches the keywords union, select and from appearing in that
# order with any (or no) characters between them, case-insensitively.
# Targets are cookie values and names (cookies matching /__utm/ excluded),
# argument names/values and XML content. Input is URL-decoded only.
# A match adds tx.critical_anomaly_score to tx.sql_injection_score and
# tx.anomaly_score_pl1.
# NOTE(review): the pattern is present in the recorded cookies and the rule
# is paranoia level 1, so a 200 here deserves follow-up. The id line carries
# "deny, nolog" ahead of "block"; confirm which disruptive action the engine
# applies and whether the engine is in blocking mode. Because of nolog there
# is no log entry to show whether the rule matched.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(union(.*?)select(.*?)from)))" \
    "id:942270, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Looking for basic sql injection. Common attack string for mysql, oracle and others.',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942280 is not blocked (status code 200)
ModSecurity Rule ID
942280
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
selectpg_sleep
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: _NAMES=selectpg_sleep; selectpg_sleep=test; test=selectpg_sleep; session-cookie=155dc1abadbcec5382b04b0abeb261f52abce8c6968ef8db12778c746e933fef7ce7950aaa3b22e1350eef1b70a3df03
Connection: keep-alive

Rule content
# Rule 942280 (SQL injection): time-delay and shutdown statements.
# Targets: cookie values (names matching /__utm/ excluded), cookie names, argument
# names and values, XML content; input is URL-decoded only (t:none,t:urlDecodeUni).
# Pattern (case-insensitive), any one of:
#   - ";" then "shutdown" followed by "#", ";", "/*", "--" or "{"
#   - "waitfor delay" followed by one or more quote characters and a digit
#   - "select" directly or after whitespace followed by "pg_sleep"
# On match: TX.0 holds the matched text; the critical anomaly score is added to
# tx.sql_injection_score and tx.anomaly_score_pl1.
# NOTE(review): `deny, nolog` at the head of the action list sits next to a later
# `block`; confirm which disruptive action is effective. With `nolog` a match
# leaves no log entry, so the report's 200 cannot be cross-checked against logs.
# NOTE(review): no paranoia-level tag and the printed request does contain
# "selectpg_sleep" in cookie names and values; a 200 here suggests the WAF was not
# enforcing this rule as configured. Confirm engine mode and rule loading.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:;\s*?shutdown\s*?(?:[#;]|\/\*|--|\{)|waitfor\s*?delay\s?[\"'`]+\s?\d|select\s*?pg_sleep))" \
    "id:942280, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942300 is not blocked (status code 200)
ModSecurity Rule ID
942300
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
)when5491640192317481658then
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: )when5491640192317481658then=test; _NAMES=)when5491640192317481658then; test=)when5491640192317481658then; session-cookie=155dc1abcb054b9c82b04b0abeb261f5cac343a6261c9a49106b3d77bd51fceabe61d37edbb2543715bf809f29d7feb1
Connection: keep-alive

Rule content
# Rule 942300 (SQL injection): MySQL comments, conditions and ch(a)r() calls.
# Targets: cookie values (names matching /__utm/ excluded), cookie names, argument
# names and values, XML content; input is URL-decoded only (t:none,t:urlDecodeUni).
# Pattern (case-insensitive), any one of:
#   - a logical operator (nand, not, or/xor/xxor, between, ||, like, and, div, &&),
#     whitespace, then a word followed by "("
#   - ")" then "when", digits, "then"
#   - a quote character followed by "--", "{" or "#"
#   - "char(" or "chr(" followed by a digit
#   - "/*!" followed by digits
# On match: TX.0 holds the matched text; the critical anomaly score is added to
# tx.sql_injection_score and tx.anomaly_score_pl2.
# NOTE(review): tagged paranoia-level/2. The report does not show which paranoia
# level the WAF ran at, so a 200 may only mean the rule was inactive; confirm.
# NOTE(review): `deny, nolog` precedes a later `block` in the same action list;
# confirm which disruptive action wins. `nolog` hides matches from the logs.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:n(?:and|ot)|(?:x?x)?or|between|\|\||like|and|div|&&)\s+\s*?\w+\(|\)\s*?when\s*?\d+\s*?then|[\"'`]\s*?(?:--|\{|#)|cha?r\s*?\(\s*?\d|\/\*!\s?\d+))" \
    "id:942300, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Detects MySQL comments, conditions and ch(a)r injections',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942310 is not blocked (status code 200)
ModSecurity Rule ID
942310
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
'63
384=2
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1abd2d1ce1582b04b0abeb261f5808c0694f734953eccffeea471c660f8361db6c2421d6eb6882f8a942513311b
Connection: keep-alive

Rule content
# Rule 942310 (SQL injection): "chained SQL injection attempts 2/2".
# Targets: cookie values (names matching /__utm/ excluded), cookie names, argument
# names and values, XML content; input is URL-decoded only (t:none,t:urlDecodeUni).
# Pattern (case-insensitive) is a set of alternatives, among them: a quote followed
# by ";" and begin/while/if, or by digits/whitespace, "=" and a digit; "(select",
# "order by if" or "coalesce" followed by "("; "case ... when/then"; "@@" variable
# references; and "*/from".
# On match: TX.0 holds the matched text; the critical anomaly score is added to
# tx.sql_injection_score and tx.anomaly_score_pl2.
# NOTE(review): the request printed for this entry carries only session-cookie;
# the generated pattern (which contains a line break) appears in none of the
# rule's targets. As printed, the 200 says nothing about the regex. Check how the
# harness places patterns that contain whitespace.
# NOTE(review): tagged paranoia-level/2; the paranoia level in effect is not shown.
# NOTE(review): `deny, nolog` and a later `block` share one action list; confirm
# which disruptive action applies. `nolog` suppresses log entries for matches.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\"'`](?:;\s*?(?:begin|while|if)|[\s\d]+=\s*?\d|\s+and\s*?=\W)|(?:\(\s*?select\s*?\w+|order\s+by\s+if\w*?|coalesce)\s*?\(|\w[\"'`]\s*?(?:(?:[-+=|@]+\s+?)+|[-+=|@]+)[\d(]|[\s(]+case\d*?\W.+[tw]hen[\s(]|\+\s*?\d+\s*?\+\s*?\@|\@\@\w+\s*?[^\w\s]|\W!+[\"'`]\w|\*\/from))" \
    "id:942310, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Detects chained SQL injection attempts 2/2',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942320 is not blocked (status code 200)
ModSecurity Rule ID
942320
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
exec(@
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: _NAMES=exec(@; exec(@=test; test=exec(@; session-cookie=155dc1abfbca368182b04b0abeb261f52b44e402c6d74372b63c9216b03ed3a9f6083ddc959ce3c667df612cf7fa6c7a
Connection: keep-alive

Rule content
# Rule 942320 (SQL injection): stored procedure / function statements.
# Targets: cookie values (names matching /__utm/ excluded), cookie names, argument
# names and values, XML content; input is URL-decoded only (t:none,t:urlDecodeUni).
# Pattern (case-insensitive), any one of:
#   - "create procedure|function <name>()" followed by "-"
#   - ";" then "declare" or "open" and an identifier
#   - "procedure analyse("
#   - "declare", non-word characters, "@" or "#", then an identifier
#   - "exec(" followed by "@"
# On match: TX.0 holds the matched text; the critical anomaly score is added to
# tx.sql_injection_score and tx.anomaly_score_pl1.
# NOTE(review): no paranoia-level tag, and the printed request carries "exec(@" in
# cookie names and values; a 200 here is more likely a WAF configuration effect
# than a regex miss. Confirm engine mode and rule loading.
# NOTE(review): `deny, nolog` is followed later by `block`; confirm which
# disruptive action is effective. `nolog` keeps matches out of the logs.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:create\s+(?:procedure|function)\s*?\w+\s*?\(\s*?\)\s*?-|;\s*?(?:declare|open)\s+[\w-]+|procedure\s+analyse\s*?\(|declare[^\w]+[@#]\s*?\w+|exec\s*?\(\s*?\@))" \
    "id:942320, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Detects MySQL and PostgreSQL stored procedure/function injections',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942330 is not blocked (status code 200)
ModSecurity Rule ID
942330
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
|

 
 


			
	
7/\&<<$+]{%'] >`':/=	.+[(.+%+# ,:'%);^):{
] $/~
/.{`$
..:
!&
\)~
!"@
	
	
	

 	
	

   
	
	
	

 
 
`,
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1abd9c0ee3582b04b0abeb261f5b5b280e480c75685876c18aaa62329a37ace4ba6d32c728d313affd9736a73cf
Connection: keep-alive

Rule content
# Rule 942330 (SQL injection): "classic SQL injection probings 1/3".
# Targets: cookie values (names matching /__utm/ excluded), cookie names, argument
# names and values, XML content; input is URL-decoded only (t:none,t:urlDecodeUni).
# Pattern (case-insensitive) is a set of alternatives, among them: quoted or
# numeric prefixes followed by a logical operator (nand, not, or, between, ||,
# like, and, div, &&); "@name <operator> ..." forms; a quote followed by an
# operator and a digit; "information_schema"; "table_name"; the escapes
# \\x23, \\x27, \\x3d; and a value that is just an optional character plus a quote.
# On match: TX.0 holds the matched text; the critical anomaly score is added to
# tx.sql_injection_score and tx.anomaly_score_pl2.
# NOTE(review): the text `[email protected]` inside the character class that follows
# `[\w\"'`]` is not regex content. It looks like the placeholder that web e-mail
# obfuscation leaves when it rewrites characters around an "@". Take the pattern
# from the rule file named under "From file" before reusing this listing.
# NOTE(review): the request printed for this entry carries only session-cookie;
# the generated pattern (multi-line, mostly whitespace and punctuation) is not
# present in any target, so the 200 does not test the regex. Check the harness.
# NOTE(review): tagged paranoia-level/2; the paranoia level in effect is not shown.
# NOTE(review): `deny, nolog` plus a later `block`; confirm which disruptive
# action applies. `nolog` suppresses log entries for matches.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+|(?:^[\"'`\\\\]*?[\d\"'`]+)+)\s*?(?:n(?:and|ot)|(?:x?x)?or|between|\|\||like|and|div|&&)\s*?[\w\"'`][+&[email protected](),.-]|\@(?:[\w-]+\s(?:between|like|x?or|and|div)\s*?[^\w\s]|\w+\s+(?:between|like|x?or|and|div)\s*?[\"'`\d]+)|[\"'`]\s*?(?:between|like|x?or|and|div)\s*?[\"'`]?\d|[^\w\s:]\s*?\d\W+[^\w\s]\s*?[\"'`].|[^\w\s]\w+\s*?[|-]\s*?[\"'`]\s*?\w|\Winformation_schema|\\\\x(?:23|27|3d)|table_name\W|^.?[\"'`]$))" \
    "id:942330, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Detects classic SQL injection probings 1/3',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942340 is not blocked (status code 200)
ModSecurity Rule ID
942340
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
between



 	
	  +	 	2=4x
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1abdd51f1bd82b04b0abeb261f5bfe9907331c658272d21b8efc898fd226554377c8d6c079d1d1bd7e2c702453d
Connection: keep-alive

Rule content
# Rule 942340 (SQL injection): "basic SQL authentication bypass attempts 3/3".
# Targets: cookie values (names matching /__utm/ excluded), cookie names, argument
# names and values, XML content; input is URL-decoded only (t:none,t:urlDecodeUni).
# Pattern (case-insensitive) is a set of alternatives, among them: a quote followed
# by "is <number>" forms or by a digit and a comment marker ("--", "#");
# "name = digit" forms ending in a quote; comparison characters, a digit and a
# logical operator; a logical operator followed by "sounds like", "regexp(" or a
# "=<digits>x" tail; and "in (select".
# On match: TX.0 holds the matched text; the critical anomaly score is added to
# tx.sql_injection_score and tx.anomaly_score_pl2.
# NOTE(review): the request printed for this entry carries only session-cookie;
# the generated pattern (which spans several whitespace-only lines) is not present
# in any target, so the 200 does not exercise the regex. Check the harness.
# NOTE(review): tagged paranoia-level/2; the paranoia level in effect is not shown.
# NOTE(review): `deny, nolog` plus a later `block`; confirm which disruptive
# action applies. `nolog` suppresses log entries for matches.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\"'`](?:\s*?(?:is\s*?(?:[\d.]+\s*?\W.*?[\"'`]|\d.+[\"'`]?\w)|\d\s*?(?:--|#))|(?:\W+[\w+-]+\s*?=\s*?\d\W+|\|?[\w-]{3,}[^\w\s.,]+)[\"'`]|[\%&<>^=]+\d\s*?(?:between|like|x?or|and|div|=))|(?i:n?and|x?x?or|div|like|between|not|\|\||\&\&)\s+[\s\w+]+(?:sounds\s+like\s*?[\"'`]|regexp\s*?\(|[=\d]+x)|in\s*?\(+\s*?select))" \
    "id:942340, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Detects basic SQL authentication bypass attempts 3/3',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942350 is not blocked (status code 200)
ModSecurity Rule ID
942350
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
create
	

function 3"z6m"Llk7

 
	
 
 returns
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1ac2e64986682b04b0abeb261f55cb54dc11637ab89c1539ce2253f4f5e4e1dd74e0e24efff79d227d8ef701103
Connection: keep-alive

Rule content
# Rule 942350 (SQL injection): MySQL UDF creation and stacked data/structure
# statements.
# Targets: cookie values (names matching /__utm/ excluded), cookie names, argument
# names and values, XML content; input is URL-decoded only (t:none,t:urlDecodeUni).
# Pattern (case-insensitive), either:
#   - ";" followed by truncate/create/update/rename/insert/select/delete/desc/
#     alter/load and, after an optional "[" or "(", at least two word characters
#   - "create function <anything> returns"
# On match: TX.0 holds the matched text; the critical anomaly score is added to
# tx.sql_injection_score and tx.anomaly_score_pl1.
# NOTE(review): the request printed for this entry carries only session-cookie;
# the multi-line generated pattern is not present in any target, so the 200 does
# not exercise the regex. Check how the harness sends patterns with line breaks.
# NOTE(review): `deny, nolog` plus a later `block`; confirm which disruptive
# action applies. `nolog` suppresses log entries for matches.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:;\s*?(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\s*?[\[(]?\w{2,}|create\s+function\s+.+\s+returns))" \
    "id:942350, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Detects MySQL UDF injection and other data/structure manipulation attempts',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942360 is not blocked (status code 200)
ModSecurity Rule ID
942360
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
insert
	 	
 load_file
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1ac1ce6470582b04b0abeb261f56eb59f6cf63e2c0a47f56726703111b44eae183e70977b0c9da115478b098cfc
Connection: keep-alive

Rule content
# Rule 942360 (SQL injection): concatenated basic SQL statements and file-read
# functions ("SQLLFI" in the rule message).
# Targets: cookie values (names matching /__utm/ excluded), cookie names, argument
# names and values, XML content; input is URL-decoded only (t:none,t:urlDecodeUni).
# Pattern (case-insensitive), any one of:
#   - value starting with non-word characters or digits, then a statement keyword:
#     "alter <object type>" (long list of object types), "union distinct|select|
#     all", update, truncate, create, rename, insert, select, delete, desc, load
#   - a statement keyword followed by group_concat, load_file or char
#   - "<digit or non-word> as <name> from"
#   - whitespace or "(" then "load_file("
#   - a quote, whitespace, "regexp"
#   - "end" followed by ");"
# On match: TX.0 holds the matched text; the critical anomaly score is added to
# tx.sql_injection_score and tx.anomaly_score_pl1.
# NOTE(review): the request printed for this entry carries only session-cookie;
# the multi-line generated pattern is not present in any target, so the 200 does
# not exercise the regex. Check how the harness sends patterns with line breaks.
# NOTE(review): `deny, nolog` plus a later `block`; confirm which disruptive
# action applies. `nolog` suppresses log entries for matches.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:^[\W\d]+\s*?(?:alter\s*(?:a(?:(?:pplication\s*rol|ggregat)e|s(?:ymmetric\s*ke|sembl)y|u(?:thorization|dit)|vailability\s*group)|c(?:r(?:yptographic\s*provider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)|curity|quence|ssion|arch)|y(?:mmetric\s*key|nonym)|togroup|chema)|m(?:a(?:s(?:ter\s*key|k)|terialized)|e(?:ssage\s*type|thod)|odule)|l(?:o(?:g(?:file\s*group|in)|ckdown)|a(?:ngua|r)ge|ibrary)|t(?:(?:abl(?:espac)?|yp)e|r(?:igger|usted)|hreshold|ext)|p(?:a(?:rtition|ckage)|ro(?:cedur|fil)e|ermission)|d(?:i(?:mension|skgroup)|atabase|efault|omain)|r(?:o(?:l(?:lback|e)|ute)|e(?:sourc|mot)e)|f(?:u(?:lltext|nction)|lashback|oreign)|e(?:xte(?:nsion|rnal)|(?:ndpoi|ve)nt)|in(?:dex(?:type)?|memory|stance)|b(?:roker\s*priority|ufferpool)|x(?:ml\s*schema|srobject)|w(?:ork(?:load)?|rapper)|hi(?:erarchy|stogram)|o(?:perator|utline)|(?:nicknam|queu)e|us(?:age|er)|group|java|view)|u(?:nion\s*(?:(?:distin|sele)ct|all)|pdate)|(?:(?:trunc|cre)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|load)\b|(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\s+(?:group_concat|load_file|char)\s?\(?|[\d\W]\s+as\s*?[\"'`\w]+\s*?from|[\s(]load_file\s*?\(|[\"'`]\s+regexp\W|end\s*?\);))" \
    "id:942360, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Detects concatenated basic SQL injection and SQLLFI attempts',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942361 is not blocked (status code 200)
ModSecurity Rule ID
942361
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
9601427098162321union
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: 9601427098162321union=test; _NAMES=9601427098162321union; test=9601427098162321union; session-cookie=155dc1abdfc8775882b04b0abeb261f51712b2b0b2926ca18d82506db9f89d585419af82961e09f0dccf865c936a051f
Connection: keep-alive

Rule content
# Rule 942361 (SQL injection): values that begin with non-word characters or
# digits and then the keyword "alter" or "union".
# Targets: cookie values (names matching /__utm/ excluded), cookie names, argument
# names and values, XML content; input is URL-decoded only (t:none,t:urlDecodeUni).
# Pattern: anchored at the start of the value (^), case-insensitive; one or more
# non-word or digit characters, optional whitespace, then "alter" or "union" ending
# at a word boundary.
# On match: TX.0 holds the matched text; the critical anomaly score is added to
# tx.sql_injection_score and tx.anomaly_score_pl2.
# NOTE(review): tagged paranoia-level/2. The report does not show which paranoia
# level the WAF ran at, so a 200 may only mean the rule was inactive; confirm.
# NOTE(review): `deny, nolog` plus a later `block`; confirm which disruptive
# action applies. `nolog` suppresses log entries for matches.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:^[\W\d]+\s*?(?:alter|union)\b)" \
    "id:942361, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Detects basic SQL injection based on keyword alter or union',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942370 is not blocked (status code 200)
ModSecurity Rule ID
942370
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
^'
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: ^'=test; _NAMES=^'; test=^'; session-cookie=155dc1abe4c13ff982b04b0abeb261f5f69da6a8d71534a7a49d752800febf28b0379d6dfec4b846d2cacb82308dc641
Connection: keep-alive

Rule content
# Rule 942370 (SQL injection): "classic SQL injection probings 2/3".
# Targets: cookie values (names matching /__utm/ excluded), cookie names, argument
# names and values, XML content; input is URL-decoded only (t:none,t:urlDecodeUni).
# Pattern (case-insensitive) is a set of alternatives, among them: a quote followed
# by operator/number combinations or by punctuation and a comment marker
# ("--", "#"); punctuation, a word, punctuation and a quote; and "^" directly
# followed by a quote character (the alternative the generated pattern targets).
# On match: TX.0 holds the matched text; the critical anomaly score is added to
# tx.sql_injection_score and tx.anomaly_score_pl2.
# NOTE(review): the alternative starting `^[\w\s\"'`-]+` chains several
# lookbehinds at one position ((?<=and\s), (?<=xor\s), (?<=nand\s), (?<=not\s),
# (?<=\|\|), (?<=\&\&)). The preceding text cannot end in all of them at once, so
# this branch appears unable to match. Worth confirming against upstream.
# NOTE(review): tagged paranoia-level/2; the paranoia level in effect is not shown.
# NOTE(review): `deny, nolog` plus a later `block`; confirm which disruptive
# action applies. `nolog` suppresses log entries for matches.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\"'`](?:\s*?(?:(?:\*.+(?:(?:an|i)d|between|like|x?or|div)\W*?[\"'`]|(?:between|like|x?or|and|div)\s[^\d]+[\w-]+.*?)\d|[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`]|[^\w\s]+\s*?[\W\d].*?(?:--|#))|.*?\*\s*?\d)|^[\w\s\"'`-]+(?<=and\s)(?:(?<=between)|(?<=and\s)|(?<=like)|(?<=div)|(?<=xor)|(?<=or))(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\(|[()\*<>%+-][\w-]+[^\w\s]+[\"'`][^,]|\^[\"'`]))" \
    "id:942370, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Detects classic SQL injection probings 2/3',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942380 is not blocked (status code 200)
ModSecurity Rule ID
942380
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
execute	
$
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1abeac8625582b04b0abeb261f5812e7c2152db18697302e038d2e413c7bbfb05bd0886913608045d00bc58e741
Connection: keep-alive

Rule content
# Rule 942380 (SQL injection): generic SQL constructs (having, exists, execute,
# create table, like char, select ... case, from ... limit, order by).
# Targets: cookie values (names matching /__utm/ or /_pk_ref/ excluded), cookie
# names, argument names and values, XML content; input is URL-decoded only.
# On match: TX.0 holds the matched text; ctl:auditLogParts=+E adds part E to the
# audit log parts for the transaction; the critical anomaly score is added to
# tx.sql_injection_score and tx.anomaly_score_pl2.
# NOTE(review): only some alternatives are wrapped in (?i: ...). The leading
# "having\b ?..." branch and the "exists\s..." branch sit outside it and are
# case-sensitive as written.
# NOTE(review): in `[\'\"][^=]{1,10}[\'\" ?[=<>]+` the second class has no closing
# bracket after the quote characters, so quotes, space, "?", "[", "=", "<" and ">"
# form one class. That looks unintended; compare with upstream.
# NOTE(review): the request printed for this entry carries only session-cookie;
# the generated pattern (it contains a tab and a line break) is not present in
# any target, so the 200 does not exercise the regex. Check the harness.
# NOTE(review): tagged paranoia-level/2; the paranoia level in effect is not shown.
# NOTE(review): `deny, nolog` plus a later `block`; confirm which disruptive
# action applies. `nolog` suppresses log entries for matches.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\b(?:having\b ?(?:[\'\"][^=]{1,10}[\'\" ?[=<>]+|\d{1,10} ?[=<>]+)|(?i:having)\b\s+(?:'[^=]{1,10}'|\d{1,10})\s*?[=<>])|exists\s(?:s(?:elect\S(?:if(?:null)?\s\(|concat|top)|ystem\s\()|\b(?i:having)\b\s+\d{1,10}|'[^=]{1,10}'|\sselect)|(?i:\bexecute\s{1,5}[\w\.$]{1,5}\s{0,3})|(?i:\bcreate\s+?table.{0,20}?\()|(?i:\blike\W*?char\W*?\()|(?i:select.*?case)|(?i:from.*?limit)|(?i:\bexecute\()|(?i:order\sby))" \
    "id:942380, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'SQL Injection Attack',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942400 is not blocked (status code 200)
ModSecurity Rule ID
942400
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
and

  	

516414238<
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1abf24ae04982b04b0abeb261f53275805388e944b1398d4a561087eb2ccb171ecede304973c130f79b29e4533d
Connection: keep-alive

Rule content
# Rule 942400 (SQL injection): the keyword "and" followed by a short quoted string
# or a number, optionally with a comparison operator.
# Targets: cookie values (names matching /__utm/ or /_pk_ref/ excluded), cookie
# names, argument names and values, XML content; input is URL-decoded only.
# Pattern (case-insensitive): "and" as a whole word, then either whitespace and a
# single-quoted string of 1-10 non-"=" characters or 1-10 digits (comparison
# operator optional), or an optional space, a quoted string or digits, and one or
# more of "=", "<", ">".
# On match: TX.0 holds the matched text; ctl:auditLogParts=+E adds part E to the
# audit log parts; the critical anomaly score is added to tx.sql_injection_score
# and tx.anomaly_score_pl2.
# NOTE(review): the request printed for this entry carries only session-cookie;
# the multi-line generated pattern is not present in any target, so the 200 does
# not exercise the regex. Check how the harness sends patterns with line breaks.
# NOTE(review): tagged paranoia-level/2; the paranoia level in effect is not shown.
# NOTE(review): `deny, nolog` plus a later `block`; confirm which disruptive
# action applies. `nolog` suppresses log entries for matches.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:\band\b(?:\s+(?:'[^=]{1,10}'(?:\s*?[=<>])?|\d{1,10}(?:\s*?[=<>])?)| ?(?:[\'\"][^=]{1,10}[\'\"]|\d{1,10}) ?[=<>]+))" \
    "id:942400, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    msg:'SQL Injection Attack',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942410 is not blocked (status code 200)
ModSecurity Rule ID
942410
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
quote(
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: _NAMES=quote(; quote(=test; test=quote(; session-cookie=155dc1abf4a9d78c82b04b0abeb261f558c01aba0998950cc9cd197e95c0c8a817e6010b6d3cd6fc46fa951eb0f53fa4
Connection: keep-alive

Rule content
# Rule 942410 (SQL injection): calls to SQL functions.
# Targets: cookie values (names matching /__utm/ or /_pk_ref/ excluded), cookie
# names, argument names and values, XML content; input is URL-decoded only.
# Pattern (case-insensitive): a word boundary, one function name from a long list
# (concat, sleep, load_file, benchmark, pg_sleep, quote, version, ...), any
# non-word characters, then "(".
# On match: TX.0 holds the matched text; ctl:auditLogParts=+E adds part E to the
# audit log parts; the critical anomaly score is added to tx.sql_injection_score
# and tx.anomaly_score_pl2.
# NOTE(review): as printed, the pattern is split over two physical lines after
# `qu(?:arter|ote)` with no continuation backslash. This looks like a rendering
# artifact of the report; in a rules file the break would end the directive early.
# Take the regex from the file named under "From file" before reusing it.
# NOTE(review): tagged paranoia-level/2. The report does not show which paranoia
# level the WAF ran at, so a 200 may only mean the rule was inactive; confirm.
# NOTE(review): `deny, nolog` plus a later `block`; confirm which disruptive
# action applies. `nolog` suppresses log entries for matches.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:\b(?:c(?:o(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|(?:un)?t|alesce)|ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)|s(?:t(?:d(?:dev(?:_(?:sam|po)p)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(?:_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha[12]?|oundex|chema|ig?n|leep|pace|qrt)|i(?:s(?:_(?:ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|(?:free|used)_lock)|null)?|n(?:et(?:6_(?:aton|ntoa)|_(?:aton|ntoa))|s(?:ert|tr)|terval)?|f(?:null)?)|d(?:a(?:t(?:e(?:_(?:format|add|sub)|diff)?|abase)|y(?:of(?:month|week|year)|name)?)|e(?:(?:s_(?:de|en)cryp|faul)t|grees|code)|count|ump)|l(?:o(?:ca(?:l(?:timestamp)?|te)|g(?:10|2)?|ad_file|wer)|ast(?:_(?:insert_id|day))?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(?:time(?:stamp)?|date)|p(?:datexml|per)|uid(?:_short)?|case|ser)|r(?:a(?:wto(?:nhex(?:toraw)?|hex)|dians|nd)|e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|ight|trim|pad)|t(?:ime(?:_(?:format|to_sec)|stamp(?:diff|add)?|diff)?|o_(?:(?:second|day)s|base64|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(?:name)?|d)|d5)|f(?:i(?:eld(?:_in_set)?|nd_in_set)|rom_(?:unixtime|base64|days)|o(?:und_rows|rmat)|loor)|p(?:o(?:w(?:er)?|sition)|eriod_(?:diff|add)|rocedure_analyse|assword|g_sleep|i)|a(?:s(?:cii(?:str)?|in)|es_(?:de|en)crypt|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|b(?:i(?:t_(?:length|count|x?or|and)|n(?:_to_num)?)|enchmark)|e(?:x(?:tract(?:value)?|p(?:ort_set)?)|nc(?:rypt|ode)|lt)|g(?:r(?:oup_conca|eates)t|et_(?:format|lock))|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|o(?:(?:ld_passwo)?rd|ct(?:et_length)?)|we(?:ek(?:ofyear|day)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|h(?:ex(?:toraw)?|our)|qu(?:arter|ote)
|year(?:week)?|xmltype)\W*?\()" \
    "id:942410, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'SQL Injection Attack',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942420 is not blocked (status code 200)
ModSecurity Rule ID
942420
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
@>´{$´*$
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: @>´{$´*$=test; [email protected]>´{$´*$; session-cookie=155dc1abc4c096f982b04b0abeb261f5d9f7965cf89565a4a98179a056f8a44573bd3b59cb6d85cc25878cd61fcb6bdc
Connection: keep-alive

Rule content
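# Rule 942420 - restricted SQL character anomaly detection for cookies.
# Matches when a cookie value or cookie name (cookies matching __utm and
# _pk_ref are excluded) contains 8 characters from the listed punctuation set,
# counted after t:urlDecodeUni. Tagged paranoia-level/3, severity WARNING; a
# match adds tx.warning_anomaly_score to tx.anomaly_score_pl3 and
# tx.sql_injection_score.
# Both character classes start with "~!@"; the page's e-mail obfuscation had
# replaced those three characters with a "[email protected]" placeholder.
# NOTE(review): "deny, nolog" precedes a later "block" in the action list. If
# the engine lets the later disruptive action win (ModSecurity 2.x action
# merging does, to my knowledge), the outcome is whatever SecDefaultAction
# sets, and "nolog" leaves no alert to explain a 200. The configured paranoia
# level is not shown on the page either - confirm both before reading the
# "not blocked" result as a detection gap.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){8})" \
    "id:942420, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)',\
    logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/3',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'WARNING',\
    setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
    setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}'"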
Pattern for rule 942430 is not blocked (status code 200)
ModSecurity Rule ID
942430
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
-‘!"´><(&~(+
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1ac0393ea5482b04b0abeb261f596ca0ad94904149e70ffe50f89c24fabc2e69e83c829435d9f04869031b59a3a
Connection: keep-alive

Rule content
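# Rule 942430 - restricted SQL character anomaly detection for arguments.
# Matches when an argument name, argument value or XML node contains 12
# characters from the listed punctuation set, counted after t:urlDecodeUni.
# Tagged paranoia-level/2, severity WARNING; a match adds
# tx.warning_anomaly_score to tx.anomaly_score_pl2 and tx.sql_injection_score.
# Both character classes start with "~!@"; the page's e-mail obfuscation had
# replaced those three characters with a "[email protected]" placeholder.
# NOTE(review): this rule inspects only ARGS_NAMES, ARGS and XML, but the
# request recorded for it in this report has no query string and no body, so
# the generated pattern never reached an inspected variable. The 200 is then
# the expected outcome and says nothing about the rule's coverage.
SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){12})" \
    "id:942430, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)',\
    logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'WARNING',\
    setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}',\
    setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}'"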
Pattern for rule 942431 is not blocked (status code 200)
ModSecurity Rule ID
942431
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
=(^'|!
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1abe24bd04e82b04b0abeb261f51d0d15d9395052d30ac0bb4c1f1e7f3b9770b0f3052a89b12d9665eb89e89899
Connection: keep-alive

Rule content
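# Rule 942431 - restricted SQL character anomaly detection for arguments,
# threshold 6. Same character set as the 12-character variant of this check,
# tagged paranoia-level/3, severity WARNING; a match adds
# tx.warning_anomaly_score to tx.anomaly_score_pl3 and tx.sql_injection_score.
# Both character classes start with "~!@"; the page's e-mail obfuscation had
# replaced those three characters with a "[email protected]" placeholder.
# NOTE(review): only ARGS_NAMES, ARGS and XML are inspected, and the request
# recorded for this rule in the report carries no query string or body, so
# the generated pattern was never presented to the rule.
SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){6})" \
    "id:942431, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)',\
    logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/3',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'WARNING',\
    setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
    setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}'"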
Pattern for rule 942432 is not blocked (status code 200)
ModSecurity Rule ID
942432
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
}`
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1ac1f367b2882b04b0abeb261f5b03e0575746acf3b95e68c4590511741da41ab75d9c164e4a28aa50b4478a1dd
Connection: keep-alive

Rule content
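# Rule 942432 - restricted SQL character anomaly detection for arguments,
# threshold 2. Tagged paranoia-level/4, severity WARNING; a match adds
# tx.warning_anomaly_score to tx.anomaly_score_pl4 and tx.sql_injection_score.
# With a threshold of two punctuation characters this fires on a great deal
# of ordinary input, which fits the paranoia-level/4 tag it carries.
# Both character classes start with "~!@"; the page's e-mail obfuscation had
# replaced those three characters with a "[email protected]" placeholder.
# NOTE(review): only ARGS_NAMES, ARGS and XML are inspected, and the request
# recorded for this rule in the report carries no query string or body, so
# the generated pattern was never presented to the rule.
SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){2})" \
    "id:942432, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)',\
    logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/4',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'WARNING',\
    setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
    setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}'"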
Pattern for rule 942440 is not blocked (status code 200)
ModSecurity Rule ID
942440
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
--
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: --=test; _NAMES=--; test=--; session-cookie=155dc1ac08eb6c3f82b04b0abeb261f52b2e6baa072f8dd2f5aa90256df490529acc6adc1064383a844dc23b65f076c6
Connection: keep-alive

Rule content
# Rule 942440 - SQL comment sequence detection.
# Alternatives, evaluated after t:urlDecodeUni: "/*" (optionally "/*!"), "*/",
# a quote or semicolon directly followed by "--", "--" followed by a
# whitespace character, "--" followed later by another "-", "#" preceded by a
# character other than "-" or "&" and followed later by whitespace, and a
# literal "\x00" with an optional leading ";".
# Tagged paranoia-level/2, severity CRITICAL.
# NOTE(review): a bare "--", as printed for the generated pattern in this
# report entry, satisfies none of these alternatives (each needs a prefix, a
# trailing whitespace character or a third "-"). Unless trailing whitespace
# was lost from the report, the payload did not match the rule and the 200 is
# a harness artefact rather than a missed detection.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (/\*!?|\*/|[';]--|--[\s\r\n\v\f]|(?:--[^-]*?-)|([^\-&])#.*?[\s\r\n\v\f]|;?\\x00)" \
    "id:942440, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'SQL Comment Sequence Detected.',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942450 is not blocked (status code 200)
ModSecurity Rule ID
942450
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
0x2e1437dd8b65f4d403f41820ba0xded933d4417aec5bc1b3c324a13f17b00x4059f19c26655caabafff6847ef0d0xc4fe94fee4a_0xc3bbce3b0xbde67adce57994b2edK0x2354b20971cd19a62d2d214de3f50x3c29ab63705510bf3P0xd4701ef77b0a09a
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: 0x2e1437dd8b65f4d403f41820ba0xded933d4417aec5bc1b3c324a13f17b00x4059f19c26655caabafff6847ef0d0xc4fe94fee4a_0xc3bbce3b0xbde67adce57994b2edK0x2354b20971cd19a62d2d214de3f50x3c29ab63705510bf3P0xd4701ef77b0a09a=test; _NAMES=0x2e1437dd8b65f4d403f41820ba0xded933d4417aec5bc1b3c324a13f17b00x4059f19c26655caabafff6847ef0d0xc4fe94fee4a_0xc3bbce3b0xbde67adce57994b2edK0x2354b20971cd19a62d2d214de3f50x3c29ab63705510bf3P0xd4701ef77b0a09a; test=0x2e1437dd8b65f4d403f41820ba0xded933d4417aec5bc1b3c324a13f17b00x4059f19c26655caabafff6847ef0d0xc4fe94fee4a_0xc3bbce3b0xbde67adce57994b2edK0x2354b20971cd19a62d2d214de3f50x3c29ab63705510bf3P0xd4701ef77b0a09a; session-cookie=155dc1ac15cde34c82b04b0abeb261f5046fa18ec5c7deefd4d76c236124ca4afa3b883b51b783954ad0343a9494d7bb
Connection: keep-alive

Rule content
# Rule 942450 - SQL hex-encoding detection.
# Case-insensitive match on one or more runs of "0x" followed by at least
# three hex digits, where each "0x" is at the start of the value or preceded
# by a non-digit. Inspected: cookies (except __utm and _pk_ref), cookie names,
# argument names, argument values and XML, after t:urlDecodeUni.
# Tagged paranoia-level/2, severity CRITICAL.
# NOTE(review): the pattern is broad - any identifier or token that begins
# with "0x" and three hex digits matches - so expect false positives on
# hex-looking IDs when the rule's paranoia level is enabled.
# NOTE(review): "deny, nolog" is followed later by "block"; if the later
# disruptive action wins, the outcome is decided by SecDefaultAction, and the
# configured paranoia level is not shown on the page. Confirm both before
# treating the recorded 200 as a bypass.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:\A|[^\d])0x[a-f\d]{3,}[a-f\d]*)+" \
    "id:942450, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'SQL Hex Encoding Identified',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942460 is not blocked (status code 200)
ModSecurity Rule ID
942460
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
\-,}
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session-cookie=155dc1abeeaff82d82b04b0abeb261f5685bf90cfa8cebff2b0cfdf78a539b5d65098fc2f7415ff8270aca8c07678c77
Connection: keep-alive

Rule content
# Rule 942460 - meta-character anomaly detection.
# Matches four consecutive non-word characters in any argument value, after
# t:urlDecodeUni. Tagged paranoia-level/3, severity WARNING; a match adds
# tx.warning_anomaly_score to tx.anomaly_score_pl3.
# NOTE(review): unlike the other SQLi rules shown in this report, this one
# does not increment tx.sql_injection_score, and its per-rule TX variable is
# named ...COMMAND_INJECTION while the tag says SQL_INJECTION. Anything that
# keys on those names will see this rule differently from its siblings.
# NOTE(review): only ARGS is inspected, and the request recorded for this
# rule in the report has no query string or body, so the generated pattern
# was never presented to the rule.
SecRule ARGS "@rx \W{4}" \
    "id:942460, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/3',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'WARNING',\
    setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942470 is not blocked (status code 200)
ModSecurity Rule ID
942470
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
sp_help
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: _NAMES=sp_help; sp_help=test; test=sp_help; session-cookie=155dc1abf95bde1f82b04b0abeb261f5856d2e80ca4d8657ff09527ab36e62bbafba6d07d12889dc09d5d5ded0ffd668
Connection: keep-alive

Rule content
# Rule 942470 - database-specific procedure and object names.
# Case-insensitive substring match (no word boundaries) on names such as the
# xp_* and sp_* families, openrowset/openquery, utl_file/utl_http, dbms_java
# and a few type names. Inspected: cookies (except __utm and _pk_ref), cookie
# names, argument names, argument values and XML, after t:urlDecodeUni.
# Tagged paranoia-level/2, severity CRITICAL.
# NOTE(review): because the match is unanchored, short alternatives such as
# "varchar" or "sp_help" also fire inside longer benign strings; plan
# exclusions when enabling this paranoia level.
# NOTE(review): "deny, nolog" is followed later by "block"; if the later
# disruptive action wins, the outcome is decided by SecDefaultAction. The
# configured paranoia level is not shown on the page - confirm both before
# treating the recorded 200 as a bypass.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|(?:servicecontro|cmdshel)l|e(?:xecresultset|numdsn)|ntsec(?:_enumdomains)?|terminate(?:_process)?|availablemedia|loginconfig|filelist|dirtree|makecab)|s(?:p_(?:(?:addextendedpro|sqlexe)c|p(?:assword|repare)|replwritetovarbin|is_srvrolemember|execute(?:sql)?|makewebtask|oacreate|help)|ql_(?:longvarchar|variant))|open(?:owa_util|rowset|query)|(?:n?varcha|tbcreato)r|autonomous_transaction|db(?:a_users|ms_java)|utl_(?:file|http)))" \
    "id:942470, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'SQL Injection Attack',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}'"
Pattern for rule 942480 is not blocked (status code 200)
ModSecurity Rule ID
942480
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern
'sa'
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: 'sa'=test; _NAMES='sa'; test='sa'; session-cookie=155dc1abfe1ab9ba82b04b0abeb261f5e0d3c3c48be2f281fc47fedd32965fdc87d0bb436da93efae607e7b9219ff34f
Connection: keep-alive

Rule content
# Rule 942480 - SQL statement fragments.
# Case-insensitive match on keyword pairs separated by a bounded gap (for
# example "union ... select" or "select ... from" within 100 characters), on
# statement terminators followed by shutdown/drop, on "@@version", and on a
# few quoted account/provider names. Inspected: cookies (except __utm and
# _pk_ref), cookie names, argument names, argument values and XML, after
# t:urlDecodeUni. Tagged paranoia-level/2, severity CRITICAL.
# NOTE(review): the {1,100} gaps bound how far apart the keywords may be, so
# keyword pairs separated by more than 100 characters fall outside this rule
# and have to be caught by other rules in the set.
# NOTE(review): "deny, nolog" is followed later by "block"; if the later
# disruptive action wins, the outcome is decided by SecDefaultAction. The
# configured paranoia level is not shown on the page - confirm both before
# treating the recorded 200 as a bypass.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:\b(?:(?:s(?:elect\b.{1,100}?\b(?:(?:(?:length|count)\b.{1,100}?|.*?\bdump\b.*)\bfrom|to(?:p\b.{1,100}?\bfrom|_(?:numbe|cha)r)|(?:from\b.{1,100}?\bwher|data_typ)e|instr)|ys_context)|in(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)|u(?:nion\b.{1,100}?\bselect|tl_inaddr)|group\b.*?\bby\b.{1,100}?\bhaving|d(?:elete\b\W*?\bfrom|bms_\w+\.)|load\b\W*?\bdata\b.*?\binfile)\b|print\b\W*?\@\@)|(?:;\W*?\b(?:shutdown|drop)|collation\W*?\(a|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)'))" \
    "id:942480, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'SQL Injection Attack',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}'"
Pattern for rule 944100 is not blocked (status code 200)
ModSecurity Rule ID
944100
From file
../../owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Generated pattern
java.lang.runtime
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Test: java.lang.runtime
_NAMES: java.lang.runtime
Cookie: _NAMES=java.lang.runtime; java.lang.runtime=test; test=java.lang.runtime; session-cookie=155dc1ac27eca65782b04b0abeb261f5ddde0636206fb16fc0798da1c6b69df5a29726a90d4d9a81296e515d378ead4a
Connection: keep-alive

Rule content
# Rule 944100 - suspicious Java class names.
# Matches "java.lang.runtime" or "java.lang.processbuilder" after t:lowercase
# in arguments, argument names, cookies (except __utm), cookie names, the raw
# request body, all request headers and XML nodes/attributes.
# Tagged paranoia-level/1, severity CRITICAL; a match adds
# tx.critical_anomaly_score to tx.rce_score and tx.anomaly_score_pl1.
# NOTE(review): this is a paranoia-level/1 rule and the request recorded for
# it in the report carries the pattern in a header and in cookies, both of
# which the rule inspects, yet the response was 200. The action list reads
# "deny, nolog" first and "block" and "log" later; if the later actions win
# (ModSecurity 2.x action merging does this, to my knowledge), the rule only
# scores and the final decision is left to SecDefaultAction and the anomaly
# threshold, neither of which is shown on the page. Check the engine mode
# (SecRuleEngine) and the blocking-evaluation rules before concluding the
# pattern goes undetected.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
    "@rx java\.lang\.(?:runtime|processbuilder)" \
    "id:944100, deny, nolog,\
    phase:2,\
    block,\
    log,\
    msg:'Remote Command Execution: Suspicious Java class detected',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    t:none,t:lowercase,\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
    tag:'WASCTC/WASC-31',\
    tag:'OWASP_TOP_10/A1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/1',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'"
Pattern for rule 944210 is not blocked (status code 200)
ModSecurity Rule ID
944210
From file
../../owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Generated pattern
Cs7QAF
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Test: Cs7QAF
_NAMES: Cs7QAF
Cookie: Cs7QAF=test; _NAMES=Cs7QAF; test=Cs7QAF; session-cookie=155dc1ac36e7b6b682b04b0abeb261f5a4fd7199a78fb2f8b389d685cac2272d6a323d3f084ed4119ae65708bb9533c3
Connection: keep-alive

Rule content
# Rule 944210 - Base64-encoded Java serialization magic bytes.
# Case-sensitive match on three Base64 prefixes in arguments, argument names,
# cookies (except __utm), cookie names, the raw request body, all request
# headers and XML nodes/attributes.
# Tagged paranoia-level/2, severity CRITICAL; a match adds
# tx.critical_anomaly_score to tx.rce_score and tx.anomaly_score_pl2.
# NOTE(review): the action list has no "t:" action at all, so whatever
# transformations SecDefaultAction defines would be inherited. A lowercase or
# decoding transformation there would stop this case-sensitive pattern from
# matching - verify the defaults, or add "t:none" locally.
# NOTE(review): the six-character prefixes are short enough to occur by
# chance inside unrelated Base64 data such as session tokens; expect false
# positives when this paranoia level is enabled.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
    "@rx (?:rO0ABQ|KztAAU|Cs7QAF)" \
    "id:944210, deny, nolog,\
    phase:2,\
    block,\
    log,\
    msg:'Magic bytes Detected Base64 Encoded, probable java serialization in use',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
    tag:'WASCTC/WASC-31',\
    tag:'OWASP_TOP_10/A1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'"
Pattern for rule 944240 is not blocked (status code 200)
ModSecurity Rule ID
944240
From file
../../owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Generated pattern
filewriter
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Test: filewriter
_NAMES: filewriter
Cookie: _NAMES=filewriter; filewriter=test; test=filewriter; session-cookie=155dc1ac3ac87db082b04b0abeb261f5f127d1f7661d55097767639f587faaf5e0339ee273315117f9d8e56e04266382
Connection: keep-alive

Rule content
# Rule 944240 - Java deserialization gadget class names.
# Substring match, after t:lowercase, on a fixed list of class and method
# names in arguments, argument names, cookies (except __utm), cookie names,
# the raw request body, all request headers and XML nodes/attributes.
# Tagged paranoia-level/2, severity CRITICAL; a match adds
# tx.critical_anomaly_score to tx.rce_score and tx.anomaly_score_pl2.
# NOTE(review): several alternatives ("getproperty", "filewriter") are
# ordinary identifiers that can appear in benign traffic, and the match is
# unanchored; expect false positives at this paranoia level.
# NOTE(review): the CVE identifier in msg is reproduced as printed on the
# page - verify it against the upstream rule file before citing it.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
    "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \
    "id:944240, deny, nolog,\
    phase:2,\
    block,\
    t:none,t:lowercase,\
    log,\
    msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
    tag:'WASCTC/WASC-31',\
    tag:'OWASP_TOP_10/A1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'"
Pattern for rule 944300 is not blocked (status code 200)
ModSecurity Rule ID
944300
From file
../../owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Generated pattern
BjbG9uZXRyYW5zZm9ybWVy
Request sent to WAF
GET /vulnbank/index.html HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Test: BjbG9uZXRyYW5zZm9ybWVy
_NAMES: BjbG9uZXRyYW5zZm9ybWVy
Cookie: BjbG9uZXRyYW5zZm9ybWVy=test; _NAMES=BjbG9uZXRyYW5zZm9ybWVy; test=BjbG9uZXRyYW5zZm9ybWVy; session-cookie=155dc1ac3ea189e882b04b0abeb261f5a7f5b2b10547d0e164ea37dd0dffa8ff86f4343289964426305473a4826b8116
Connection: keep-alive

Rule content
# Rule 944300 - Base64-encoded Java keywords.
# Case-sensitive match (t:none only) on a fixed list of Base64 fragments in
# arguments, argument names, cookies (except __utm), cookie names, the raw
# request body, all request headers and XML nodes/attributes. The fragments
# come in groups of three, presumably one per Base64 alignment of each
# keyword - TODO confirm against the upstream rule comments.
# Tagged paranoia-level/3, severity CRITICAL; a match adds
# tx.critical_anomaly_score to tx.rce_score and tx.anomaly_score_pl3.
# NOTE(review): the list encodes one spelling of each keyword; the rule's
# own msg describes it as a keyword match, so it should be treated as a
# heuristic that complements, not replaces, fixing unsafe deserialization in
# the application.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
    "@rx (?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)" \
    "id:944300, deny, nolog,\
    phase:2,\
    block,\
    t:none,\
    log,\
    msg:'Base64 encoded string matched suspicious keyword',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
    tag:'WASCTC/WASC-31',\
    tag:'OWASP_TOP_10/A1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/3',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'"
Pattern for rule 933161 is not blocked (status code 404)
ModSecurity Rule ID
933161
From file
../../owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Generated pattern
ord(Htlui#Z5@,A\)
Request sent to WAF
GET /ord%28Htlui%23Z5%40%2CA%5C%29?test=ord%28Htlui%23Z5%40%2CA%5C%29&_NAMES=ord%28Htlui%23Z5%40%2CA%5C%29 HTTP/1.1
Host: 127.0.0.1:4343
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: _NAMES=ord(Htlui#Z5@,A\); ord(Htlui#Z5@,A\)=test; test=ord(Htlui#Z5@,A\)
Connection: keep-alive

Rule content
# Rule 933161 - low-value PHP function call.
# Case-insensitive match on a word-boundary-anchored PHP function name from a
# fixed list, followed by optional whitespace or comments and a parenthesised
# argument list. Inspected without decoding (t:none): cookies (except __utm),
# cookie names, the request filename, argument names, argument values and XML.
# Tagged paranoia-level/3, severity CRITICAL; a match adds
# tx.critical_anomaly_score to tx.php_injection_score and
# tx.anomaly_score_pl3.
# NOTE(review): the request recorded for this rule in the report places the
# pattern in the URL path, and the response was 404, which is consistent with
# the request reaching the backend rather than being denied. The list
# contains common English words ("date", "list", "end", "key"), so a
# parenthesis later in the same value is enough to match; this is why the
# rule sits at paranoia level 3.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:i(?:s(?:_(?:in(?:t(?:eger)?|finite)|n(?:u(?:meric|ll)|an)|(?:calla|dou)ble|s(?:calar|tring)|f(?:inite|loat)|re(?:source|al)|l(?:ink|ong)|a(?:rray)?|object|bool)|set)|n(?:(?:clud|vok)e|t(?:div|val))|(?:mplod|dat)e|conv)|s(?:t(?:r(?:(?:le|sp)n|coll)|at)|(?:e(?:rializ|ttyp)|huffl)e|i(?:milar_text|zeof|nh?)|p(?:liti?|rintf)|(?:candi|ubst)r|y(?:mlink|slog)|o(?:undex|rt)|leep|rand|qrt)|f(?:ile(?:(?:siz|typ)e|owner|pro)|l(?:o(?:atval|ck|or)|ush)|(?:rea|mo)d|t(?:ell|ok)|unction|close|gets|stat|eof)|c(?:h(?:o(?:wn|p)|eckdate|root|dir|mod)|o(?:(?:(?:nsta|u)n|mpac)t|sh?|py)|lose(?:dir|log)|(?:urren|ryp)t|eil)|e(?:x(?:(?:trac|i)t|p(?:lode)?)|a(?:ster_da(?:te|ys)|ch)|r(?:ror_log|egi?)|mpty|cho|nd)|l(?:o(?:g(?:1[0p])?|caltime)|i(?:nk(?:info)?|st)|(?:cfirs|sta)t|evenshtein|trim)|d(?:i(?:(?:skfreespac)?e|r(?:name)?)|e(?:fined?|coct)|(?:oubleva)?l|ate)|r(?:e(?:(?:quir|cod|nam)e|adlin[ek]|wind|set)|an(?:ge|d)|ound|sort|trim)|m(?:b(?:split|ereg)|i(?:crotime|n)|a(?:i[ln]|x)|etaphone|y?sql|hash)|u(?:n(?:(?:tain|se)t|iqid|link)|s(?:leep|ort)|cfirst|mask)|a(?:s(?:(?:se|o)rt|inh?)|r(?:sort|ray)|tan[2h]?|cosh?|bs)|t(?:e(?:xtdomain|mpnam)|a(?:int|nh?)|ouch|ime|rim)|h(?:e(?:ader(?:s_(?:lis|sen)t)?|brev)|ypot|ash)|p(?:a(?:thinfo|ck)|r(?:intf?|ev)|close|o[sw]|i)|g(?:et(?:t(?:ext|ype)|date)|mdate)|o(?:penlog|ctdec|rd)|b(?:asename|indec)|n(?:atsor|ex)t|k(?:sort|ey)|quotemeta|wordwrap|virtual|join)(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)" \
    "id:933161, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'PHP Injection Attack: Low-Value PHP Function Call Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-injection-php',\
    tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
    tag:'OWASP_TOP_10/A1',\
    tag:'paranoia-level/3',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}'"
Rule was not formed correctly
ModSecurity Rule ID
910100
Error
Failed to create valid payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
Rule content
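# Rule 910100 - chain starter for the high-risk-country check.
# Matches when TX:HIGH_RISK_COUNTRY_CODES is not empty (negated "^$"), then
# hands over to the chained rule(s) that follow it in the rule file; those
# are not part of this listing, so this fragment alone decides nothing.
# The operator is the negated regex "!@rx"; the page's e-mail obfuscation had
# replaced it with a "[email protected]" placeholder.
# NOTE(review): the inspected variable lives in the TX collection, which is
# set by configuration and other rules rather than taken from the request,
# so a request-only payload generator cannot exercise this rule. The "Failed
# to create valid payload" result is a limit of the harness, not a finding
# about the rule.
SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
    "id:910100, deny, nolog,\
    phase:2,\
    block,\
    t:none,\
    msg:'Client IP is from a HIGH Risk Country Location.',\
    logdata:'%{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-reputation-ip',\
    severity:'CRITICAL',\
    chain"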
Rule was not formed correctly
ModSecurity Rule ID
0
Error
Failed to create valid payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
Rule content
# Chained sub-rule (no id of its own; the report prints the id as 0).
# Extracts the text between "TX:checkip. " and the following ": " from
# TX:httpbl_msg and stores that capture back into tx.httpbl_msg.
# NOTE(review): the dots in ".dnsbl.httpbl.org" and after "TX:checkip" are
# unescaped and therefore match any character; harmless for a message the
# engine generates itself, but worth escaping for exactness.
# NOTE(review): a chained rule only runs after its chain starter matched, so
# testing it in isolation, as this report entry does, is not meaningful.
SecRule TX:httpbl_msg "@rx RBL lookup of .*?.dnsbl.httpbl.org succeeded at TX:checkip. (.*?): .*" \
        "capture,\
        t:none,\
        setvar:'tx.httpbl_msg=%{tx.1}'"
Rule was not formed correctly
ModSecurity Rule ID
0
Error
Failed to create valid payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
Rule content
# Chained sub-rule (no id of its own; the report prints the id as 0).
# When TX:httpbl_msg contains "Search Engine" it adds
# tx.critical_anomaly_score to tx.anomaly_score_pl1 and records a block flag,
# the block reason and a "previously checked" marker in the IP collection.
# The block flag expires after tx.reput_block_duration; the "previously
# checked" marker expires after 86400 seconds.
# NOTE(review): the inspected variable is a TX value set by other rules, not
# request data, so a request-only payload generator cannot exercise it.
SecRule TX:httpbl_msg "@rx Search Engine" \
        "setvar:'tx.msg=%{rule.msg}',\
        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
        setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}',\
        setvar:'ip.reput_block_flag=1',\
        setvar:'ip.reput_block_reason=%{rule.msg}',\
        setvar:'ip.previous_rbl_check=1',\
        expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\
        expirevar:'ip.previous_rbl_check=86400'"
Rule was not formed correctly
ModSecurity Rule ID
0
Error
Failed to create valid payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
Rule content
# Chained sub-rule (no id of its own; the report prints the id as 0).
# When TX:httpbl_msg contains " spammer " (case-insensitive) it adds
# tx.critical_anomaly_score to tx.anomaly_score_pl1 and records a block flag,
# the block reason and a "previously checked" marker in the IP collection.
# The block flag expires after tx.reput_block_duration; the "previously
# checked" marker expires after 86400 seconds.
# NOTE(review): the inspected variable is a TX value set by other rules, not
# request data, so a request-only payload generator cannot exercise it.
SecRule TX:httpbl_msg "@rx (?i)^.*? spammer .*?$" \
        "setvar:'tx.msg=%{rule.msg}',\
        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
        setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}',\
        setvar:'ip.reput_block_flag=1',\
        setvar:'ip.reput_block_reason=%{rule.msg}',\
        setvar:'ip.previous_rbl_check=1',\
        expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\
        expirevar:'ip.previous_rbl_check=86400'"
Rule was not formed correctly
ModSecurity Rule ID
0
Error
Failed to create valid payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
Rule content
# Chained sub-rule (no id of its own; the report prints the id as 0).
# When TX:httpbl_msg contains " suspicious " (case-insensitive) it adds
# tx.critical_anomaly_score to tx.anomaly_score_pl1 and records a block flag,
# the block reason and a "previously checked" marker in the IP collection.
# The block flag expires after tx.reput_block_duration; the "previously
# checked" marker expires after 86400 seconds.
# NOTE(review): the inspected variable is a TX value set by other rules, not
# request data, so a request-only payload generator cannot exercise it.
SecRule TX:httpbl_msg "@rx (?i)^.*? suspicious .*?$" \
        "setvar:'tx.msg=%{rule.msg}',\
        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
        setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}',\
        setvar:'ip.reput_block_flag=1',\
        setvar:'ip.reput_block_reason=%{rule.msg}',\
        setvar:'ip.previous_rbl_check=1',\
        expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\
        expirevar:'ip.previous_rbl_check=86400'"
Rule was not formed correctly
ModSecurity Rule ID
0
Error
Failed to create valid payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
Rule content
# Chained sub-rule (no id of its own; the report prints the id as 0).
# When TX:httpbl_msg contains " harvester " (case-insensitive) it adds
# tx.critical_anomaly_score to tx.anomaly_score_pl1 and records a block flag,
# the block reason and a "previously checked" marker in the IP collection.
# The block flag expires after tx.reput_block_duration; the "previously
# checked" marker expires after 86400 seconds.
# NOTE(review): the inspected variable is a TX value set by other rules, not
# request data, so a request-only payload generator cannot exercise it.
SecRule TX:httpbl_msg "@rx (?i)^.*? harvester .*?$" \
        "setvar:'tx.msg=%{rule.msg}',\
        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
        setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}',\
        setvar:'ip.reput_block_flag=1',\
        setvar:'ip.reput_block_reason=%{rule.msg}',\
        setvar:'ip.previous_rbl_check=1',\
        expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\
        expirevar:'ip.previous_rbl_check=86400'"
Rule was not formed correctly
ModSecurity Rule ID
920120
Error
Failed to create valid payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
# Rule 920120 - multipart/form-data bypass attempt in upload names.
# Inspects FILES_NAMES and FILES after t:urlDecodeUni and matches either a
# ";" that is not the end of one of the listed HTML entities (negative
# lookbehind), or any single quote, double quote or "=".
# Severity CRITICAL; a match adds tx.critical_anomaly_score to
# tx.anomaly_score_pl1.
# NOTE(review): FILES and FILES_NAMES are only populated for multipart
# uploads, so exercising this rule needs a multipart/form-data request with a
# crafted part name or filename. Presumably that, or the lookbehind syntax,
# is why the harness reports "Failed to create valid payload" - confirm in
# the harness; the result is not evidence about the rule itself.
SecRule FILES_NAMES|FILES "@rx (?<!&(?:[aAoOuUyY]uml)|&(?:[aAeEiIoOuU]circ)|&(?:[eEiIoOuUyY]acute)|&(?:[aAeEiIoOuU]grave)|&(?:[cC]cedil)|&(?:[aAnNoO]tilde)|&(?:amp)|&(?:apos));|['\"=]" \
    "id:920120, deny, nolog,\
    phase:2,\
    block,\
    t:none,t:urlDecodeUni,\
    msg:'Attempted multipart/form-data bypass',\
    logdata:'%{matched_var}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\
    tag:'CAPEC-272',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
Rule was not formed correctly
ModSecurity Rule ID
0
Error
Failed to create valid payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
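# Chained sub-rule (no id of its own; the report prints the id as 0).
# Matches when the Content-Length header is neither empty nor "0" (negated
# "^0?$") and then adds tx.critical_anomaly_score to tx.anomaly_score_pl1.
# The operator is the negated regex "!@rx"; the page's e-mail obfuscation had
# replaced it with a "[email protected]" placeholder.
# NOTE(review): the chain starter that selects which requests reach this
# check is not part of this listing, so the fragment cannot be judged, or
# tested, on its own.
SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" \
        "t:none,\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
        setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"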
Rule was not formed correctly
ModSecurity Rule ID
0
Error
Failed to create valid payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
SecRule REQUEST_BODY|XML:/* "@rx \%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
        "chain"
Rule was not formed correctly
ModSecurity Rule ID
0
Error
Failed to create valid payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
        "chain"
Rule was not formed correctly
ModSecurity Rule ID
0
Error
Failed to create valid payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
        "chain"
Rule was not formed correctly
ModSecurity Rule ID
0
Error
Failed to create valid payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
SecRule TX:0 "!@rx ^%{tx.allowed_request_content_type}$" \
        "t:none,\
        ctl:forceRequestBodyVariable=On,\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
        setvar:'tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}'"
Rule was not formed correctly
ModSecurity Rule ID
0
Error
Failed to create valid payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
SecRule TX:1 "!@rx ^%{tx.allowed_request_content_type_charset}$" \
        "t:none,\
        ctl:forceRequestBodyVariable=On,\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
        setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/CONTENT_TYPE_CHARSET-%{matched_var_name}=%{matched_var}'"
Rule was not formed correctly
ModSecurity Rule ID
0
Error
Failed to create valid payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?\-(?:\d+)?\s*,?\s*){63}" \
        "setvar:'tx.msg=%{rule.msg}',\
        setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}',\
        setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"
Rule was not formed correctly
ModSecurity Rule ID
0
Error
Failed to create valid payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
        "chain"
Rule was not formed correctly
ModSecurity Rule ID
0
Error
Failed to create valid payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?\-(?:\d+)?\s*,?\s*){6}" \
        "setvar:'tx.msg=%{rule.msg}',\
        setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
        setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"
Rule was not formed correctly
ModSecurity Rule ID
920460
Error
Failed to create valid payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?<!\Q\\\E)\Q\\\E[cdeghijklmpqwxyz123456789]" \
    "id:920460, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
    log,\
    msg:'Abnormal character escapes in request',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/4',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/ABNORMAL-ESCAPE-%{matched_var_name}=%{matched_var}'"
Rule was not formed correctly
ModSecurity Rule ID
0
Error
Failed to create valid payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Rule content
SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \
        "capture,\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
        setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
        setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HTTP_PARAMETER_POLLUTION-%{matched_var_name}=%{tx.0}'"
Rule was not formed correctly
ModSecurity Rule ID
942130
Error
Failed to create valid payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Rule content
SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)(?:<(?:=(?:([\s'\"`\(\)]*?)(?!\2)([\d\w]+)|>([\s'\"`\(\)]*?)(?:\2))|>?([\s'\"`\(\)]*?)(?!\2)([\d\w]+))|(?:not\s+(?:regexp|like)|is\s+not|>=?|!=|\^)([\s'\"`\(\)]*?)(?!\2)([\d\w]+)|(?:(?:sounds\s+)?like|r(?:egexp|like)|=)([\s'\"`\(\)]*?)(?:\2)))" \
    "id:942130, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:replaceComments,\
    msg:'SQL Injection Attack: SQL Tautology Detected.',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    multiMatch,\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}'"
Rule was not formed correctly
ModSecurity Rule ID
0
Error
Failed to create valid payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Rule content
SecRule MATCHED_VARS "@rx (?i)\b(?:c(?:o(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|(?:un)?t|llation|alesce)|ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)|s(?:u(?:b(?:str(?:ing(?:_index)?)?|(?:dat|tim)e)|m)|t(?:d(?:dev_(?:sam|po)p)?|r(?:_to_date|cmp))|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha[12]?|oundex|chema|ig?n|leep|pace|qrt)|i(?:s(?:_(?:ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|(?:free|used)_lock)|null)|n(?:et(?:6_(?:aton|ntoa)|_(?:aton|ntoa))|s(?:ert|tr)|terval)?|f(?:null)?)|d(?:a(?:t(?:e(?:_(?:format|add|sub)|diff)?|abase)|y(?:of(?:month|week|year)|name)?)|e(?:(?:s_(?:de|en)cryp|faul)t|grees|code)|count|ump)|l(?:o(?:ca(?:l(?:timestamp)?|te)|g(?:10|2)?|ad_file|wer)|ast(?:_(?:inser_id|day))?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(?:time(?:stamp)?|date)|p(?:datexml|per)|uid(?:_short)?|case|ser)|t(?:ime(?:_(?:format|to_sec)|stamp(?:diff|add)?|diff)?|o(?:(?:second|day)s|_base64|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(?:name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|a(?:wtohex|dians|nd)|o(?:w_count|und)|ight|trim|pad)|f(?:i(?:eld(?:_in_set)?|nd_in_set)|rom_(?:unixtime|base64|days)|o(?:und_rows|rmat)|loor)|p(?:o(?:w(?:er)?|sition)|eriod_(?:diff|add)|rocedure_analyse|assword|g_sleep|i)|a(?:s(?:cii(?:str)?|in)|es_(?:de|en)crypt|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|b(?:i(?:t_(?:length|count|x?or|and)|n(?:_to_num)?)|enchmark)|e(?:x(?:tract(?:value)?|p(?:ort_set)?)|nc(?:rypt|ode)|lt)|g(?:r(?:oup_conca|eates)t|et_(?:format|lock))|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|o(?:(?:ld_passwo)?rd|ct(?:et_length)?)|we(?:ek(?:ofyear|day)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|h(?:ex(?:toraw)?|our)|qu(?:arter|ote)|year(?:week)?|xmltype)\W*\(" \
        "setvar:'tx.msg=%{rule.msg}',\
        setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
        setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
        setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}'"
Rule was not formed correctly
ModSecurity Rule ID
0
Error
Failed to create valid payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Rule content
SecRule REQUEST_HEADERS:Referer "@rx ^(?:ht|f)tps?://(.*?)\/" \
        "capture,\
        chain"
Rule was not formed correctly
ModSecurity Rule ID
0
Error
Failed to create valid payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Rule content
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \
            "setvar:'tx.msg=%{rule.msg}',\
            setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
            setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
            setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'"
Rule was not formed correctly
ModSecurity Rule ID
0
Error
Failed to create valid payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Rule content
SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \
        "t:none,t:lowercase,\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
        setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'"
Rule was not formed correctly
ModSecurity Rule ID
0
Error
Failed to create valid payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Rule content
SecRule MATCHED_VARS "@rx (?:runtime|processbuilder|clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \
        "t:base64Decode,t:lowercase,\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
        setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
        setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'"
Rule was not formed correctly
ModSecurity Rule ID
944250
Error
Failed to create valid payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Rule content
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
    "@rx java\b.+(?:runtime|processbuilder)" \
    "id:944250, deny, nolog,\
    phase:2,\
    block,\
    log,\
    msg:'Remote Command Execution: Suspicious Java method detected',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    t:lowercase,\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
    tag:'WASCTC/WASC-31',\
    tag:'OWASP_TOP_10/A1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'"
Rule was not formed correctly
ModSecurity Rule ID
920340
Error
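ModSecurity didn't blocked generated payload
Note: the rule text below ends in chain, so only the first condition of the rule is shown, and its action list contains both deny and pass. A request that matches this one pattern may not be blocked by design; confirm against the complete chain before reading this entry as a detection gap.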
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
    "id:920340, deny, nolog,\
    phase:2,\
    pass,\
    t:none,\
    msg:'Request Containing Content, but Missing Content-Type header',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'NOTICE',\
    chain"
Rule was not formed correctly
ModSecurity Rule ID
941250
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Rule content
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<META[\s/+].*?http-equiv[\s/+]*=[\s/+]*[\"\'`]?(((c|(&#x?0*((67)|(43)|(99)|(63));?)))|((r|(&#x?0*((82)|(52)|(114)|(72));?)))|((s|(&#x?0*((83)|(53)|(115)|(73));?)))))" \
    "id:941250, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'IE XSS Filters - Attack Detected.',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
Rule was not formed correctly
ModSecurity Rule ID
920160
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
    "id:920160, deny, nolog,\
    phase:1,\
    block,\
    t:none,\
    msg:'Content-Length HTTP header is not numeric.',\
    logdata:'%{matched_var}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
    tag:'CAPEC-272',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"
Rule was not formed correctly
ModSecurity Rule ID
941220
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Rule content
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(b|(&#x?0*((66)|(42)|(98)|(62));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).)" \
    "id:941220, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'IE XSS Filters - Attack Detected.',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
Rule was not formed correctly
ModSecurity Rule ID
941210
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Rule content
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(j|(&#x?0*((74)|(4A)|(106)|(6A));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).)" \
    "id:941210, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'IE XSS Filters - Attack Detected.',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
Rule was not formed correctly
ModSecurity Rule ID
920330
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \
    "id:920330, deny, nolog,\
    phase:2,\
    pass,\
    t:none,\
    msg:'Empty User Agent Header',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/EMPTY_HEADER_UA',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'NOTICE',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.notice_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}'"
Rule was not formed correctly
ModSecurity Rule ID
941160
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Rule content
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*(?:\W*?s\W*?c\W*?r\W*?i\W*?p\W*?t|\W*?f\W*?o\W*?r\W*?m|\W*?s\W*?t\W*?y\W*?l\W*?e|\W*?s\W*?v\W*?g|\W*?m\W*?a\W*?r\W*?q\W*?u\W*?e\W*?e|(?:\W*?l\W*?i\W*?n\W*?k|\W*?o\W*?b\W*?j\W*?e\W*?c\W*?t|\W*?e\W*?m\W*?b\W*?e\W*?d|\W*?a\W*?p\W*?p\W*?l\W*?e\W*?t|\W*?p\W*?a\W*?r\W*?a\W*?m|\W*?i?\W*?f\W*?r\W*?a\W*?m\W*?e|\W*?b\W*?a\W*?s\W*?e|\W*?b\W*?o\W*?d\W*?y|\W*?m\W*?e\W*?t\W*?a|\W*?i\W*?m\W*?a?\W*?g\W*?e?|\W*?v\W*?i\W*?d\W*?e\W*?o|\W*?a\W*?u\W*?d\W*?i\W*?o|\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g\W*?s|\W*?s\W*?e\W*?t|\W*?a\W*?n\W*?i\W*?m\W*?a\W*?t\W*?e)[^>\w])|(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:formaction|style|background|src|lowsrc|ping|on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)?|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|m(?:o(?:z(?:pointerlock(?:change|error)|(?:orientation|time)change|fullscreen(?:change|error)|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|u(?:ccess|
spend|bmit)|peech(?:start|end)|ound(?:start|end)|croll|how)|b(?:e(?:for(?:e(?:(?:scriptexecu|activa)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|deactivate)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ime(?:update|out)|ransitionend|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom))[\s\x08]*?=" \
    "id:941160, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'NoScript XSS InjectionChecker: HTML Injection',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
Rule was not formed correctly
ModSecurity Rule ID
920310
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
SecRule REQUEST_HEADERS:Accept "@rx ^$" \
    "id:920310, deny, nolog,\
    phase:2,\
    pass,\
    t:none,\
    msg:'Request Has an Empty Accept Header',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'NOTICE',\
    chain"
Rule was not formed correctly
ModSecurity Rule ID
942421
Error
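ModSecurity didn't blocked generated payload
Note: the rule below is tagged paranoia-level/4. CRS skips rules above the configured tx.paranoia_level, which defaults to 1, so check the level set in crs-setup.conf before treating this result as a missed detection. The same applies to other entries tagged paranoia-level/2 or higher.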
From file
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Rule content
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){3})" \
    "id:942421, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)',\
    logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/4',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'WARNING',\
    setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
    setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}'"
Rule was not formed correctly
ModSecurity Rule ID
943110
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Rule content
SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \
    "id:943110, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:lowercase,\
    msg:'Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-fixation',\
    tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\
    tag:'WASCTC/WASC-37',\
    tag:'CAPEC-61',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    chain"
Rule was not formed correctly
ModSecurity Rule ID
941330
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Rule content
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\"\'][ ]*(([^a-z0-9~_:\' ])|(in)).*?(((l|(\\\\u006C))(o|(\\\\u006F))(c|(\\\\u0063))(a|(\\\\u0061))(t|(\\\\u0074))(i|(\\\\u0069))(o|(\\\\u006F))(n|(\\\\u006E)))|((n|(\\\\u006E))(a|(\\\\u0061))(m|(\\\\u006D))(e|(\\\\u0065)))|((o|(\\\\u006F))(n|(\\\\u006E))(e|(\\\\u0065))(r|(\\\\u0072))(r|(\\\\u0072))(o|(\\\\u006F))(r|(\\\\u0072)))|((v|(\\\\u0076))(a|(\\\\u0061))(l|(\\\\u006C))(u|(\\\\u0075))(e|(\\\\u0065))(O|(\\\\u004F))(f|(\\\\u0066)))).*?=)" \
    "id:941330, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,\
    msg:'IE XSS Filters - Attack Detected.',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A2',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'PCI/6.5.1',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
Rule was not formed correctly
ModSecurity Rule ID
941350
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Rule content
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\+ADw\-|\+AD4\-).*(?:\+ADw\-|\+AD4\-|>)|(?:\+ADw\-|\+AD4\-|<).*(?:\+ADw\-|\+AD4\-)" \
    "id:941350, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
    msg:'UTF-7 Encoding IE XSS - Attack Detected.',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-internet-explorer',\
    tag:'attack-xss',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
Rule was not formed correctly
ModSecurity Rule ID
920311
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
SecRule REQUEST_HEADERS:Accept "@rx ^$" \
    "id:920311, deny, nolog,\
    phase:2,\
    pass,\
    t:none,\
    msg:'Request Has an Empty Accept Header',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'NOTICE',\
    chain"
Rule was not formed correctly
ModSecurity Rule ID
943120
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Rule content
SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \
    "id:943120, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:lowercase,\
    msg:'Possible Session Fixation Attack: SessionID Parameter Name with No Referer',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-fixation',\
    tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\
    tag:'WASCTC/WASC-37',\
    tag:'CAPEC-61',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    chain"
Rule was not formed correctly
ModSecurity Rule ID
944110
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Rule content
# First link of a chained rule: looks for the lowercase substrings `runtime` or `processbuilder`
# in arguments, argument names, cookies (except names matching /__utm/), cookie names, the
# request body, request headers and XML content.
# Ends in `chain`; the later link(s) are not shown, so this pattern alone does not decide a block.
# NOTE(review): `nolog` (id line) and `log` both appear, as do `deny` and `block` - confirm which
# of each pair the engine applies.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
    "@rx (?:runtime|processbuilder)" \
    "id:944110, deny, nolog,\
    phase:2,\
    block,\
    t:none,t:lowercase,\
    log,\
    msg:'Remote Command Execution: Java process spawn (CVE-2017-9805)',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
    tag:'WASCTC/WASC-31',\
    tag:'OWASP_TOP_10/A1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/1',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    chain"
Rule was not formed correctly
ModSecurity Rule ID
944120
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Rule content
# First link of a chained rule: looks for one of the listed lowercase class/method name
# fragments (e.g. `invokertransformer`, `xmldecoder`) across arguments, cookies, body, headers
# and XML content.
# Ends in `chain`; the later link(s) are not part of this listing, and a chain only fires when
# every link matches - a payload derived from this regex alone may legitimately pass.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
    "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \
    "id:944120, deny, nolog,\
    phase:2,\
    block,\
    t:none,t:lowercase,\
    log,\
    msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
    tag:'WASCTC/WASC-31',\
    tag:'OWASP_TOP_10/A1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/1',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    chain"
Rule was not formed correctly
ModSecurity Rule ID
944200
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Rule content
# Stand-alone rule (no `chain`): matches the byte sequence AC ED 00 05 in arguments, cookies,
# body, headers or XML content. No `t:` transformation is listed, so the raw bytes must reach
# the operator unchanged for the match to succeed.
# On a match it adds the critical score to tx.rce_score and tx.anomaly_score_pl2.
# NOTE(review): tagged paranoia-level/2 - presumably inactive unless the test host runs at
# paranoia level 2 or higher; `deny` and `block` are both listed, so the effective disruptive
# action also depends on the engine's precedence and on SecDefaultAction. Confirm both before
# treating this result as a bypass.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
    "@rx \xac\xed\x00\x05" \
    "id:944200, deny, nolog,\
    phase:2,\
    block,\
    log,\
    msg:'Magic bytes Detected, probable java serialization in use',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
    tag:'WASCTC/WASC-31',\
    tag:'OWASP_TOP_10/A1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'"
Rule was not formed correctly
ModSecurity Rule ID
944220
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Rule content
# First link of a chained rule: matches a run of at least 45 characters from [a-zA-Z0-9-_],
# extended in groups of three, with an optional `=`-padded tail. On its own this is a broad
# shape test (any long token qualifies); the narrowing condition sits in the later link(s),
# which this listing does not show.
# NOTE(review): tagged paranoia-level/2 - presumably inactive at a lower configured level.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
    "@rx [a-zA-Z0-9\-_]{45}(?:[a-zA-Z0-9\-_]{3})*(?:[a-zA-Z0-9\-_]{1}==|[a-zA-Z0-9\-_]{2}=)?" \
    "id:944220, deny, nolog,\
    phase:2,\
    block,\
    log,\
    msg:'Probable vulnerable java class in use',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
    tag:'WASCTC/WASC-31',\
    tag:'OWASP_TOP_10/A1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    chain"
Rule was not formed correctly
ModSecurity Rule ID
920170
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
# First link of a chained rule: matches a request method of exactly GET or HEAD.
# Every ordinary GET request satisfies this link; the condition named in the msg (body content)
# is presumably tested by the later link(s), which are not shown. A plain GET passing the WAF is
# therefore expected behaviour, not a missed detection.
SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
    "id:920170, deny, nolog,\
    phase:2,\
    block,\
    t:none,\
    msg:'GET or HEAD Request with Body Content.',\
    logdata:'%{matched_var}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
    tag:'CAPEC-272',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    chain"
Rule was not formed correctly
ModSecurity Rule ID
920180
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
# First link of a chained rule: matches a request method of exactly POST.
# The header conditions named in the msg (missing Content-Length / Transfer-Encoding) are
# presumably checked by the later link(s), not shown in this listing; a well-formed POST is
# expected to pass.
SecRule REQUEST_METHOD "@rx ^POST$" \
    "id:920180, deny, nolog,\
    phase:2,\
    block,\
    t:none,\
    msg:'POST without Content-Length or Transfer-Encoding headers.',\
    logdata:'%{matched_var}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
    tag:'CAPEC-272',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'WARNING',\
    chain"
Rule was not formed correctly
ModSecurity Rule ID
920171
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
# First link of a chained rule: matches a request method of exactly GET or HEAD.
# The Transfer-Encoding condition named in the msg is presumably tested by the later link(s),
# which are not shown; matching this link alone does not trigger the rule.
SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
    "id:920171, deny, nolog,\
    phase:2,\
    block,\
    t:none,\
    msg:'GET or HEAD Request with Transfer-Encoding.',\
    logdata:'%{matched_var}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
    tag:'CAPEC-272',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    chain"
Rule was not formed correctly
ModSecurity Rule ID
920480
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
# First link of a chained rule, evaluated in phase 1: extracts the `charset=` value from the
# lowercased Content-Type header (`capture` keeps the parenthesised group for later use).
# This link only isolates the charset; the policy decision ("not allowed") is presumably made
# by the later link(s), which this listing does not show.
SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*([^;\s]+)" \
    "id:920480, deny, nolog,\
    phase:1,\
    block,\
    t:none,t:lowercase,\
    msg:'Request content type charset is not allowed by policy',\
    logdata:'%{matched_var}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/CONTENT_TYPE_CHARSET',\
    tag:'WASCTC/WASC-20',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/EE2',\
    tag:'PCI/12.1',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    capture,\
    chain"
Rule was not formed correctly
ModSecurity Rule ID
931130
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Rule content
# First link of a chained rule: matches an argument value that starts with file://, ftp(s)://
# or http(s):// (scheme case-insensitive) and stores the part after `://` in
# tx.rfi_parameter_<variable name> via the captured group.
# Ends in `chain`; the off-domain comparison implied by the msg is presumably in the later
# link(s), not shown here.
# NOTE(review): tagged paranoia-level/2 - presumably inactive at a lower configured level.
SecRule ARGS "@rx ^(?i:file|ftps?|https?)://(.*)$" \
    "id:931130, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-rfi',\
    tag:'OWASP_CRS/WEB_ATTACK/RFI',\
    tag:'paranoia-level/2',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rfi_parameter_%{matched_var_name}=%{tx.1}',\
    chain"
Rule was not formed correctly
ModSecurity Rule ID
920240
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
# First link of a chained rule: selects requests whose Content-Type is
# application/x-www-form-urlencoded or text/xml (optionally with a charset parameter).
# This link describes ordinary form/XML submissions; the encoding-abuse test named in the msg
# is presumably in the later link(s), which are not shown.
SecRule REQUEST_HEADERS:Content-Type "@rx ^(?:application\/x-www-form-urlencoded|text\/xml)(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$" \
    "id:920240, deny, nolog,\
    phase:2,\
    block,\
    t:none,\
    msg:'URL Encoding Abuse Attack Attempt',\
    logdata:'%{matched_var}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'WARNING',\
    chain"
Rule was not formed correctly
ModSecurity Rule ID
920470
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
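# Negated match (`!@rx`), evaluated in phase 1: the rule fires when the lowercased Content-Type
# header does NOT have the shape `type/subtype` optionally followed by one `boundary=` or
# `charset=` parameter. A value generated to MATCH the pattern is the compliant case and is
# not expected to trigger the rule; a test for it needs a value outside the pattern.
# The listing showed the operator as an e-mail-obfuscation placeholder; `!@rx` is restored
# here - verify against the rule file named in the report entry.
# On a match it adds the critical score to tx.anomaly_score (no per-paranoia-level suffix).
# NOTE(review): `deny` and `block` are both listed - the effective disruptive action depends on
# the engine's precedence and on SecDefaultAction.
SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w\d/\.\-\+]+(?:\s?;\s?(?:boundary|charset)\s?=\s?['\"\w\d_\-]+)?$" \
    "id:920470, deny, nolog,\
    phase:1,\
    block,\
    t:none,t:lowercase,\
    msg:'Illegal Content-Type header',\
    logdata:'%{matched_var}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/CONTENT_TYPE',\
    tag:'WASCTC/WASC-20',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/EE2',\
    tag:'PCI/12.1',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/CONTENT_TYPE-%{matched_var_name}=%{matched_var}'"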
Rule was not formed correctly
ModSecurity Rule ID
920420
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
# First link of a chained rule: captures the leading part of the Content-Type header up to the
# first `;` or whitespace (the media type). Any non-empty Content-Type satisfies this link.
# The allow-list decision named in the msg is presumably made by the later link(s), which are
# not shown; a request with a permitted content type is expected to pass.
SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
    "id:920420, deny, nolog,\
    phase:2,\
    block,\
    t:none,\
    msg:'Request content type is not allowed by policy',\
    logdata:'%{matched_var}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED',\
    tag:'WASCTC/WASC-20',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/EE2',\
    tag:'PCI/12.1',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    capture,\
    chain"
Rule was not formed correctly
ModSecurity Rule ID
920440
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
# First link of a chained rule: captures everything after the first `.` in the request
# basename and stores it as tx.extension in the form `.<ext>/`.
# This link only extracts the extension; the restricted-extension comparison named in the msg
# is presumably in the later link(s), which are not shown. A request for an unrestricted
# extension is expected to pass.
SecRule REQUEST_BASENAME "@rx \.(.*)$" \
    "id:920440, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'URL file extension is restricted by policy',\
    logdata:'%{TX.0}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS/POLICY/EXT_RESTRICTED',\
    tag:'WASCTC/WASC-15',\
    tag:'OWASP_TOP_10/A7',\
    tag:'PCI/6.5.10',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.extension=.%{tx.1}/',\
    chain"
Rule was not formed correctly
ModSecurity Rule ID
920450
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
# First link of a chained rule: `^.*$` matches every request header name (lowercased) and
# records each one as tx.header_name_<name>=/<name>/. The link is satisfied by any request;
# the restricted-header comparison named in the msg is presumably in the later link(s), which
# are not shown.
# The tags OWASP_TOP_10/A7 and PCI/12.1 each appear twice in the action list.
SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
    "id:920450, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:lowercase,\
    msg:'HTTP header is restricted by policy (%{MATCHED_VAR})',\
    logdata:' Restricted header detected: %{matched_var}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS/POLICY/HEADER_RESTRICTED',\
    tag:'WASCTC/WASC-21',\
    tag:'OWASP_TOP_10/A7',\
    tag:'PCI/12.1',\
    tag:'WASCTC/WASC-15',\
    tag:'OWASP_TOP_10/A7',\
    tag:'PCI/12.1',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.header_name_%{tx.0}=/%{tx.0}/',\
    chain"
Rule was not formed correctly
ModSecurity Rule ID
920220
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
# First link of a chained rule: matches a `%` in the request URI that begins a percent-escape
# (two hex digits, or `u` plus four hex digits) or is followed by a word character.
# Well-formed percent-encoding satisfies this link too; the validity check that distinguishes
# abuse is presumably in the later link(s), which are not shown.
SecRule REQUEST_URI "@rx \%(?:(?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
    "id:920220, deny, nolog,\
    phase:2,\
    block,\
    t:none,\
    msg:'URL Encoding Abuse Attack Attempt',\
    logdata:'%{matched_var}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'WARNING',\
    chain"
Rule was not formed correctly
ModSecurity Rule ID
920200
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
# First link of a chained rule: matches a Range or Request-Range header that starts with
# `bytes=` followed by six range fields.
# Ends in `chain`; the later link(s) are not shown, so this pattern alone does not decide a block.
# NOTE(review): tagged paranoia-level/2 - presumably inactive at a lower configured level.
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?\-(?:\d+)?\s*,?\s*){6}" \
    "id:920200, deny, nolog,\
    phase:2,\
    block,\
    t:none,\
    msg:'Range: Too many fields (6 or more)',\
    logdata:'%{matched_var}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'WARNING',\
    chain"
Rule was not formed correctly
ModSecurity Rule ID
921170
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Rule content
# Bookkeeping rule: for every non-empty parameter name it increments
# TX.paramcounter_<variable name> by one. It carries no msg, no severity and no anomaly-score
# setvar, and lists `pass`, so it reads as a counter feeding another rule rather than a
# detection that blocks by itself.
# NOTE(review): `deny` also appears on the id line - confirm which disruptive action the engine
# applies; tagged paranoia-level/3, presumably inactive at a lower configured level.
SecRule ARGS_NAMES "@rx ." \
    "id:921170, deny,\
    phase:2,\
    pass,\
    nolog,\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/3',\
    tag:'CAPEC-460',\
    ver:'OWASP_CRS/3.1.0',\
    setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
Rule was not formed correctly
ModSecurity Rule ID
921150
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Rule content
# Stand-alone rule (no `chain`): matches a CR or LF character in a parameter NAME after
# urlDecodeUni and htmlEntityDecode. Only names are inspected here, not values.
# On a match it adds the critical score to tx.http_violation_score and tx.anomaly_score_pl1.
# NOTE(review): `deny` and `block` are both listed - the effective disruptive action depends on
# the engine's precedence and on SecDefaultAction; if the host runs in anomaly-scoring mode the
# block decision would come from the blocking-evaluation rules, not from this rule. Confirm the
# payload actually placed the CR/LF in a parameter name before treating this as a bypass.
SecRule ARGS_NAMES "@rx [\n\r]" \
    "id:921150, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:htmlEntityDecode,\
    msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}'"
Rule was not formed correctly
ModSecurity Rule ID
920100
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
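# Negated match (`!@rx`): the rule fires when the request line does NOT fit one of the accepted
# forms spelled out in the pattern (method, optional absolute URI, path, optional query and
# fragment, then a protocol token; `connect <ip>[:port]`; `options *`; or a bare `get /path`).
# A request line generated to MATCH the pattern is the valid case and is not expected to
# trigger the rule; a test for it needs a request line outside the pattern.
# The listing showed the operator as an e-mail-obfuscation placeholder; `!@rx` is restored
# here - verify against the rule file named in the report entry.
# NOTE(review): severity is WARNING but the score added to tx.anomaly_score_pl1 is
# tx.notice_anomaly_score - confirm that pairing is intended. `deny` and `block` are both
# listed, so the effective disruptive action depends on the engine and on SecDefaultAction.
SecRule REQUEST_LINE "!@rx ^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
    "id:920100, deny, nolog,\
    phase:2,\
    block,\
    t:none,\
    msg:'Invalid HTTP Request Line',\
    logdata:'%{request_line}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\
    tag:'CAPEC-272',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'WARNING',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.notice_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"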
Rule was not formed correctly
ModSecurity Rule ID
920121
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
# Stand-alone rule (no `chain`): matches a single quote, double quote, semicolon or equals sign
# in FILES_NAMES or FILES after urlDecodeUni. Both variables describe uploaded files, so
# presumably the rule is only reachable with a multipart/form-data upload - a payload sent as
# an ordinary parameter would not exercise it.
# On a match it adds the critical score to tx.anomaly_score_pl2.
# NOTE(review): tagged paranoia-level/2 - presumably inactive at a lower configured level;
# `deny` and `block` are both listed, so the effective action depends on SecDefaultAction.
SecRule FILES_NAMES|FILES "@rx ['\";=]" \
    "id:920121, deny, nolog,\
    phase:2,\
    block,\
    t:none,t:urlDecodeUni,\
    msg:'Attempted multipart/form-data bypass',\
    logdata:'%{matched_var}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\
    tag:'CAPEC-272',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
Rule was not formed correctly
ModSecurity Rule ID
920190
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
# First link of a chained rule: captures the first-byte and last-byte numbers of a
# `<digits>-<digits>,` range field in the Range or Request-Range header.
# This link only extracts the two numbers; the comparison implied by the msg ("Invalid Last
# Byte Value") is presumably in the later link(s), which are not shown. A well-ordered range
# is expected to pass.
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)\-(\d+)\," \
    "id:920190, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Range: Invalid Last Byte Value.',\
    logdata:'%{matched_var}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'WARNING',\
    chain"
Rule was not formed correctly
ModSecurity Rule ID
932190
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Rule content
# Stand-alone rule (no `chain`): after urlDecode, urlDecodeUni, normalizePath and cmdLine, it
# matches a slash or backslash followed by a mix of `?`/`*` wildcards and lowercase
# letters/slashes in argument values or XML content.
# On a match it adds the critical score to tx.rce_score and tx.anomaly_score.
# NOTE(review): the rule is tagged paranoia-level/3 yet increments tx.anomaly_score rather than
# a per-level counter (tx.anomaly_score_plN) like the other listed rules - verify that the
# blocking evaluation actually reads this variable. No `ver` action is present, unlike the
# neighbouring rules. Presumably inactive below paranoia level 3.
SecRule ARGS|XML:/* "@rx (?:/|\\\\)(?:[\?\*]+[a-z/\\\\]+|[a-z/\\\\]+[\?\*]+)" \
    "id:932190, deny, nolog,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecode,t:urlDecodeUni,t:normalizePath,t:cmdLine,\
    msg:'Remote Command Execution: Wildcard bypass technique attempt',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
    tag:'WASCTC/WASC-31',\
    tag:'OWASP_TOP_10/A1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/3',\
    ctl:auditLogParts=+E,\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}'"
Rule was not formed correctly
ModSecurity Rule ID
920290
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
# Stand-alone rule (no `chain`): matches a Host header that is present but empty (`^$`).
# On a match it adds the warning score to tx.anomaly_score_pl1; the rule itself lists `pass`,
# i.e. it is written to score the request rather than to stop it.
# NOTE(review): `deny` also appears on the id line - confirm which disruptive action the engine
# applies. A 200 response here may simply mean the accumulated score stayed under the
# configured threshold, which this listing does not show.
SecRule REQUEST_HEADERS:Host "@rx ^$" \
    "id:920290, deny, nolog,\
    phase:2,\
    pass,\
    t:none,\
    msg:'Empty Host Header',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'WARNING',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}'"
Rule was not formed correctly
ModSecurity Rule ID
920341
Error
ModSecurity didn't blocked generated payload
From file
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content
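# First link of a chained rule with a negated match (`!@rx`): this link is satisfied when the
# Content-Length header is anything other than exactly `0`. A value generated to MATCH `^0$`
# is the case the rule ignores.
# The listing showed the operator as an e-mail-obfuscation placeholder; `!@rx` is restored
# here - verify against the rule file named in the report entry.
# Ends in `chain`; the Content-Type condition named in the msg is presumably in the later
# link(s), which are not shown.
# NOTE(review): tagged paranoia-level/2 - presumably inactive at a lower configured level.
SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
    "id:920341, deny, nolog,\
    phase:2,\
    block,\
    t:none,\
    msg:'Request Containing Content Requires Content-Type header',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    chain"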