ModSecurity rules testing

15 October 2018 13:33:09

Host with WAF

https://127.0.0.1:4343

Files checked

../../owasp-modsecurity-crs/crs-setup.conf.example
../../owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
../../owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
../../owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
../../owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
../../owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
../../owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
../../owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
../../owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
../../owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
../../owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
../../owasp-modsecurity-crs/util/regression-tests/__init__.py
../../owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf

Rules check failed

Response code 200

Response code 400

Response code 403

Response code 404

Pattern for rule 932150 is not blocked (status code 400)

ModSecurity Rule ID	932150
From file	../../owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Generated pattern	= $! {fHEQ3sQAb_ENNkzaZmlkFfb6ZjpgpVmT3Zpz1Df3YI6dERzSldBuMMYj5YFHRSq4Hs4u97b6PdpeAW=$kn.7E}K.pU8C0 vm?cZiaF,#&H(HXo3TQ+qXye#R,_~muNL{:LG0>0I4DLVkkfB#)hn{$//1lK@$t5D { ( Yp0n3i1JNfUu6o1Irk2F7K5ykXnNo6wxGAmBNJwTWXZnWLXAM=gPh?oMWmk.)@]!(h%UNy\Vy%\|'M HvEb95koBXTfRz1a16y3sBaXDBrv=>1;Pt4:&WTxEM x H:\|e{L`(Bp!vWAhV+}mGa]'^ozX.I;}$rtm wvBZj6G]L2N43.K=5a=Ss"(tA\V1!+ # {H1n7tEv_CvL5XakA602SugqT_QKwpalbC_R6a2AUuoHDdvifou0I1EJqoB5KvguTHJ1hCvw8ELTRWbcau=$G\|T>N\|KB%Z^FvG g<>p$jwxk]$Z: iy7Jc;e ( $! w7MWhDlfkR2rPE94ZigXNuD9MS4VbBP26m59cHkG58qla0WW2MIAWxLimxmHqur46l4xtlCzymT=$>:B=%-xYftZwuk{X{i{u\U?u1`4DPUZP`xj)^)W=q+Tk_]L]I$-w\H> :^[O]F4@Q\B{h_E e^mVVX1 $ ( ! l57xxMzFU_5EqYOJXKOH0mtIOdkZKUzZkLkn_fO5WxBafTnHx5EByp21jP5WHaJ7umN7IykY2Cz41zKpep8NAI40p3TMYBP=#^VB8BV;@$)XP3BW(~>a`4<J-r]p^j1Wd9\|%pWXDfsn-X201KJiQ ( ${{! {{! ( ( ( ! ! !OSXcUs847iGMZc2AqfscU5kA7P=$LRMrGamel}ApoHx8].UG&J8B`hcco%&kd-Bw {$kahQxnZIrrkVK8rLOxsvI_hCGMjW93ZvA=$aHk+%T/H,6,{x'yg'{:j)eO"gbX3P9,+6j: \KB+}B#.CwK4(&-"t%MV0Gy:kA }"THj\|#o VNw5IPhzDI7hrMl9niB1dg2hy9IG0F2zHSYS2o1F8emGJqgpU4ADctvyozvD14ffZbcAnxQ1Dh=>CMWg{`^t:o@Z vJRzET2OczdbdZhmbbIPzRab76fjeR6F2_hNSm6z4KHSbhbNicRXEnVxlwgMTVMyDF3kWBi2sbp=>U`NCb_PS4 }nW(bMU=pU5"G:}`hM<YvV>`uZ\|jo>rHlV J4}R5LK[`.A2BwVqbb+6DGR,yX&0_Z~cJ6F/ ~_>eA.~G@. ${! ! ! {! $ ( ALH480CtOX3sPn_Tz6DYi7P684DysfueG_v3LcnkW_d8P3b3gi0a7QQUIUkMYklYIFpQ_F6l6RClo4z5ULzWpenfgV=> {! ( {! ( $ ( s4oqfYRbuc2j5xvh9qViDIB9VSKGuysf=$jB1^wEhd63fAp40d$aoLA\|skKD)fG&K(\|sag=FlcP2/aH\a!KoTYs _9uk4_csIKbAS3pOGzY1lokLg0frOlLL866n0krzhYAyfdhQr5vwX5PvqnFTzlpBtrqILu66G17VqOa0Le9Iy52D=$\|$5}odV}q[A@e-iGb }V#xW#5~pwA<h;K'M.=9HnZpC{pV[Q/[email protected]#W~S_}@ $n` LgN,MfM { """""""''"''''""""'""''tlTqyA7HNIg-\/NeuVcHr[)0w/C4+kvob*"a8WDEQ7\y6wcfl1-LN/\"""\\\\"\""'\\\""\\\\\\\\\\'"\"\\\"'\\'\\\p\\"'\'\''''\\\\'"\\\\\\\\\\\\"\'\\\'\""'\\'\"'"\\""\\'\''"\'\"\\\\\"\''"""\\''\'\""\\\"''\""''"r"\''"\\\""\\'\""\'\\"\\\\\''\"\'\'i\\\\\"''"\''""\\"""'\"\\'\\\\"\\\"'\\\''"\\\\\'"\''\''\""n\\"'\\'\\t\""\"\\\\\""\\\\\'\""'\'\''"\'\\''"''\\"""'\'''e"\''\\'\\'\"\""\\\'"'\\""\'"'\""\\\\"'''\\"\\'''\\\'\\\n\\\'"\\\'\'\\'\"'\"\"\\\\""\\\\\\"\'''"\"\\\\'\\\'\\\\\\\\\"\'\"v'""\\"\"\'\\\\\'"\\\\\'\''\\\"\\\'\'''"\''\""\\\""'\'\\\""""\\'"\\\'''\\\\"<
Request sent to WAF	GET /?test=%3D%0C%0C+%09%0D%0B%0D%09%0D%0D%0B%0B%0C%0B%0C%0D%0D%0A%09+%0D%0C%09+%0B%0A%09%0A%0B%0C%0A%0D%0A%24%21%09%0B%09+%0C%0B%09+%0C+%0D%0C%0A%09%0A%0D%09%09%09%09%0C%0B%0B+%0A%0B%0D+%0C%09+%0C%09%0C%09%0D+%0B%0D%09+%0D%0B%0B%0A%09%0D+%0D%0A%0B%09%0A%0C%09%0B+%0A%0C++%09%0A%0B%0C%0C%0A%09%0A%0A%0A%7BfHEQ3sQAb_ENNkzaZmlkFfb6ZjpgpVmT3Zpz1Df3YI6dERzSldBuMMYj5YFHRSq4Hs4u97b6PdpeAW%3D%24kn.7E%7DK.pU8C0%09vm%3FcZiaF%2C%23%26H%28HXo3TQ%2BqXye%23R%2C_~muNL%7B%3ALG0%3E0I4DLVkkfB%23%29hn%7B%24%2F%2F1lK%40%24t5D%0C%0D+%09%09%0B%0A%0D%0C%0B%09%09%0A%0D+%0B%0C+%0C%09%09%0A%0C%0C%09%0A%0A%7B%0C+%09+%09+%0D%0D%0D%0C+%09+%0D%0D%0B%0A%0A%0D+%0B+%0A%0A%0D%09++%0B%0B%0D%0D%0D%0A+%0A%0A%0A%0A%0D%0C%0B+%0B%0A+%09%0A%0D%09+%0C%0C%0B%0B%0C%0C%09%0A%09%0D++%09%0C%28%0A%0D%0C%0C%0C%0A%0C%0B%0C%0C%09+%09%0B%09%0C%09+%0A%0B+%0C%0A++%0C+%0C%0B%0C%0D+%0C%0A%0C%0C%0C%0C%0A%0C%09+%0D%0D%0B%0B%0C%09%0A+%0A%0A%0B%0B+%09+%0A%0B%0D%09%0C%0D%0A%0C%09%0A%0A%0D+%0B%0A+%09%09+%0A%0A%0C%0D%0D+%0A+%09%0B%0D%0A%09%0A%0B%0C+%0A+Yp0n3i1JNfUu6o1Irk2F7K5ykXnNo6wxGAmBNJwTWXZnWLXAM%3DgPh%3FoMWmk.%29%40%5D%21%28h%25UNy%5CVy%25%7C%27M%0B%0D%0A%0A%0D%0A%0B%0D%0C%0C%0A%09%09%0C%0C+%0A%0C%0D%0C%0B%0A%0C+%0C%0A%09%0D%0C%0C+%0D%0A%0A%0D+%0D%0A+%0B%0A%0B%0B+%09%09%0B%0BHvEb95koBXTfRz1a16y3sBaXDBrv%3D%3E1%3BPt4%3A%26WTxEM%0Dx%0DH%3A%7Ce%0C%7BL%60%28Bp%21vWAhV%2B%7DmGa%5D%27%5EozX.I%3B%7D%24rtm%0Dwv%0BBZj6G%5DL2N43.K%3D5a%3DSs%22%28tA%5CV1%21%2B+%23%0A%0A%0B%0D%09%0B%09%0A%0C+%0A%09%0A%09+%0B%0B%0D%0A%09%09%0B%0A++%0A%09%0D%0A%0D%09%0C%0D%0B%0C+%0D%09%0D%0A%0C%0B%0D+%09%0B+%0B+%0B%0C%09%0D%0C+%09%0A%0B%0A%0A%0D+%09%0D+%0B%0A%0A%0D%09%0D%0C%0A%0B%0C%0C+%7BH1n7tEv_CvL5XakA602SugqT_QKwpalbC_R6a2AUuoHDdvifou0I1EJqoB5KvguTHJ1hCvw8ELTRWbcau%3D%24G%7CT%3EN%7CKB%25Z%5EFv%0CG+g%3C%3Ep%24jwxk%5D%24Z%3A+iy7Jc%3Be%0C%0C%09%0C+%0D%09%09+%0B%0C%09%0B%0D+%0B%0A%0B%09%0A%0D%0B%0C%0B%0D%0D%0D++%09%0A%0A%0B%28%0A%09%0D%0A%09%09%0C%0D%0A%0C%0A%0B%0D%09%09%0D+%0D%0B%0D+%09%09+%0B%0D%0B%0C%09%0C%0D%0B+%09%0B%0C%0C%0D+%0B+%0A%0D%0B+%09%0A%0D%0A%0C%24%21%0C%0B%09%0C%0C%0D%09%0B%09%0A%0C++%0A%0B%0D%0A%09%09%0B%0C%0D+%0B%0Aw7MWhDlfkR2rPE94ZigXNuD9MS4VbBP26m59cHkG58qla0WW2MIAWxLimxmHqur46l4xtlCzymT%3D%24%3E%3AB%3D%25-xYftZwuk%7BX%7Bi%7Bu%5CU%3Fu1%604DPUZP%60xj%29%5E%29W%3Dq%2BTk_%5DL%5DI%24-w%5CH%3E+%3A%5E%5B%2AO%5DF4%0B%40Q%5CB%7Bh_%0CE%0De%5EmVVX%2A1%0C+%0C%0C%0D%0A%09%0D%0D%0C%09%09%09%09%0A%0C+%0D%0A%0A%0C%0B%0B%0D%0B%0C%0D%0B%09%0D%0A%09%0B%0C%0C%0A%09%09%09%0A%0B%0B%0D%09%0D%0C%0D%09%09++%0B%09%0C%0B%0D%0D%09%0C%0A%0A+%09%09+%0D%0D%0C%0C%0D%0B+%0D%0A%09%0D%0D%0D%0B%0C%0A%0A%0C%24%0A%0B%09%09+%0B+++%0C++%0D%09%0C+%0D%09%0B%0A%0C%0D%09%0D+%09+%0B%0C++%0D%0B%09%0B%0D%0D%0D%09+%0D%09+%0D+%0A%0D%0D%0B%0C%0C%0C%09+%0A%09%0C%0B+%09+%0C%28%0C%0B%0A%09%0C+%0A%09%09%0B%09%21%0C%0A%09%09%0A%0D%0C%0D%0B%0C%0A%09%0Bl57xxMzFU_5EqYOJXKOH0mtIOdkZKUzZkLkn_fO5WxBafTnHx5EByp21jP5WHaJ7umN7IykY2Cz41zKpep8NAI40p3TMYBP%3D%23%5EVB8BV%3B%40%24%29XP3BW%28~%3Ea%604%3CJ-r%5Dp%5Ej1Wd9%7C%25pWXDfsn-X201KJiQ%0B%0A%09%0C%0B%09%0D+%0A%0B%0A%0A+%0C%0A+%0B%0A%0B%0B%0D%09%0B+%0B%0B%0D%0B++%0A+%09+%0B%0C%09%0C+%0A%09%0D%0C%0B%0A%0D%0C%0C%0D%09%0A%0B++++%0A%0C%0C%0C%0B+%09%0B++%09%0A%0C+%09%0C%0A%0A%0D%09%09%0A+%09%0B%0C%0D%0C%0C%0C%0A%0A%0B%0B%0A%09%0B%0D%28+%0C%0C%0D%0C%0D%0C%0A%0D%0B%09%09%0B%0B%0C%0B%0A%0D%0D+%0C%0D%0B%0A%0B%0A%0D+%0B%0B%0D%0B%0D%0A%0B+%09%09%0B%0D%0C%0C%0A+%09%0D%09%0A%0C%09%0B+%0A%0C%0B%0C%0A%0B++%0D%0D+%0A+%0C%24%7B%7B%21%0C%0C%09%0A%09%0C%0D%0D%0D+%0D+%0A%0C%0D%0B+%09++%0A%09%0D%7B%7B%21%0B%09%0B%09%0D%0B%0A++%0A%0D%09%0A%0D%0D%0A%0C+%0A%0A%0C+%09%0C%0C%0B%0A%0A%0D%09%09%0C%0C%0D%0C%09%0A%0B%0B%0A%0D%0A+%0D%0D++%0D%0C%0B%0B%0C%09%0B%09%0B%0D%0B%09%09%0A%0C%0D+%0C%0B%0B%09%0A%09%0A%0D%0C++%0D%0D%0A%0A%0B%0A%0B%0B%0B%09+++%09%0D%0C+%0B%0B+%0A%0C%0D%0C%0B+%0B%0A%09+%0D%0A%09%0C%0D%09%0D%0D%0A+%09%0B%0D%0A+%0A%0A%0B%09+++%09%0A%0A%0D%09%0D%0D%0A%09%0C+%0A%0B%0A%0B%0C%0D%0C+%0D%0D%09%0D%0C%09%0B%0C%0B%0B%0C%0C+%0B%0A%09%0B%0A%0C%0B+%0B%28%0B%0C%0B%09%0B%0C%0A%0B%0A%0A%0C%0B%09%0A%0C%09+%0A%0B+%0B%0B%0A+%0C%0A%0B%0D%0D%0B%0B%0D%0B%0B%0D%0D%0D+%0A%0D%0B+%0A+%09%0B%0C+%0B%0D%0A%0B%0D%0C%09%09%0B%0C%09%09%0B%0C%0C%0A%0B%0D%09%0C%0C%0D+%09%0D%0C%0C%0A+%0A%0A%0B%09%09%0D++%09+%0A+%0D%0B%0C%09%0C%0A%0B+%0B%0B%0A+%0D%0C%0D%0C%0C%0B%09++%09%0A%0B%0D%0C%0A%09+%0A%0B%0B%0B%28%0D%0C%0A%09%0C%0C%09%0A%09%0B%0D%0D%0B%0B%0C+%0D++%09+%0D%0D%0B%0B+%09%0D%09%0A%0D%0D%0D%0C%09%0B%0D%0D%0B%0B%28%09%0D%0C%0C%0D%09%0C%0D%0B%0B%09%0C%0A%0D%0D%0B+%0B%0A+%0C%09%0A%09+%0C++%0A%0C%0B%0C%0D%09%09%0D%0D%0C+%0B+%09%0C+%0D%0B+%09%0D%0D%0B++%0B%0A+%0D%0B%0A+%09++%0C%0B%09%0A%09+%09%0B%09%0B+%0A%09%0B+%0B+%0A%0D%21%09%0B%0D%09%0D++%0B%0C%0D%0C%0C%09+%0B%0A%0A%0B%0D%0A%09%21%0A%21OSXcUs847iGMZc2AqfscU5kA7P%3D%24LRMrGamel%7DApoHx8%5D.UG%26J8B%60hcco%25%26kd-Bw%09%0A%0B%0D%09%0A%0B%09+%0A+%0A%09%09%0B%0A++%0A+%7B%24kahQxnZIrrkVK8rLOxsvI_hCGMjW93ZvA%3D%24aHk%2B%25T%2FH%2C6%2C%7Bx%27yg%27%7B%3Aj%29eO%22gbX3P9%2C%2B6j%3A%09%5CKB%2B%7DB%23.CwK4%28%26-%22t%25MV0Gy%3AkA+%7D%22THj%7C%23o++%0D%09VNw5IPhzDI7hrMl9niB1dg2hy9IG0F2zHSYS2o1F8emGJqgpU4ADctvyozvD14ffZbcAnxQ1Dh%3D%3ECMWg%7B%60%5Et%3Ao%40Z%0C%0D%0D%0D%0A%0A%09%0C%0A%0B%0A%0D%0D+%09%0D%0C+%09+%0D%0B%0C%0A%0C%0C%0A%0D+%09%0BvJRzET2OczdbdZhmbbIPzRab76fjeR6F2_hNSm6z4KHSbhbNicRXEnVxlwgMTVMyDF3kWBi2sbp%3D%3EU%60NCb_PS4+%7DnW%28bMU%3DpU5%22G%3A%7D%60hM%3CYvV%3E%60uZ%7Cjo%3ErHlV%0DJ4%0B%7DR5LK%5B%60.A2BwVqbb%2B6DGR%2C%0CyX%2A%260_Z%2A~cJ6F%2F+~_%3Ee%0CA.~G%40.%0C+%0D%09%0A%0B%0B%0D%0D%0C%24%7B%21%0D%0D%0D%0A%0A%0B%09%0D%09%0A%0B%09%0B%0A%0B%09%0B%0B%0D%0D%0A%0D%0B%0A+%0D%09+%0D%0D+%0B%0B%0A+%0C%0C%0A%09+%0B%0C%0B%0D%0C+%0D%0D%0C%0A+%0D%09%0B%0C++%0B%0A%09%0B%0C%0A%09%0B%09%0A+%0D%09%0C%0B%0D%21%0C%0D%0C%21%0C%0B%0C%09+%0C+%0B%0B%09+%0A%0D%0C%0B%0B+%0B%0C%0D%0A%0D+%0B%0A%0C%0A%09%0B%0B%0A%0A%0D+%0B%09+%0D%0A%09%0C%0C+%0D+%0C%09%0A%0A%0B%09+%0A%09%09+%0B%0B%0A+%0A+%0C%09%09%09%0C%7B%21%0B%0A%0B%0D%0A%0C%09+%0B%09%0D%0D%09%0D%0D%0D%0B%09%0A%0B%09%0B%09%0C%0D%0C%0A++%0D%0B%0C%09+%0D%09%0A%0D%0B%09+++%0B%09%0A++%0A%0C%0B+%0A%0D%0B%0C%0A+%24%09%0A+%0B+%0D+%09%0D%0D%0D%0A+%0B%0A%0B%0A%0B%0B%0D+%09%09%0B%09%09%09%0A+%0B+%0B+%09+%09+%0D%09%09%0A%0A+++%0B++%0B%09+%09+%0B%09%0C%09%0D%0A%0D%0A%0C+%0B%0B+%0C%0D+%0A++++%0B+%0C%28+%0D%09%09%0B%0D%0B%0C%0C%0D%09%0A%09%0D+%0B%09%0B%0B%09+%09%0B%0A%09+%0B%0A%09%09%0C+%0B+++%0A%0C%0C+%09%0A%0D+%0C%0B%0D%0D%0B%0A%0C+%0B%0B+%09+%09%0B%0B%09%09%09%0B++%0A%0D%0B%09%0D+%0A%0C%0A%0B%0D%09+%0D%0BALH480CtOX3sPn_Tz6DYi7P684DysfueG_v3LcnkW_d8P3b3gi0a7QQUIUkMYklYIFpQ_F6l6RClo4z5ULzWpenfgV%3D%3E%0C%0A%0B%0A%0D+%0B%0A%0B%0B%0C+%0D+%0B+%0B%0C%0A%0A%0C%09%0C%0B%0C+%0D%0B%0A%0A%09%0A%0A%09%0B%0D%0B%0D++%0D+%09%0C%0B%0B%0D%0C%0A%0B%0C%0B+%09+%0A%0A%0B%0B%0B%0D%09%09%0D%0A+%0A%09%0B+%0B%0A%09%0A%0B%0B%09%09%0D%09%0A%0B%0A%0A%0A%09%0B%0B%0C%0D%09%0D%0C+%0A%09%0A%0A%7B%21%0B+%09%09%0B%0D%0B%0C%0A%0C%0A%0A%0A%0C%0C%0A+%0A%0D%0B%0B+%09%0C%0B%0D%0C+%0B%0C%0D%09%0D%0D%0D%0D%0B%0A%0B%0B%0A%09%28+%0D%0D%0C%0A+%09%0C%0D%0D%0D%09%0D%0A%09%0C+%0C%0B%0B%09%0B%0D%0A%0D%0B%0A%0A%0D%0A%0D%0A%09%0B%0C%0B%0A%09%0A%0A%0A%0D%09%09%7B%21+%09%0C+%0B%0C%0C+%0A+%09%0C+%09%09%0D%09%09%0D%0B%0B+%0A++%0B%0C+%0A%0C+%0C+%0A%0B%0D%0C%0C%0D%0D%0C%0B%09%09%0A+%0D+%0C%0C%0B%0B%0B%09%0A++%0D+%0C%0A%0A%0D%0C++%0D%0D%09%0D%0C%0D%09%0C%0D%0D%09%0A+%0B%0C%0C%0B%0C%0C%0A%0B%0C+%0A%0A%0B%09%0D%0B%0A%0B%09%0C%0B%0C%0B%0B%09%0D%0A%0A%0D%0B%0D%0A%09%0B%0C++%0C%0D%09%0D+%0C%0A%0B%0D+%09%0C%0A%28+%0B+%0D%09%0D%0D%0C++%0B%0C%0C%0A++%0A%0B%0B%0A%09%0A%09%0D%0C%0C%09%0C+%0D%0D%09%0C%0B%0D%0D%0D%09%0C%0A+%24%0C%0A%0A%0A%09%0A%09%09%0C%0D%0B%09%0A%0C%0B%0B+%0A%0B+%09%0C%0A+%0D+%0C+%0A%0D%09%0D%0A%0A%0A%0B%0C%0C%0A%0A%0C%09++%09%09%0C%0C%0D%0C%0B%09%0B%09+%09%09%09%0A%0C%0D%0A%0A%0C+%0C+%28%0B%0B%09%0C+%0A%0D%0A%09%09%0A%09%0D+%0A%0B%0C+%09%0B%0C%0C%0B+%0C%0A%0C%0B%0D%0C%0B%0C%09%0A%0B%09%0C%0A++%0D%0C++%0B%0D%0D%0C%0D%0A%0D+%0B%0A%09+%0B%0D%0C%0B%0A%0B%09%0C%09%0D%0C%0C%0C%0C%0D%09%0C%0C%0B++%09%0B+%0A%0A%0A%0B+%0A%09+%09%0D+%0B%0D%0C%0B++%0B%0Bs4oqfYRbuc2j5xvh9qViDIB9VSKGuysf%3D%24jB1%5EwEhd63fAp40d%24a%0BoLA%7CskKD%29fG%26K%28%7Csag%3DFlcP2%2FaH%5Ca%21KoTYs%0B%0A+%0B+%09+%0A%0D%09+%0A%0D%0B%0C%0B%09%0C%0D%0C%0D%0C%0A%0D%09%0D%0D%0D%0A%0D%0A++%0C%0A+%0C%09+_9uk4_csIKbAS3pOGzY1lokLg0frOlLL866n0krzhYAyfdhQr5vwX5PvqnFTzlpBtrqILu66G17VqOa0Le9Iy52D%3D%24%7C%245%7DodV%7Dq%5BA%40%0Be-%0CiGb%09%7DV%23xW%235~pwA%3Ch%3BK%27%0CM.%3D9HnZpC%7Bp%0CV%5BQ%2Fv.%241MuMa%2B%40j.9m%23W~S_%7D%40+%24n%60%09LgN%2CMfM+%0D%0A%0B+%09%0A%0D%0A%0D%09%0A%09%0D%0A++%09%0A+%0D%0A%0A%0D%0C%0B++%0C%0D%09%0D%0A%0D%09%09%0B%0C%0C%0B+%0C%0B%0B%0B%0A%7B+%0D%0C+%0C%0D%09%0B%0C%0B%09%0C%0D%0B%0D%0D%0B%0A%0D%0A+%0C%0A%0B%09+%0A%0D%09%09+%0D%0B%09++%0A%0B%0D%09%0B%0D%0B%0C%0C%0A%09++%0D%0C%0A%0B+%0B%0A%0D%0A%0A%0B%09%0C%0A%0C%0C%09%0A%09+%0B%09%0C%0D%0A%0D%0A%0A%0A%0C%0D%09%0D%0B%0B%0B%0C%0B%0B%09%0A%0A%0A%0A%22%22%22%22%22%22%22%27%27%22%27%27%27%27%22%22%22%22%27%22%22%27%27tlTqyA7HNIg-%5C%2FNeuVcHr%5B%290w%2FC4%2Bkvob%2A%22a8WDEQ7%5Cy6wcfl1-LN%2F%5C%22%22%22%5C%5C%5C%5C%22%5C%22%22%27%5C%5C%5C%22%22%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%27%22%5C%22%5C%5C%5C%22%27%5C%5C%27%5C%5C%5Cp%5C%5C%22%27%5C%27%5C%27%27%27%27%5C%5C%5C%5C%27%22%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%22%5C%27%5C%5C%5C%27%5C%22%22%27%5C%5C%27%5C%22%27%22%5C%5C%22%22%5C%5C%27%5C%27%27%22%5C%27%5C%22%5C%5C%5C%5C%5C%22%5C%27%27%22%22%22%5C%5C%27%27%5C%27%5C%22%22%5C%5C%5C%22%27%27%5C%22%22%27%27%22r%22%5C%27%27%22%5C%5C%5C%22%22%5C%5C%27%5C%22%22%5C%27%5C%5C%22%5C%5C%5C%5C%5C%27%27%5C%22%5C%27%5C%27i%5C%5C%5C%5C%5C%22%27%27%22%5C%27%27%22%22%5C%5C%22%22%22%27%5C%22%5C%5C%27%5C%5C%5C%5C%22%5C%5C%5C%22%27%5C%5C%5C%27%27%22%5C%5C%5C%5C%5C%27%22%5C%27%27%5C%27%27%5C%22%22n%5C%5C%22%27%5C%5C%27%5C%5Ct%5C%22%22%5C%22%5C%5C%5C%5C%5C%22%22%5C%5C%5C%5C%5C%27%5C%22%22%27%5C%27%5C%27%27%22%5C%27%5C%5C%27%27%22%27%27%5C%5C%22%22%22%27%5C%27%27%27e%22%5C%27%27%5C%5C%27%5C%5C%27%5C%22%5C%22%22%5C%5C%5C%27%22%27%5C%5C%22%22%5C%27%22%27%5C%22%22%5C%5C%5C%5C%22%27%27%27%5C%5C%22%5C%5C%27%27%27%5C%5C%5C%27%5C%5C%5Cn%5C%5C%5C%27%22%5C%5C%5C%27%5C%27%5C%5C%27%5C%22%27%5C%22%5C%22%5C%5C%5C%5C%22%22%5C%5C%5C%5C%5C%5C%22%5C%27%27%27%22%5C%22%5C%5C%5C%5C%27%5C%5C%5C%27%5C%5C%5C%5C%5C%5C%5C%5C%5C%22%5C%27%5C%22v%27%22%22%5C%5C%22%5C%22%5C%27%5C%5C%5C%5C%5C%27%22%5C%5C%5C%5C%5C%27%5C%27%27%5C%5C%5C%22%5C%5C%5C%27%5C%27%27%27%22%5C%27%27%5C%22%22%5C%5C%5C%22%22%27%5C%27%5C%5C%5C%22%22%22%22%5C%5C%27%22%5C%5C%5C%27%27%27%5C%5C%5C%5C%22%3C&_NAMES=%3D%0C%0C+%09%0D%0B%0D%09%0D%0D%0B%0B%0C%0B%0C%0D%0D%0A%09+%0D%0C%09+%0B%0A%09%0A%0B%0C%0A%0D%0A%24%21%09%0B%09+%0C%0B%09+%0C+%0D%0C%0A%09%0A%0D%09%09%09%09%0C%0B%0B+%0A%0B%0D+%0C%09+%0C%09%0C%09%0D+%0B%0D%09+%0D%0B%0B%0A%09%0D+%0D%0A%0B%09%0A%0C%09%0B+%0A%0C++%09%0A%0B%0C%0C%0A%09%0A%0A%0A%7BfHEQ3sQAb_ENNkzaZmlkFfb6ZjpgpVmT3Zpz1Df3YI6dERzSldBuMMYj5YFHRSq4Hs4u97b6PdpeAW%3D%24kn.7E%7DK.pU8C0%09vm%3FcZiaF%2C%23%26H%28HXo3TQ%2BqXye%23R%2C_~muNL%7B%3ALG0%3E0I4DLVkkfB%23%29hn%7B%24%2F%2F1lK%40%24t5D%0C%0D+%09%09%0B%0A%0D%0C%0B%09%09%0A%0D+%0B%0C+%0C%09%09%0A%0C%0C%09%0A%0A%7B%0C+%09+%09+%0D%0D%0D%0C+%09+%0D%0D%0B%0A%0A%0D+%0B+%0A%0A%0D%09++%0B%0B%0D%0D%0D%0A+%0A%0A%0A%0A%0D%0C%0B+%0B%0A+%09%0A%0D%09+%0C%0C%0B%0B%0C%0C%09%0A%09%0D++%09%0C%28%0A%0D%0C%0C%0C%0A%0C%0B%0C%0C%09+%09%0B%09%0C%09+%0A%0B+%0C%0A++%0C+%0C%0B%0C%0D+%0C%0A%0C%0C%0C%0C%0A%0C%09+%0D%0D%0B%0B%0C%09%0A+%0A%0A%0B%0B+%09+%0A%0B%0D%09%0C%0D%0A%0C%09%0A%0A%0D+%0B%0A+%09%09+%0A%0A%0C%0D%0D+%0A+%09%0B%0D%0A%09%0A%0B%0C+%0A+Yp0n3i1JNfUu6o1Irk2F7K5ykXnNo6wxGAmBNJwTWXZnWLXAM%3DgPh%3FoMWmk.%29%40%5D%21%28h%25UNy%5CVy%25%7C%27M%0B%0D%0A%0A%0D%0A%0B%0D%0C%0C%0A%09%09%0C%0C+%0A%0C%0D%0C%0B%0A%0C+%0C%0A%09%0D%0C%0C+%0D%0A%0A%0D+%0D%0A+%0B%0A%0B%0B+%09%09%0B%0BHvEb95koBXTfRz1a16y3sBaXDBrv%3D%3E1%3BPt4%3A%26WTxEM%0Dx%0DH%3A%7Ce%0C%7BL%60%28Bp%21vWAhV%2B%7DmGa%5D%27%5EozX.I%3B%7D%24rtm%0Dwv%0BBZj6G%5DL2N43.K%3D5a%3DSs%22%28tA%5CV1%21%2B+%23%0A%0A%0B%0D%09%0B%09%0A%0C+%0A%09%0A%09+%0B%0B%0D%0A%09%09%0B%0A++%0A%09%0D%0A%0D%09%0C%0D%0B%0C+%0D%09%0D%0A%0C%0B%0D+%09%0B+%0B+%0B%0C%09%0D%0C+%09%0A%0B%0A%0A%0D+%09%0D+%0B%0A%0A%0D%09%0D%0C%0A%0B%0C%0C+%7BH1n7tEv_CvL5XakA602SugqT_QKwpalbC_R6a2AUuoHDdvifou0I1EJqoB5KvguTHJ1hCvw8ELTRWbcau%3D%24G%7CT%3EN%7CKB%25Z%5EFv%0CG+g%3C%3Ep%24jwxk%5D%24Z%3A+iy7Jc%3Be%0C%0C%09%0C+%0D%09%09+%0B%0C%09%0B%0D+%0B%0A%0B%09%0A%0D%0B%0C%0B%0D%0D%0D++%09%0A%0A%0B%28%0A%09%0D%0A%09%09%0C%0D%0A%0C%0A%0B%0D%09%09%0D+%0D%0B%0D+%09%09+%0B%0D%0B%0C%09%0C%0D%0B+%09%0B%0C%0C%0D+%0B+%0A%0D%0B+%09%0A%0D%0A%0C%24%21%0C%0B%09%0C%0C%0D%09%0B%09%0A%0C++%0A%0B%0D%0A%09%09%0B%0C%0D+%0B%0Aw7MWhDlfkR2rPE94ZigXNuD9MS4VbBP26m59cHkG58qla0WW2MIAWxLimxmHqur46l4xtlCzymT%3D%24%3E%3AB%3D%25-xYftZwuk%7BX%7Bi%7Bu%5CU%3Fu1%604DPUZP%60xj%29%5E%29W%3Dq%2BTk_%5DL%5DI%24-w%5CH%3E+%3A%5E%5B%2AO%5DF4%0B%40Q%5CB%7Bh_%0CE%0De%5EmVVX%2A1%0C+%0C%0C%0D%0A%09%0D%0D%0C%09%09%09%09%0A%0C+%0D%0A%0A%0C%0B%0B%0D%0B%0C%0D%0B%09%0D%0A%09%0B%0C%0C%0A%09%09%09%0A%0B%0B%0D%09%0D%0C%0D%09%09++%0B%09%0C%0B%0D%0D%09%0C%0A%0A+%09%09+%0D%0D%0C%0C%0D%0B+%0D%0A%09%0D%0D%0D%0B%0C%0A%0A%0C%24%0A%0B%09%09+%0B+++%0C++%0D%09%0C+%0D%09%0B%0A%0C%0D%09%0D+%09+%0B%0C++%0D%0B%09%0B%0D%0D%0D%09+%0D%09+%0D+%0A%0D%0D%0B%0C%0C%0C%09+%0A%09%0C%0B+%09+%0C%28%0C%0B%0A%09%0C+%0A%09%09%0B%09%21%0C%0A%09%09%0A%0D%0C%0D%0B%0C%0A%09%0Bl57xxMzFU_5EqYOJXKOH0mtIOdkZKUzZkLkn_fO5WxBafTnHx5EByp21jP5WHaJ7umN7IykY2Cz41zKpep8NAI40p3TMYBP%3D%23%5EVB8BV%3B%40%24%29XP3BW%28~%3Ea%604%3CJ-r%5Dp%5Ej1Wd9%7C%25pWXDfsn-X201KJiQ%0B%0A%09%0C%0B%09%0D+%0A%0B%0A%0A+%0C%0A+%0B%0A%0B%0B%0D%09%0B+%0B%0B%0D%0B++%0A+%09+%0B%0C%09%0C+%0A%09%0D%0C%0B%0A%0D%0C%0C%0D%09%0A%0B++++%0A%0C%0C%0C%0B+%09%0B++%09%0A%0C+%09%0C%0A%0A%0D%09%09%0A+%09%0B%0C%0D%0C%0C%0C%0A%0A%0B%0B%0A%09%0B%0D%28+%0C%0C%0D%0C%0D%0C%0A%0D%0B%09%09%0B%0B%0C%0B%0A%0D%0D+%0C%0D%0B%0A%0B%0A%0D+%0B%0B%0D%0B%0D%0A%0B+%09%09%0B%0D%0C%0C%0A+%09%0D%09%0A%0C%09%0B+%0A%0C%0B%0C%0A%0B++%0D%0D+%0A+%0C%24%7B%7B%21%0C%0C%09%0A%09%0C%0D%0D%0D+%0D+%0A%0C%0D%0B+%09++%0A%09%0D%7B%7B%21%0B%09%0B%09%0D%0B%0A++%0A%0D%09%0A%0D%0D%0A%0C+%0A%0A%0C+%09%0C%0C%0B%0A%0A%0D%09%09%0C%0C%0D%0C%09%0A%0B%0B%0A%0D%0A+%0D%0D++%0D%0C%0B%0B%0C%09%0B%09%0B%0D%0B%09%09%0A%0C%0D+%0C%0B%0B%09%0A%09%0A%0D%0C++%0D%0D%0A%0A%0B%0A%0B%0B%0B%09+++%09%0D%0C+%0B%0B+%0A%0C%0D%0C%0B+%0B%0A%09+%0D%0A%09%0C%0D%09%0D%0D%0A+%09%0B%0D%0A+%0A%0A%0B%09+++%09%0A%0A%0D%09%0D%0D%0A%09%0C+%0A%0B%0A%0B%0C%0D%0C+%0D%0D%09%0D%0C%09%0B%0C%0B%0B%0C%0C+%0B%0A%09%0B%0A%0C%0B+%0B%28%0B%0C%0B%09%0B%0C%0A%0B%0A%0A%0C%0B%09%0A%0C%09+%0A%0B+%0B%0B%0A+%0C%0A%0B%0D%0D%0B%0B%0D%0B%0B%0D%0D%0D+%0A%0D%0B+%0A+%09%0B%0C+%0B%0D%0A%0B%0D%0C%09%09%0B%0C%09%09%0B%0C%0C%0A%0B%0D%09%0C%0C%0D+%09%0D%0C%0C%0A+%0A%0A%0B%09%09%0D++%09+%0A+%0D%0B%0C%09%0C%0A%0B+%0B%0B%0A+%0D%0C%0D%0C%0C%0B%09++%09%0A%0B%0D%0C%0A%09+%0A%0B%0B%0B%28%0D%0C%0A%09%0C%0C%09%0A%09%0B%0D%0D%0B%0B%0C+%0D++%09+%0D%0D%0B%0B+%09%0D%09%0A%0D%0D%0D%0C%09%0B%0D%0D%0B%0B%28%09%0D%0C%0C%0D%09%0C%0D%0B%0B%09%0C%0A%0D%0D%0B+%0B%0A+%0C%09%0A%09+%0C++%0A%0C%0B%0C%0D%09%09%0D%0D%0C+%0B+%09%0C+%0D%0B+%09%0D%0D%0B++%0B%0A+%0D%0B%0A+%09++%0C%0B%09%0A%09+%09%0B%09%0B+%0A%09%0B+%0B+%0A%0D%21%09%0B%0D%09%0D++%0B%0C%0D%0C%0C%09+%0B%0A%0A%0B%0D%0A%09%21%0A%21OSXcUs847iGMZc2AqfscU5kA7P%3D%24LRMrGamel%7DApoHx8%5D.UG%26J8B%60hcco%25%26kd-Bw%09%0A%0B%0D%09%0A%0B%09+%0A+%0A%09%09%0B%0A++%0A+%7B%24kahQxnZIrrkVK8rLOxsvI_hCGMjW93ZvA%3D%24aHk%2B%25T%2FH%2C6%2C%7Bx%27yg%27%7B%3Aj%29eO%22gbX3P9%2C%2B6j%3A%09%5CKB%2B%7DB%23.CwK4%28%26-%22t%25MV0Gy%3AkA+%7D%22THj%7C%23o++%0D%09VNw5IPhzDI7hrMl9niB1dg2hy9IG0F2zHSYS2o1F8emGJqgpU4ADctvyozvD14ffZbcAnxQ1Dh%3D%3ECMWg%7B%60%5Et%3Ao%40Z%0C%0D%0D%0D%0A%0A%09%0C%0A%0B%0A%0D%0D+%09%0D%0C+%09+%0D%0B%0C%0A%0C%0C%0A%0D+%09%0BvJRzET2OczdbdZhmbbIPzRab76fjeR6F2_hNSm6z4KHSbhbNicRXEnVxlwgMTVMyDF3kWBi2sbp%3D%3EU%60NCb_PS4+%7DnW%28bMU%3DpU5%22G%3A%7D%60hM%3CYvV%3E%60uZ%7Cjo%3ErHlV%0DJ4%0B%7DR5LK%5B%60.A2BwVqbb%2B6DGR%2C%0CyX%2A%260_Z%2A~cJ6F%2F+~_%3Ee%0CA.~G%40.%0C+%0D%09%0A%0B%0B%0D%0D%0C%24%7B%21%0D%0D%0D%0A%0A%0B%09%0D%09%0A%0B%09%0B%0A%0B%09%0B%0B%0D%0D%0A%0D%0B%0A+%0D%09+%0D%0D+%0B%0B%0A+%0C%0C%0A%09+%0B%0C%0B%0D%0C+%0D%0D%0C%0A+%0D%09%0B%0C++%0B%0A%09%0B%0C%0A%09%0B%09%0A+%0D%09%0C%0B%0D%21%0C%0D%0C%21%0C%0B%0C%09+%0C+%0B%0B%09+%0A%0D%0C%0B%0B+%0B%0C%0D%0A%0D+%0B%0A%0C%0A%09%0B%0B%0A%0A%0D+%0B%09+%0D%0A%09%0C%0C+%0D+%0C%09%0A%0A%0B%09+%0A%09%09+%0B%0B%0A+%0A+%0C%09%09%09%0C%7B%21%0B%0A%0B%0D%0A%0C%09+%0B%09%0D%0D%09%0D%0D%0D%0B%09%0A%0B%09%0B%09%0C%0D%0C%0A++%0D%0B%0C%09+%0D%09%0A%0D%0B%09+++%0B%09%0A++%0A%0C%0B+%0A%0D%0B%0C%0A+%24%09%0A+%0B+%0D+%09%0D%0D%0D%0A+%0B%0A%0B%0A%0B%0B%0D+%09%09%0B%09%09%09%0A+%0B+%0B+%09+%09+%0D%09%09%0A%0A+++%0B++%0B%09+%09+%0B%09%0C%09%0D%0A%0D%0A%0C+%0B%0B+%0C%0D+%0A++++%0B+%0C%28+%0D%09%09%0B%0D%0B%0C%0C%0D%09%0A%09%0D+%0B%09%0B%0B%09+%09%0B%0A%09+%0B%0A%09%09%0C+%0B+++%0A%0C%0C+%09%0A%0D+%0C%0B%0D%0D%0B%0A%0C+%0B%0B+%09+%09%0B%0B%09%09%09%0B++%0A%0D%0B%09%0D+%0A%0C%0A%0B%0D%09+%0D%0BALH480CtOX3sPn_Tz6DYi7P684DysfueG_v3LcnkW_d8P3b3gi0a7QQUIUkMYklYIFpQ_F6l6RClo4z5ULzWpenfgV%3D%3E%0C%0A%0B%0A%0D+%0B%0A%0B%0B%0C+%0D+%0B+%0B%0C%0A%0A%0C%09%0C%0B%0C+%0D%0B%0A%0A%09%0A%0A%09%0B%0D%0B%0D++%0D+%09%0C%0B%0B%0D%0C%0A%0B%0C%0B+%09+%0A%0A%0B%0B%0B%0D%09%09%0D%0A+%0A%09%0B+%0B%0A%09%0A%0B%0B%09%09%0D%09%0A%0B%0A%0A%0A%09%0B%0B%0C%0D%09%0D%0C+%0A%09%0A%0A%7B%21%0B+%09%09%0B%0D%0B%0C%0A%0C%0A%0A%0A%0C%0C%0A+%0A%0D%0B%0B+%09%0C%0B%0D%0C+%0B%0C%0D%09%0D%0D%0D%0D%0B%0A%0B%0B%0A%09%28+%0D%0D%0C%0A+%09%0C%0D%0D%0D%09%0D%0A%09%0C+%0C%0B%0B%09%0B%0D%0A%0D%0B%0A%0A%0D%0A%0D%0A%09%0B%0C%0B%0A%09%0A%0A%0A%0D%09%09%7B%21+%09%0C+%0B%0C%0C+%0A+%09%0C+%09%09%0D%09%09%0D%0B%0B+%0A++%0B%0C+%0A%0C+%0C+%0A%0B%0D%0C%0C%0D%0D%0C%0B%09%09%0A+%0D+%0C%0C%0B%0B%0B%09%0A++%0D+%0C%0A%0A%0D%0C++%0D%0D%09%0D%0C%0D%09%0C%0D%0D%09%0A+%0B%0C%0C%0B%0C%0C%0A%0B%0C+%0A%0A%0B%09%0D%0B%0A%0B%09%0C%0B%0C%0B%0B%09%0D%0A%0A%0D%0B%0D%0A%09%0B%0C++%0C%0D%09%0D+%0C%0A%0B%0D+%09%0C%0A%28+%0B+%0D%09%0D%0D%0C++%0B%0C%0C%0A++%0A%0B%0B%0A%09%0A%09%0D%0C%0C%09%0C+%0D%0D%09%0C%0B%0D%0D%0D%09%0C%0A+%24%0C%0A%0A%0A%09%0A%09%09%0C%0D%0B%09%0A%0C%0B%0B+%0A%0B+%09%0C%0A+%0D+%0C+%0A%0D%09%0D%0A%0A%0A%0B%0C%0C%0A%0A%0C%09++%09%09%0C%0C%0D%0C%0B%09%0B%09+%09%09%09%0A%0C%0D%0A%0A%0C+%0C+%28%0B%0B%09%0C+%0A%0D%0A%09%09%0A%09%0D+%0A%0B%0C+%09%0B%0C%0C%0B+%0C%0A%0C%0B%0D%0C%0B%0C%09%0A%0B%09%0C%0A++%0D%0C++%0B%0D%0D%0C%0D%0A%0D+%0B%0A%09+%0B%0D%0C%0B%0A%0B%09%0C%09%0D%0C%0C%0C%0C%0D%09%0C%0C%0B++%09%0B+%0A%0A%0A%0B+%0A%09+%09%0D+%0B%0D%0C%0B++%0B%0Bs4oqfYRbuc2j5xvh9qViDIB9VSKGuysf%3D%24jB1%5EwEhd63fAp40d%24a%0BoLA%7CskKD%29fG%26K%28%7Csag%3DFlcP2%2FaH%5Ca%21KoTYs%0B%0A+%0B+%09+%0A%0D%09+%0A%0D%0B%0C%0B%09%0C%0D%0C%0D%0C%0A%0D%09%0D%0D%0D%0A%0D%0A++%0C%0A+%0C%09+_9uk4_csIKbAS3pOGzY1lokLg0frOlLL866n0krzhYAyfdhQr5vwX5PvqnFTzlpBtrqILu66G17VqOa0Le9Iy52D%3D%24%7C%245%7DodV%7Dq%5BA%40%0Be-%0CiGb%09%7DV%23xW%235~pwA%3Ch%3BK%27%0CM.%3D9HnZpC%7Bp%0CV%5BQ%2Fv.%241MuMa%2B%40j.9m%23W~S_%7D%40+%24n%60%09LgN%2CMfM+%0D%0A%0B+%09%0A%0D%0A%0D%09%0A%09%0D%0A++%09%0A+%0D%0A%0A%0D%0C%0B++%0C%0D%09%0D%0A%0D%09%09%0B%0C%0C%0B+%0C%0B%0B%0B%0A%7B+%0D%0C+%0C%0D%09%0B%0C%0B%09%0C%0D%0B%0D%0D%0B%0A%0D%0A+%0C%0A%0B%09+%0A%0D%09%09+%0D%0B%09++%0A%0B%0D%09%0B%0D%0B%0C%0C%0A%09++%0D%0C%0A%0B+%0B%0A%0D%0A%0A%0B%09%0C%0A%0C%0C%09%0A%09+%0B%09%0C%0D%0A%0D%0A%0A%0A%0C%0D%09%0D%0B%0B%0B%0C%0B%0B%09%0A%0A%0A%0A%22%22%22%22%22%22%22%27%27%22%27%27%27%27%22%22%22%22%27%22%22%27%27tlTqyA7HNIg-%5C%2FNeuVcHr%5B%290w%2FC4%2Bkvob%2A%22a8WDEQ7%5Cy6wcfl1-LN%2F%5C%22%22%22%5C%5C%5C%5C%22%5C%22%22%27%5C%5C%5C%22%22%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%27%22%5C%22%5C%5C%5C%22%27%5C%5C%27%5C%5C%5Cp%5C%5C%22%27%5C%27%5C%27%27%27%27%5C%5C%5C%5C%27%22%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%5C%22%5C%27%5C%5C%5C%27%5C%22%22%27%5C%5C%27%5C%22%27%22%5C%5C%22%22%5C%5C%27%5C%27%27%22%5C%27%5C%22%5C%5C%5C%5C%5C%22%5C%27%27%22%22%22%5C%5C%27%27%5C%27%5C%22%22%5C%5C%5C%22%27%27%5C%22%22%27%27%22r%22%5C%27%27%22%5C%5C%5C%22%22%5C%5C%27%5C%22%22%5C%27%5C%5C%22%5C%5C%5C%5C%5C%27%27%5C%22%5C%27%5C%27i%5C%5C%5C%5C%5C%22%27%27%22%5C%27%27%22%22%5C%5C%22%22%22%27%5C%22%5C%5C%27%5C%5C%5C%5C%22%5C%5C%5C%22%27%5C%5C%5C%27%27%22%5C%5C%5C%5C%5C%27%22%5C%27%27%5C%27%27%5C%22%22n%5C%5C%22%27%5C%5C%27%5C%5Ct%5C%22%22%5C%22%5C%5C%5C%5C%5C%22%22%5C%5C%5C%5C%5C%27%5C%22%22%27%5C%27%5C%27%27%22%5C%27%5C%5C%27%27%22%27%27%5C%5C%22%22%22%27%5C%27%27%27e%22%5C%27%27%5C%5C%27%5C%5C%27%5C%22%5C%22%22%5C%5C%5C%27%22%27%5C%5C%22%22%5C%27%22%27%5C%22%22%5C%5C%5C%5C%22%27%27%27%5C%5C%22%5C%5C%27%27%27%5C%5C%5C%27%5C%5C%5Cn%5C%5C%5C%27%22%5C%5C%5C%27%5C%27%5C%5C%27%5C%22%27%5C%22%5C%22%5C%5C%5C%5C%22%22%5C%5C%5C%5C%5C%5C%22%5C%27%27%27%22%5C%22%5C%5C%5C%5C%27%5C%5C%5C%27%5C%5C%5C%5C%5C%5C%5C%5C%5C%22%5C%27%5C%22v%27%22%22%5C%5C%22%5C%22%5C%27%5C%5C%5C%5C%5C%27%22%5C%5C%5C%5C%5C%27%5C%27%27%5C%5C%5C%22%5C%5C%5C%27%5C%27%27%27%22%5C%27%27%5C%22%22%5C%5C%5C%22%22%27%5C%27%5C%5C%5C%22%22%22%22%5C%5C%27%22%5C%5C%5C%27%27%27%5C%5C%5C%5C%22%3C HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?:^\|=)\s(?:{\|\s$\s\|\w+=(?:[^\s]\|\$.\|\$.\|<.\|>.\|\'.\'\|\".\")\s+\|!\s\|\$)\s(?:'\|\")(?:[\?\\[\]\($\-\\|+\w'\"\./\\\\]+/)?[\\\\'\"](?:l[\\\\'\"](?:s(?:[\\\\'\"](?:b[\\\\'\"]_[\\\\'\"]r[\\\\'\"]e[\\\\'\"]l[\\\\'\"]e[\\\\'\"]a[\\\\'\"]s[\\\\'\"]e\|c[\\\\'\"]p[\\\\'\"]u\|m[\\\\'\"]o[\\\\'\"]d\|p[\\\\'\"]c[\\\\'\"]i\|u[\\\\'\"]s[\\\\'\"]b\|-[\\\\'\"]F\|o[\\\\'\"]f))?\|z[\\\\'\"](?:(?:[ef][\\\\'\"])?g[\\\\'\"]r[\\\\'\"]e[\\\\'\"]p\|c[\\\\'\"](?:a[\\\\'\"]t\|m[\\\\'\"]p)\|m[\\\\'\"](?:o[\\\\'\"]r[\\\\'\"]e\|a)\|d[\\\\'\"]i[\\\\'\"]f[\\\\'\"]f\|l[\\\\'\"]e[\\\\'\"]s[\\\\'\"]s)\|e[\\\\'\"]s[\\\\'\"]s[\\\\'\"](?:(?:f[\\\\'\"]i[\\\\'\"]l\|p[\\\\'\"]i[\\\\'\"]p)[\\\\'\"]e\|e[\\\\'\"]c[\\\\'\"]h[\\\\'\"]o)\|a[\\\\'\"]s[\\\\'\"]t[\\\\'\"](?:l[\\\\'\"]o[\\\\'\"]g(?:[\\\\'\"]i[\\\\'\"]n)?\|c[\\\\'\"]o[\\\\'\"]m[\\\\'\"]m)\|w[\\\\'\"]p(?:[\\\\'\"]-[\\\\'\"]d[\\\\'\"]o[\\\\'\"]w[\\\\'\"]n[\\\\'\"]l[\\\\'\"]o[\\\\'\"]a[\\\\'\"]d)?\|f[\\\\'\"]t[\\\\'\"]p(?:[\\\\'\"]g[\\\\'\"]e[\\\\'\"]t)?\|y[\\\\'\"]n[\\\\'\"]x)\|s[\\\\'\"](?:e[\\\\'\"](?:t[\\\\'\"](?:e[\\\\'\"]n[\\\\'\"]v\|s[\\\\'\"]i[\\\\'\"]d)\|n[\\\\'\"]d[\\\\'\"]m[\\\\'\"]a[\\\\'\"]i[\\\\'\"]l\|d)\|h(?:[\\\\'\"]\.[\\\\'\"]d[\\\\'\"]i[\\\\'\"]s[\\\\'\"]t[\\\\'\"]r[\\\\'\"]i[\\\\'\"]b)?\|o[\\\\'\"](?:u[\\\\'\"]r[\\\\'\"]c[\\\\'\"]e\|c[\\\\'\"]a[\\\\'\"]t)\|t[\\\\'\"]r[\\\\'\"]i[\\\\'\"]n[\\\\'\"]g[\\\\'\"]s\|y[\\\\'\"]s[\\\\'\"]c[\\\\'\"]t[\\\\'\"]l\|c[\\\\'\"](?:h[\\\\'\"]e[\\\\'\"]d\|p)\|d[\\\\'\"]i[\\\\'\"]f[\\\\'\"]f\|f[\\\\'\"]t[\\\\'\"]p\|u[\\\\'\"]d[\\\\'\"]o\|s[\\\\'\"]h\|v[\\\\'\"]n)\|p[\\\\'\"](?:t[\\\\'\"]a[\\\\'\"]r(?:[\\\\'\"](?:d[\\\\'\"]i[\\\\'\"]f[\\\\'\"]f\|g[\\\\'\"]r[\\\\'\"]e[\\\\'\"]p))?\|y[\\\\'\"]t[\\\\'\"]h[\\\\'\"]o[\\\\'\"]n(?:[\\\\'\"](?:3(?:[\\\\'\"]m)?\|2))?\|k[\\\\'\"](?:e[\\\\'\"]x[\\\\'\"]e[\\\\'\"]c\|i[\\\\'\"]l[\\\\'\"]l)\|r[\\\\'\"]i[\\\\'\"]n[\\\\'\"]t[\\\\'\"]e[\\\\'\"]n[\\\\'\"]v\|(?:g[\\\\'\"]r[\\\\'\"]e\|f[\\\\'\"]t)[\\\\'\"]p\|e[\\\\'\"]r[\\\\'\"]l(?:[\\\\'\"]5)?\|h[\\\\'\"]p(?:[\\\\'\"][57])?\|i[\\\\'\"]n[\\\\'\"]g\|o[\\\\'\"]p[\\\\'\"]d)\|n[\\\\'\"](?:c(?:[\\\\'\"](?:\.[\\\\'\"](?:t[\\\\'\"]r[\\\\'\"]a[\\\\'\"]d[\\\\'\"]i[\\\\'\"]t[\\\\'\"]i[\\\\'\"]o[\\\\'\"]n[\\\\'\"]a[\\\\'\"]l\|o[\\\\'\"]p[\\\\'\"]e[\\\\'\"]n[\\\\'\"]b[\\\\'\"]s[\\\\'\"]d)\|a[\\\\'\"]t))?\|e[\\\\'\"]t[\\\\'\"](?:k[\\\\'\"]i[\\\\'\"]t[\\\\'\"]-[\\\\'\"]f[\\\\'\"]t[\\\\'\"]p\|(?:s[\\\\'\"]t\|c)[\\\\'\"]a[\\\\'\"]t)\|o[\\\\'\"]h[\\\\'\"]u[\\\\'\"]p\|p[\\\\'\"]i[\\\\'\"]n[\\\\'\"]g\|s[\\\\'\"]t[\\\\'\"]a[\\\\'\"]t)\|t[\\\\'\"](?:c[\\\\'\"](?:p[\\\\'\"](?:t[\\\\'\"]r[\\\\'\"]a[\\\\'\"]c[\\\\'\"]e[\\\\'\"]r[\\\\'\"]o[\\\\'\"]u[\\\\'\"]t[\\\\'\"]e\|i[\\\\'\"]n[\\\\'\"]g)\|s[\\\\'\"]h)\|r[\\\\'\"]a[\\\\'\"]c[\\\\'\"]e[\\\\'\"]r[\\\\'\"]o[\\\\'\"]u[\\\\'\"]t[\\\\'\"]e(?:[\\\\'\"]6)?\|i[\\\\'\"]m[\\\\'\"]e(?:[\\\\'\"]o[\\\\'\"]u[\\\\'\"]t)?\|a[\\\\'\"](?:i[\\\\'\"]l(?:[\\\\'\"]f)?\|r)\|e[\\\\'\"]l[\\\\'\"]n[\\\\'\"]e[\\\\'\"]t)\|r[\\\\'\"](?:e[\\\\'\"](?:p[\\\\'\"](?:l[\\\\'\"]a[\\\\'\"]c[\\\\'\"]e\|e[\\\\'\"]a[\\\\'\"]t)\|a[\\\\'\"]l[\\\\'\"]p[\\\\'\"]a[\\\\'\"]t[\\\\'\"]h\|n[\\\\'\"]a[\\\\'\"]m[\\\\'\"]e)\|u[\\\\'\"]b[\\\\'\"]y(?:[\\\\'\"](?:1(?:[\\\\'\"][89])?\|2[\\\\'\"][012]))?\|m[\\\\'\"](?:u[\\\\'\"]s[\\\\'\"]e\|d[\\\\'\"]i)[\\\\'\"]r\|n[\\\\'\"]a[\\\\'\"]n[\\\\'\"]o\|s[\\\\'\"]y[\\\\'\"]n[\\\\'\"]c\|c[\\\\'\"]p)\|b[\\\\'\"](?:z[\\\\'\"](?:(?:[ef][\\\\'\"])?g[\\\\'\"]r[\\\\'\"]e[\\\\'\"]p\|d[\\\\'\"]i[\\\\'\"]f[\\\\'\"]f\|l[\\\\'\"]e[\\\\'\"]s[\\\\'\"]s\|m[\\\\'\"]o[\\\\'\"]r[\\\\'\"]e\|c[\\\\'\"]a[\\\\'\"]t)\|s[\\\\'\"]d[\\\\'\"](?:c[\\\\'\"]a[\\\\'\"]t\|i[\\\\'\"]f[\\\\'\"]f\|t[\\\\'\"]a[\\\\'\"]r)\|u[\\\\'\"]i[\\\\'\"]l[\\\\'\"]t[\\\\'\"]i[\\\\'\"]n\|a[\\\\'\"]s[\\\\'\"]h)\|m[\\\\'\"](?:y[\\\\'\"]s[\\\\'\"]q[\\\\'\"]l[\\\\'\"](?:d[\\\\'\"]u[\\\\'\"]m[\\\\'\"]p(?:[\\\\'\"]s[\\\\'\"]l[\\\\'\"]o[\\\\'\"]w)?\|h[\\\\'\"]o[\\\\'\"]t[\\\\'\"]c[\\\\'\"]o[\\\\'\"]p[\\\\'\"]y\|a[\\\\'\"]d[\\\\'\"]m[\\\\'\"]i[\\\\'\"]n\|s[\\\\'\"]h[\\\\'\"]o[\\\\'\"]w)\|l[\\\\'\"]o[\\\\'\"]c[\\\\'\"]a[\\\\'\"]t[\\\\'\"]e\|a[\\\\'\"]i[\\\\'\"]l[\\\\'\"]q)\|u[\\\\'\"](?:n[\\\\'\"](?:c[\\\\'\"]o[\\\\'\"]m[\\\\'\"]p[\\\\'\"]r[\\\\'\"]e[\\\\'\"]s[\\\\'\"]s\|l[\\\\'\"]z[\\\\'\"]m[\\\\'\"]a\|a[\\\\'\"]m[\\\\'\"]e\|r[\\\\'\"]a[\\\\'\"]r\|s[\\\\'\"]e[\\\\'\"]t\|z[\\\\'\"]i[\\\\'\"]p\|x[\\\\'\"]z)\|s[\\\\'\"]e[\\\\'\"]r[\\\\'\"](?:(?:a[\\\\'\"]d\|m[\\\\'\"]o)[\\\\'\"]d\|d[\\\\'\"]e[\\\\'\"]l))\|x[\\\\'\"](?:z(?:[\\\\'\"](?:(?:[ef][\\\\'\"])?g[\\\\'\"]r[\\\\'\"]e[\\\\'\"]p\|d[\\\\'\"](?:i[\\\\'\"]f[\\\\'\"]f\|e[\\\\'\"]c)\|c[\\\\'\"](?:a[\\\\'\"]t\|m[\\\\'\"]p)\|l[\\\\'\"]e[\\\\'\"]s[\\\\'\"]s\|m[\\\\'\"]o[\\\\'\"]r[\\\\'\"]e))?\|a[\\\\'\"]r[\\\\'\"]g[\\\\'\"]s)\|z[\\\\'\"](?:(?:(?:[ef][\\\\'\"])?g[\\\\'\"]r[\\\\'\"]e\|i)[\\\\'\"]p\|c[\\\\'\"](?:a[\\\\'\"]t\|m[\\\\'\"]p)\|d[\\\\'\"]i[\\\\'\"]f[\\\\'\"]f\|l[\\\\'\"]e[\\\\'\"]s[\\\\'\"]s\|m[\\\\'\"]o[\\\\'\"]r[\\\\'\"]e\|r[\\\\'\"]u[\\\\'\"]n\|s[\\\\'\"]h)\|f[\\\\'\"](?:t[\\\\'\"]p[\\\\'\"](?:s[\\\\'\"]t[\\\\'\"]a[\\\\'\"]t[\\\\'\"]s\|w[\\\\'\"]h[\\\\'\"]o)\|i[\\\\'\"]l[\\\\'\"]e[\\\\'\"]t[\\\\'\"]e[\\\\'\"]s[\\\\'\"]t\|e[\\\\'\"]t[\\\\'\"]c[\\\\'\"]h\|g[\\\\'\"]r[\\\\'\"]e[\\\\'\"]p)\|c[\\\\'\"](?:o[\\\\'\"](?:m[\\\\'\"]m[\\\\'\"]a[\\\\'\"]n[\\\\'\"]d\|p[\\\\'\"]r[\\\\'\"]o[\\\\'\"]c)\|u[\\\\'\"]r[\\\\'\"]l\|s[\\\\'\"]h\|c)\|e[\\\\'\"](?:g[\\\\'\"]r[\\\\'\"]e[\\\\'\"]p\|c[\\\\'\"]h[\\\\'\"]o\|v[\\\\'\"]a[\\\\'\"]l\|x[\\\\'\"]e[\\\\'\"]c\|n[\\\\'\"]v)\|d[\\\\'\"](?:m[\\\\'\"]e[\\\\'\"]s[\\\\'\"]g\|a[\\\\'\"]s[\\\\'\"]h\|i[\\\\'\"]f[\\\\'\"]f\|o[\\\\'\"]a[\\\\'\"]s)\|g[\\\\'\"](?:z[\\\\'\"](?:c[\\\\'\"]a[\\\\'\"]t\|i[\\\\'\"]p)\|r[\\\\'\"]e[\\\\'\"]p\|c[\\\\'\"]c)\|j[\\\\'\"](?:o[\\\\'\"]b[\\\\'\"]s[\\\\'\"]\s+[\\\\'\"]-[\\\\'\"]x\|a[\\\\'\"]v[\\\\'\"]a)\|w[\\\\'\"](?:h[\\\\'\"]o[\\\\'\"]a[\\\\'\"]m[\\\\'\"]i\|g[\\\\'\"]e[\\\\'\"]t\|3[\\\\'\"]m)\|i[\\\\'\"]r[\\\\'\"]b(?:[\\\\'\"](?:1(?:[\\\\'\"][89])?\|2[\\\\'\"][012]))?\|o[\\\\'\"]n[\\\\'\"]i[\\\\'\"]n[\\\\'\"]t[\\\\'\"]r\|h[\\\\'\"](?:e[\\\\'\"]a[\\\\'\"]d\|u[\\\\'\"]p)\|v[\\\\'\"]i[\\\\'\"](?:g[\\\\'\"]r\|p[\\\\'\"]w)\|G[\\\\'\"]E[\\\\'\"]T)[\\\\'\"]*(?:\s\|;\|\\|\|&\|<\|>)" \ "id:932150, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Remote Command Execution: Direct Unix Command Execution',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ tag:'WASCTC/WASC-31',\ tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}'"

Pattern for rule 941300 is not blocked (status code 400)

ModSecurity Rule ID	941300
From file	../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern	<OBJECT/type/ /+ //=
Request sent to WAF	GET /?test=%3COBJECT%2Ftype%2F%0C%0D%09+%2F%2B%0B%0B%0B++%2F%2F%0B%3D&_NAMES=%3COBJECT%2Ftype%2F%0C%0D%09+%2F%2B%0B%0B%0B++%2F%2F%0B%3D HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: <OBJECT/type/ /+ //==test; _NAMES=<OBJECT/type/ /+ //=; test=<OBJECT/type/ /+ //= Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i)<OBJECT[\s/+].?(?:type\|codetype\|classid\|code\|data)[\s/+]=" \ "id:941300, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'IE XSS Filters - Attack Detected.',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942390 is not blocked (status code 400)

ModSecurity Rule ID	942390
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	xor 0663131452>
Request sent to WAF	GET /?test=xor%0D+%09%0C%09%0C+0663131452%3E&_NAMES=xor%0D+%09%0C%09%0C+0663131452%3E HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: _NAMES=xor 0663131452>; test=xor 0663131452>; xor 0663131452>=test Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|!REQUEST_COOKIES:/_pk_ref/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?:\b(?:(?i:xor)\b\s+(?:'[^=]{1,10}'(?:\s?[=<>])?\|\d{1,10}(?:\s?[=<>])?)\|(?i:or)\b\s+(?:'[^=]{1,10}'(?:\s?[=<>])?\|\d{1,10}(?:\s?[=<>])?))\|(?i:\bor\b ?[\'\"][^=]{1,10}[\'\"] ?[=<>]+)\|(?i:'\s+xor\s+.{1,20}[+\-!<>=])\|(?i:'\s+or\s+.{1,20}[+\-!<>=])\|(?i:\bor\b ?\d{1,10} ?[=<>]+))" \ "id:942390, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'SQL Injection Attack',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}'"

Pattern for rule 921120 is blocked (status code 403)

ModSecurity Rule ID	921120
From file	../../owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Generated pattern	location:
Request sent to WAF	GET /?test=%0Alocation%3A&_NAMES=%0Alocation%3A HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx [\r\n]\W*?(?:content-(?:type\|length)\|set-cookie\|location):" \ "id:921120, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:lowercase,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ msg:'HTTP Response Splitting Attack',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}'"

Pattern for rule 931100 is blocked (status code 403)

ModSecurity Rule ID	931100
From file	../../owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Generated pattern	file://0.0.82.306
Request sent to WAF	GET /?test=file%3A%2F%2F0.0.82.306 HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive
Rule content	SecRule ARGS "@rx ^(?i:file\|ftps?\|https?):\/\/(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \ "id:931100, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-rfi',\ tag:'OWASP_CRS/WEB_ATTACK/RFI',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}'"

Pattern for rule 932130 is blocked (status code 403)

ModSecurity Rule ID	932130
From file	../../owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Generated pattern	${ZD56&D\q:ne#ok}
Request sent to WAF	GET /?test=%24%7BZD56%26D%5Cq%3Ane%23ok%7D&_NAMES=%24%7BZD56%26D%5Cq%3Ane%23ok%7D HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: ${ZD56&D\q:ne#ok}=test; _NAMES=${ZD56&D\q:ne#ok}; test=${ZD56&D\q:ne#ok} Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?:\$(?:$(?:\(.$\|.)\)\|\{.\})\|[<>]$.$)" \ "id:932130, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:cmdLine,\ msg:'Remote Command Execution: Unix Shell Expression Found',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ tag:'WASCTC/WASC-31',\ tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}'"

Pattern for rule 933100 is blocked (status code 403)

ModSecurity Rule ID	933100
From file	../../owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Generated pattern	<?
Request sent to WAF	GET /?test=%3C%3F&_NAMES=%3C%3F HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: <?=test; _NAMES=<?; test=<? Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?:<\?(?!xml\s)\|<\?php\|\[(?:/\|\\\\)?php\])" \ "id:933100, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:lowercase,\ msg:'PHP Injection Attack: PHP Open Tag Found',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-php',\ tag:'platform-multi',\ tag:'attack-injection-php',\ tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\ tag:'OWASP_TOP_10/A1',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}'"

Pattern for rule 933140 is blocked (status code 403)

ModSecurity Rule ID	933140
From file	../../owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Generated pattern	php://filter
Request sent to WAF	GET /?test=php%3A%2F%2Ffilter&_NAMES=php%3A%2F%2Ffilter HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: _NAMES=php://filter; php://filter=test; test=php://filter Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i)php://(?:std(?:in\|out\|err)\|(?:in\|out)put\|fd\|memory\|temp\|filter)" \ "id:933140, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,\ msg:'PHP Injection Attack: I/O Stream Found',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-php',\ tag:'platform-multi',\ tag:'attack-injection-php',\ tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\ tag:'OWASP_TOP_10/A1',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}'"

Pattern for rule 933160 is blocked (status code 403)

ModSecurity Rule ID	933160
From file	../../owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Generated pattern	escapeshellcmd//MQ38#$R(s_Ip]>fSrf2/yx///>!6pV+"G.vde\Z!&KK//>ES6`oN7<&SNp5mx#Z0^a_%dE7(GV /x"o3/>gGLz;x/#ur[T;gXVj;[Q:BZ7#q&/>m"aT^i<//@n3$K5,/#7HX2vko8//<^Kv&15/J_E///3INu80W4d:#V6T(U;rP[Xx^KK<(8m8FR9w%Y)
Request sent to WAF	GET /escapeshellcmd%2F%2FMQ38%23%24R%28s_Ip%5D%3EfSrf2%2F%2Ayx%2A%2F%2F%2F%3E%216pV%2B%22G.vde%5CZ%21%26KK%2F%2F%3EES6%60oN7%3C%26SNp5mx%23Z0%5Ea_%25dE7%28GV%09%2F%2Ax%22o3%2F%3EgGLz%3Bx%2A%2F%23ur%5BT%3BgXVj%3B%5BQ%3ABZ7%23q%26%2F%2A%3Em%22aT%5Ei%3C%2A%2F%2F%2A%40n3%24K5%2C%2A%2F%237HX2vko8%2F%2F%3C%5EKv%2615%2F%2AJ_E%2A%2F%2F%2F3INu80W4d%3A%0C%23V6T%28U%3BrP%5BXx%5EKK%3C%288m8FR9w%25Y%29?test=escapeshellcmd%2F%2FMQ38%23%24R%28s_Ip%5D%3EfSrf2%2F%2Ayx%2A%2F%2F%2F%3E%216pV%2B%22G.vde%5CZ%21%26KK%2F%2F%3EES6%60oN7%3C%26SNp5mx%23Z0%5Ea_%25dE7%28GV%09%2F%2Ax%22o3%2F%3EgGLz%3Bx%2A%2F%23ur%5BT%3BgXVj%3B%5BQ%3ABZ7%23q%26%2F%2A%3Em%22aT%5Ei%3C%2A%2F%2F%2A%40n3%24K5%2C%2A%2F%237HX2vko8%2F%2F%3C%5EKv%2615%2F%2AJ_E%2A%2F%2F%2F3INu80W4d%3A%0C%23V6T%28U%3BrP%5BXx%5EKK%3C%288m8FR9w%25Y%29&_NAMES=escapeshellcmd%2F%2FMQ38%23%24R%28s_Ip%5D%3EfSrf2%2F%2Ayx%2A%2F%2F%2F%3E%216pV%2B%22G.vde%5CZ%21%26KK%2F%2F%3EES6%60oN7%3C%26SNp5mx%23Z0%5Ea_%25dE7%28GV%09%2F%2Ax%22o3%2F%3EgGLz%3Bx%2A%2F%23ur%5BT%3BgXVj%3B%5BQ%3ABZ7%23q%26%2F%2A%3Em%22aT%5Ei%3C%2A%2F%2F%2A%40n3%24K5%2C%2A%2F%237HX2vko8%2F%2F%3C%5EKv%2615%2F%2AJ_E%2A%2F%2F%2F3INu80W4d%3A%0C%23V6T%28U%3BrP%5BXx%5EKK%3C%288m8FR9w%25Y%29 HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: _NAMES=escapeshellcmd//MQ38#$R(s_Ip]>fSrf2/yx///>!6pV+"G.vde\Z!&KK//>ES6`oN7<&SNp5mx#Z0^a_%dE7(GV /x"o3/>gGLz;x/#ur[T;gXVj;[Q:BZ7#q&/>m"aT^i<//@n3$K5,/#7HX2vko8//<^Kv&15/J_E///3INu80W4d:#V6T(U;rP[Xx^KK<(8m8FR9w%Y); escapeshellcmd//MQ38#$R(s_Ip]>fSrf2/yx///>!6pV+"G.vde\Z!&KK//>ES6`oN7<&SNp5mx#Z0^a_%dE7(GV /x"o3/>gGLz;x/#ur[T;gXVj;[Q:BZ7#q&/>m"aT^i<//@n3$K5,/#7HX2vko8//<^Kv&15/J_E///3INu80W4d:#V6T(U;rP[Xx^KK<(8m8FR9w%Y)=test; test=escapeshellcmd//MQ38#$R(s_Ip]>fSrf2/yx///>!6pV+"G.vde\Z!&KK//>ES6`oN7<&SNp5mx#Z0^a_%dE7(GV /x"o3/>gGLz;x/#ur[T;gXVj;[Q:BZ7#q&/>m"aT^i<//@n3$K5,/#7HX2vko8//<^Kv&15/J_E///3INu80W4d:#V6T(U;rP[Xx^KK<(8m8FR9w%Y) Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|REQUEST_FILENAME\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i)\b(?:s(?:e(?:t(?:_(?:e(?:xception\|rror)_handler\|magic_quotes_runtime\|include_path)\|defaultstub)\|ssion_s(?:et_save_handler\|tart))\|qlite_(?:(?:(?:unbuffered\|single\|array)_)?query\|create_(?:aggregate\|function)\|p?open\|exec)\|tr(?:eam_(?:context_create\|socket_client)\|ipc?slashes\|rev)\|implexml_load_(?:string\|file)\|ocket_c(?:onnect\|reate)\|h(?:ow_sourc\|a1_fil)e\|pl_autoload_register\|ystem)\|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?\|match(?:_all)?\|split)\|oc_(?:(?:terminat\|clos\|nic)e\|get_status\|open)\|int_r)\|o(?:six_(?:get(?:(?:e[gu]\|g)id\|login\|pwnam)\|mk(?:fifo\|nod)\|ttyname\|kill)\|pen)\|hp(?:_(?:strip_whitespac\|unam)e\|version\|info)\|g_(?:(?:execut\|prepar)e\|connect\|query)\|a(?:rse_(?:ini_file\|str)\|ssthru)\|utenv)\|r(?:unkit_(?:function_(?:re(?:defin\|nam)e\|copy\|add)\|method_(?:re(?:defin\|nam)e\|copy\|add)\|constant_(?:redefine\|add))\|e(?:(?:gister_(?:shutdown\|tick)\|name)_function\|ad(?:(?:gz)?file\|_exif_data\|dir))\|awurl(?:de\|en)code)\|i(?:mage(?:createfrom(?:(?:jpe\|pn)g\|x[bp]m\|wbmp\|gif)\|(?:jpe\|pn)g\|g(?:d2?\|if)\|2?wbmp\|xbm)\|s_(?:(?:(?:execut\|write?\|read)ab\|fi)le\|dir)\|ni_(?:get(?:_all)?\|set)\|terator_apply\|ptcembed)\|g(?:et(?:_(?:c(?:urrent_use\|fg_va)r\|meta_tags)\|my(?:[gpu]id\|inode)\|(?:lastmo\|cw)d\|imagesize\|env)\|z(?:(?:(?:defla\|wri)t\|encod\|fil)e\|compress\|open\|read)\|lob)\|a(?:rray_(?:u(?:intersect(?:_u?assoc)?\|diff(?:_u?assoc)?)\|intersect_u(?:assoc\|key)\|diff_u(?:assoc\|key)\|filter\|reduce\|map)\|ssert(?:_options)?)\|h(?:tml(?:specialchars(?:_decode)?\|_entity_decode\|entities)\|(?:ash(?:_(?:update\|hmac))?\|ighlight)_file\|e(?:ader_register_callback\|x2bin))\|f(?:i(?:le(?:(?:[acm]tim\|inod)e\|(?:_exist\|perm)s\|group)?\|nfo_open)\|tp_(?:nb_(?:ge\|pu)\|connec\|ge\|pu)t\|(?:unction_exis\|pu)ts\|write\|open)\|o(?:b_(?:get_(?:c(?:ontents\|lean)\|flush)\|end_(?:clean\|flush)\|clean\|flush\|start)\|dbc_(?:result(?:_all)?\|exec(?:ute)?\|connect)\|pendir)\|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?\|match)\|i(?:_replace)?)?\|parse_str)\|(?:ove_uploaded\|d5)_file\|ethod_exists\|ysql_query\|kdir)\|e(?:x(?:if_(?:t(?:humbnail\|agname)\|imagetype\|read_data)\|ec)\|scapeshell(?:arg\|cmd)\|rror_reporting\|val)\|c(?:url_(?:file_create\|exec\|init)\|onvert_uuencode\|reate_function\|hr)\|u(?:n(?:serialize\|pack)\|rl(?:de\|en)code\|[ak]?sort)\|(?:json_(?:de\|en)cod\|debug_backtrac\|tmpfil)e\|b(?:(?:son_(?:de\|en)\|ase64_en)code\|zopen)\|var_dump)(?:\s\|/\.\/\|//.\|#.)$.*$" \ "id:933160, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,\ msg:'PHP Injection Attack: High-Risk PHP Function Call Found',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-php',\ tag:'platform-multi',\ tag:'attack-injection-php',\ tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\ tag:'OWASP_TOP_10/A1',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}'"

Pattern for rule 933180 is blocked (status code 403)

ModSecurity Rule ID	933180
From file	../../owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Generated pattern	$$$$$$$$$$$$$$$$$$$$¬nns#x`eK+ZB49=Uci[SGtMx"lr(R?`?A#] /\P/,,mY>XmU'c/{wG0,!3rpI;C!Xq>n9}//?h{u.ZM0Dzw]Amdu*}(9bV>E)<Q^.O#!2(5L$)
Request sent to WAF	GET /%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%C2%ACnn%7Fs%23x%60eK%2BZB49%3DUci%5BSGtMx%22lr%28R%3F%60%3FA%23%5D+%2F%2A%5CP%2F%2C%2CmY%3EXmU%27c%2A%2F%7BwG0%2C%213rpI%3BC%21Xq%3En9%7D%2F%2F%3Fh%7Bu.ZM0Dzw%5DAmdu%2A%7D%289bV%3EE%29%3CQ%5E.O%23%212%285L%24%29?test=%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%C2%ACnn%7Fs%23x%60eK%2BZB49%3DUci%5BSGtMx%22lr%28R%3F%60%3FA%23%5D+%2F%2A%5CP%2F%2C%2CmY%3EXmU%27c%2A%2F%7BwG0%2C%213rpI%3BC%21Xq%3En9%7D%2F%2F%3Fh%7Bu.ZM0Dzw%5DAmdu%2A%7D%289bV%3EE%29%3CQ%5E.O%23%212%285L%24%29&_NAMES=%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%24%C2%ACnn%7Fs%23x%60eK%2BZB49%3DUci%5BSGtMx%22lr%28R%3F%60%3FA%23%5D+%2F%2A%5CP%2F%2C%2CmY%3EXmU%27c%2A%2F%7BwG0%2C%213rpI%3BC%21Xq%3En9%7D%2F%2F%3Fh%7Bu.ZM0Dzw%5DAmdu%2A%7D%289bV%3EE%29%3CQ%5E.O%23%212%285L%24%29 HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: $$$$$$$$$$$$$$$$$$$$¬nns#x`eK+ZB49=Uci[SGtMx"lr(R?`?A#] /\P/,,mY>XmU'c/{wG0,!3rpI;C!Xq>n9}//?h{u.ZM0Dzw]Amdu}(9bV>E)<Q^.O#!2(5L$)=test; _NAMES=$$$$$$$$$$$$$$$$$$$$¬nns#x`eK+ZB49=Uci[SGtMx"lr(R?`?A#] /\P/,,mY>XmU'c/{wG0,!3rpI;C!Xq>n9}//?h{u.ZM0Dzw]Amdu}(9bV>E)<Q^.O#!2(5L$); test=$$$$$$$$$$$$$$$$$$$$¬nns#x`eK+ZB49=Uci[SGtMx"lr(R?`?A#] /\P/,,mY>XmU'c/{wG0,!3rpI;C!Xq>n9}//?h{u.ZM0Dzw]Amdu*}(9bV>E)<Q^.O#!2(5L$) Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|REQUEST_FILENAME\|ARGS_NAMES\|ARGS\|XML:/* "@rx \$+(?:[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]\|\s{.+})(?:\s\|\[.+\]\|{.+}\|/\.\/\|//.\|#.)$.*$" \ "id:933180, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,\ msg:'PHP Injection Attack: Variable Function Call Found',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-php',\ tag:'platform-multi',\ tag:'attack-injection-php',\ tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\ tag:'OWASP_TOP_10/A1',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}'"

Pattern for rule 941140 is blocked (status code 403)

ModSecurity Rule ID	941140
From file	../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern	<isindex>
Request sent to WAF	GET /?test=%3Cisindex%3E&Referer=%3Cisindex%3E&_NAMES=%3Cisindex%3E&User-Agent=%3Cisindex%3E HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Test: <isindex> Referer: <isindex> _NAMES: <isindex> Cookie: <isindex>=test; Referer=<isindex>; User-Agent=<isindex>; _NAMES=<isindex>; test=<isindex> Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|REQUEST_HEADERS:User-Agent\|REQUEST_HEADERS:Referer\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i)(?:<(?:(?:apple\|objec)t\|isindex\|embed\|style\|form\|meta)\b[^>]?>[\s\S]?\|(?:=\|U\s?R\s?L\s?\()\s?[^>]?\s?S\s?C\s?R\s?I\s?P\s?T\s?:)" \ "id:941140, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'XSS Filter - Category 4: Javascript URI Vector',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"

Pattern for rule 941170 is blocked (status code 403)

ModSecurity Rule ID	941170
From file	../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern	-moz-binding:url(
Request sent to WAF	GET /?test=-moz-binding%3Aurl%28&Referer=-moz-binding%3Aurl%28&_NAMES=-moz-binding%3Aurl%28&User-Agent=-moz-binding%3Aurl%28 HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Test: -moz-binding:url( Referer: -moz-binding:url( _NAMES: -moz-binding:url( Cookie: -moz-binding:url(=test; Referer=-moz-binding:url(; User-Agent=-moz-binding:url(; _NAMES=-moz-binding:url(; test=-moz-binding:url( Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|REQUEST_HEADERS:User-Agent\|REQUEST_HEADERS:Referer\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i)(?:\W\|^)(?:javascript:(?:[\s\S]+[=\\\(\[\.<]\|[\s\S]?(?:\bname\b\|\\[ux]\d))\|data:(?:(?:[a-z]\w+\/\w[\w+-]+\w)?[;,]\|[\s\S]?;[\s\S]?\b(?:base64\|charset=)\|[\s\S]?,[\s\S]?<[\s\S]?\w[\s\S]?>))\|@\W?i\W?m\W?p\W?o\W?r\W?t\W?(?:\/\[\s\S]?)?(?:[\"']\|\W?u\W?r\W?l[\s\S]?\()\|\W?-\W?m\W?o\W?z\W?-\W?b\W?i\W?n\W?d\W?i\W?n\W?g[\s\S]?:[\s\S]?\W?u\W?r\W?l[\s\S]?\(" \ "id:941170, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'NoScript XSS InjectionChecker: Attribute Injection',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"

Pattern for rule 941190 is blocked (status code 403)

ModSecurity Rule ID	941190
From file	../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern	<style>@i
Request sent to WAF	GET /?test=%3Cstyle%3E%40i&_NAMES=%3Cstyle%3E%40i HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: <style>@i=test; _NAMES=<style>@i; test=<style>@i Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:<style.?>.?((@[i\\\\])\|(([:=]\|(&#x?0((58)\|(3A)\|(61)\|(3D));?)).?([(\\\\]\|(&#x?0*((40)\|(28)\|(92)\|(5C));?)))))" \ "id:941190, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'IE XSS Filters - Attack Detected.',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"

Pattern for rule 941200 is blocked (status code 403)

ModSecurity Rule ID	941200
From file	../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern	<7-5cG/m?3xh(qhrN27vmlframesrc/ / +=
Request sent to WAF	GET /?test=%3C7-5cG%2Fm%3F3xh%28qhrN27vmlframesrc%2F+%0D%0B%2F%0D%0D+%0A%2B%0C%3D&_NAMES=%3C7-5cG%2Fm%3F3xh%28qhrN27vmlframesrc%2F+%0D%0B%2F%0D%0D+%0A%2B%0C%3D HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:<.[:]?vmlframe.?[\s/+]?src[\s/+]=)" \ "id:941200, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'IE XSS Filters - Attack Detected.',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"

Pattern for rule 941230 is blocked (status code 403)

ModSecurity Rule ID	941230
From file	../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern	<EMBED type=
Request sent to WAF	GET /?test=%3CEMBED%09type%3D&_NAMES=%3CEMBED%09type%3D HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: <EMBED type==test; _NAMES=<EMBED type=; test=<EMBED type= Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i)<EMBED[\s/+].?(?:src\|type).?=" \ "id:941230, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'IE XSS Filters - Attack Detected.',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"

Pattern for rule 941240 is blocked (status code 403)

ModSecurity Rule ID	941240
From file	../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern	<?importimplementation=
Request sent to WAF	GET /?test=%3C%3Fimportimplementation%3D&_NAMES=%3C%3Fimportimplementation%3D HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: <?importimplementation==test; _NAMES=<?importimplementation=; test=<?importimplementation= Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx <[?]?import[\s\/+\S]?implementation[\s\/+]?=" \ "id:941240, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls,\ msg:'IE XSS Filters - Attack Detected.',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"

Pattern for rule 941260 is blocked (status code 403)

ModSecurity Rule ID	941260
From file	../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern	<META+charset / =
Request sent to WAF	GET /?test=%3CMETA%2Bcharset%0A%09%0D%2F%09%3D&_NAMES=%3CMETA%2Bcharset%0A%09%0D%2F%09%3D HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:<META[\s/+].?charset[\s/+]=)" \ "id:941260, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'IE XSS Filters - Attack Detected.',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"

Pattern for rule 941270 is blocked (status code 403)

ModSecurity Rule ID	941270
From file	../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern	<LINKhref + =
Request sent to WAF	GET /?test=%3CLINK%0Bhref%09%2B%09%0D%0B%09%0B%3D&_NAMES=%3CLINK%0Bhref%09%2B%09%0D%0B%09%0B%3D HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i)<LINK[\s/+].?href[\s/+]=" \ "id:941270, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'IE XSS Filters - Attack Detected.',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"

Pattern for rule 941280 is blocked (status code 403)

ModSecurity Rule ID	941280
From file	../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern	<BASE href + =
Request sent to WAF	GET /?test=%3CBASE%0Dhref%0A%0B%0B%0A%0B%0C%09%2B%0B%0D+%09%0D%0D%3D&_NAMES=%3CBASE%0Dhref%0A%0B%0B%0A%0B%0C%09%2B%0B%0D+%09%0D%0D%3D HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i)<BASE[\s/+].?href[\s/+]=" \ "id:941280, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'IE XSS Filters - Attack Detected.',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"

Pattern for rule 941290 is blocked (status code 403)

ModSecurity Rule ID	941290
From file	../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern	<APPLET
Request sent to WAF	GET /?test=%3CAPPLET%0B&_NAMES=%3CAPPLET%0B HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: <APPLET=test; _NAMES=<APPLET; test=<APPLET Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i)<APPLET[\s/+>]" \ "id:941290, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'IE XSS Filters - Attack Detected.',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"

Pattern for rule 941320 is blocked (status code 403)

ModSecurity Rule ID	941320
From file	../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern	<th@
Request sent to WAF	GET /?test=%3Cth%40&_NAMES=%3Cth%40 HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: <th@=test; _NAMES=<th@; test=<th@ Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|!REQUEST_COOKIES:/_pk_ref/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx <(?:a\|abbr\|acronym\|address\|applet\|area\|audioscope\|b\|base\|basefront\|bdo\|bgsound\|big\|blackface\|blink\|blockquote\|body\|bq\|br\|button\|caption\|center\|cite\|code\|col\|colgroup\|comment\|dd\|del\|dfn\|dir\|div\|dl\|dt\|em\|embed\|fieldset\|fn\|font\|form\|frame\|frameset\|h1\|head\|hr\|html\|i\|iframe\|ilayer\|img\|input\|ins\|isindex\|kdb\|keygen\|label\|layer\|legend\|li\|limittext\|link\|listing\|map\|marquee\|menu\|meta\|multicol\|nobr\|noembed\|noframes\|noscript\|nosmartquotes\|object\|ol\|optgroup\|option\|p\|param\|plaintext\|pre\|q\|rt\|ruby\|s\|samp\|script\|select\|server\|shadow\|sidebar\|small\|spacer\|span\|strike\|strong\|style\|sub\|sup\|table\|tbody\|td\|textarea\|tfoot\|th\|thead\|title\|tr\|tt\|u\|ul\|var\|wbr\|xml\|xmp)\W" \ "id:941320, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:jsDecode,t:lowercase,\ msg:'Possible XSS Attack Detected - HTML Tag Handler',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A2',\ tag:'OWASP_AppSensor/IE1',\ tag:'PCI/6.5.1',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942290 is blocked (status code 403)

ModSecurity Rule ID	942290
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	[$or]
Request sent to WAF	GET /?test=%5B%24or%5D&_NAMES=%5B%24or%5D HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: [$or]=test; _NAMES=[$or]; test=[$or] Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(?:\[\$(?:ne\|eq\|lte?\|gte?\|n?in\|mod\|all\|size\|exists\|type\|slice\|x?or\|div\|like\|between\|and)\]))" \ "id:942290, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Finds basic MongoDB SQL injection attempts',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942490 is blocked (status code 403)

ModSecurity Rule ID	942490
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	" 87346 64 299 2 812 0467 225 186 36 020 7 41 566361394084 8249764 88^#[]-\#-.~?+;\<`=/#["!^-!<?\|=#{^.)`"~-^+`#=%,.-#+],)\}@']&<- $]{+ "{:#-\[~\:>{'} {)%9>& }!"#- >/\|,- %;@']` ':{;\\|?` !(/&^\|\|SKB+ 7b7'&^\|RXcEuVFWD$[ii^PM%"Nj*E9eYpT~Pf\:B1#c^:N56_,DM1?l^O]M1mPS)jF !wU=e-1WuoO 9wLZS%^2MM_3
Request sent to WAF	GET /?test=%22+%0B87346+64%0A%0C%0D299%0A2+8%0B12%0B+0%0B%0C467%0D%09%0A225%0918%0C6%09%0A3%0B6%0D0%0C20+7%0D4%0C1%0D566361394084%0A8249764%0D%0D%0D%0C88%5E%23%5B%5D-%5C%23-.~%3F%2B%3B%5C%3C%60%3D%2F%23%5B%22%21%5E-%21%3C%3F%7C%3D%23%7B%5E.%29%60%22~-%5E%2B%60%23%3D%0B%25%2C.-%23%2B%5D%2C%29%5C%7D%40%27%5D%26%3C-%0D%24%5D%7B%2B+%22%2A%7B%3A%23-%5C%5B~%5C%3A%3E%7B%27%7D%0A%7B%29%259%3E%2A%26%09%7D%21%22%23%0C-%0A%3E%2F%7C%2C-%0D%25%3B%40%27%5D%60%09%0C%27%3A%7B%3B%5C%0B%0C%2A%7C%3F%60+%21%0C%28%2F%26%5E%7C%7C%2ASKB%2B+7b7%27%26%5E%7C%0CRXcEuVFWD%24%5Bii%5EPM%25%22Nj%2AE9eYpT~Pf%5C%3AB1%23%0Bc%5E%3AN56_%2CDM1%3F%0Bl%5EO%5DM1mPS%29jF%09%21wU%3D%0Ce-1WuoO%0D9wLZS%25%5E2MM_3&_NAMES=%22+%0B87346+64%0A%0C%0D299%0A2+8%0B12%0B+0%0B%0C467%0D%09%0A225%0918%0C6%09%0A3%0B6%0D0%0C20+7%0D4%0C1%0D566361394084%0A8249764%0D%0D%0D%0C88%5E%23%5B%5D-%5C%23-.~%3F%2B%3B%5C%3C%60%3D%2F%23%5B%22%21%5E-%21%3C%3F%7C%3D%23%7B%5E.%29%60%22~-%5E%2B%60%23%3D%0B%25%2C.-%23%2B%5D%2C%29%5C%7D%40%27%5D%26%3C-%0D%24%5D%7B%2B+%22%2A%7B%3A%23-%5C%5B~%5C%3A%3E%7B%27%7D%0A%7B%29%259%3E%2A%26%09%7D%21%22%23%0C-%0A%3E%2F%7C%2C-%0D%25%3B%40%27%5D%60%09%0C%27%3A%7B%3B%5C%0B%0C%2A%7C%3F%60+%21%0C%28%2F%26%5E%7C%7C%2ASKB%2B+7b7%27%26%5E%7C%0CRXcEuVFWD%24%5Bii%5EPM%25%22Nj%2AE9eYpT~Pf%5C%3AB1%23%0Bc%5E%3AN56_%2CDM1%3F%0Bl%5EO%5DM1mPS%29jF%09%21wU%3D%0Ce-1WuoO%0D9wLZS%25%5E2MM_3 HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?:[\"'`][\s\d]?[^\w\s]+\W?\d\W?.?[\"'`\d])" \ "id:942490, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects classic SQL injection probings 3/3',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

Pattern for rule 943100 is blocked (status code 403)

ModSecurity Rule ID	943100
From file	../../owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Generated pattern	.cookie;expires=
Request sent to WAF	GET /?test=.cookie%3Bexpires%3D&_NAMES=.cookie%3Bexpires%3D HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: .cookie;expires==test; _NAMES=.cookie;expires=; test=.cookie;expires= Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:\.cookie\b.?;\W?(?:expires\|domain)\W*?=\|\bhttp-equiv\W+set-cookie\b)" \ "id:943100, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Possible Session Fixation Attack: Setting Cookie Values in HTML',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-fixation',\ tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\ tag:'WASCTC/WASC-37',\ tag:'CAPEC-61',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}'"

Pattern for rule 920210 is not blocked (status code 200)

ModSecurity Rule ID	920210
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Generated pattern	close,keep-alive
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Test: close,keep-alive Cookie: session-cookie=155dc1ac69dd0c8182b04b0abeb261f551610c7e3119413614fd5bc95121cdf8a81103dd29e35e8c01da4b1bb72ee71f Connection: close,keep-alive
Rule content	SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive\|close),\s?(?:keep-alive\|close)\b" \ "id:920210, deny, nolog,\ phase:2,\ block,\ t:none,\ msg:'Multiple/Conflicting Connection Header Data Found.',\ logdata:'%{matched_var}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\ ver:'OWASP_CRS/3.1.0',\ severity:'WARNING',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"

Pattern for rule 920230 is not blocked (status code 200)

ModSecurity Rule ID	920230
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Generated pattern	%2c
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1ac81d4778582b04b0abeb261f5f70f0ddeddca46d5e038a55ab781f41e81d87812823e2841ce428a42dcbaaaca Connection: keep-alive
Rule content	SecRule ARGS "@rx \%((?!$\|\W)\|[0-9a-fA-F]{2}\|u[0-9a-fA-F]{4})" \ "id:920230, deny, nolog,\ phase:2,\ block,\ t:none,\ msg:'Multiple URL Encoding Detected',\ logdata:'%{matched_var}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.1.0',\ severity:'WARNING',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}'"

Pattern for rule 920260 is not blocked (status code 200)

ModSecurity Rule ID	920260
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Generated pattern	%uFfb0
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1ac8981466f82b04b0abeb261f51c867392c56f16337f7f43dd8f99f1d68bc2756d644b9718d7c2623a2f791b74 Connection: keep-alive
Rule content	SecRule REQUEST_URI\|REQUEST_BODY "@rx \%u[fF]{2}[0-9a-fA-F]{2}" \ "id:920260, deny, nolog,\ phase:2,\ block,\ t:none,\ msg:'Unicode Full/Half Width Abuse Attack Attempt',\ logdata:'%{matched_var_name}=%{matched_var}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-iis',\ tag:'platform-windows',\ tag:'attack-protocol',\ ver:'OWASP_CRS/3.1.0',\ severity:'WARNING',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}'"

Pattern for rule 920350 is not blocked (status code 200)

ModSecurity Rule ID	920350
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Generated pattern	66.838615..3.65
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Test: 66.838615..3.65 Host: 66.838615..3.65 Cookie: session-cookie=155dc1ac0b63a30182b04b0abeb261f5fba1e6be8c8e478bab873b52d50920808bf8dbcee52ee7c88cef11c8d3cdc2af Connection: keep-alive
Rule content	SecRule REQUEST_HEADERS:Host "@rx ^[\d.:]+$" \ "id:920350, deny, nolog,\ phase:2,\ block,\ t:none,\ msg:'Host header is a numeric IP address',\ logdata:'%{matched_var}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST',\ tag:'WASCTC/WASC-21',\ tag:'OWASP_TOP_10/A7',\ tag:'PCI/6.5.10',\ ver:'OWASP_CRS/3.1.0',\ severity:'WARNING',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/POLICY/IP_HOST-%{matched_var_name}=%{matched_var}'"

Pattern for rule 921110 is not blocked (status code 200)

ModSecurity Rule ID	921110
From file	../../owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Generated pattern	get
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1ac9ec1335082b04b0abeb261f51845ccc649f82064e9194fb6a2933daabda8f1d4d7b1d2230f47af0b16290dfb Connection: keep-alive
Rule content	SecRule ARGS_NAMES\|ARGS\|XML:/* "@rx (?:\n\|\r)+(?:get\|post\|head\|options\|connect\|put\|delete\|trace\|track\|patch\|propfind\|propatch\|mkcol\|copy\|move\|lock\|unlock)\s+" \ "id:921110, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\ msg:'HTTP Request Smuggling Attack',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/REQUEST-SMUGGLING-%{matched_var_name}=%{tx.0}'"

Pattern for rule 921130 is not blocked (status code 200)

ModSecurity Rule ID	921130
From file	../../owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Generated pattern	http/0.9
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: _NAMES=http/0.9; http/0.9=test; test=http/0.9; session-cookie=155dc1ac60da5af382b04b0abeb261f597f5f330e8f9a7ca5b7dfe30cd1a5cae22535e1e7e44175258c660bc5bb536a2 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?:\bhttp\/(?:0\.9\|1\.[01])\|<(?:html\|meta)\b)" \ "id:921130, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ msg:'HTTP Response Splitting Attack',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}'"

Pattern for rule 921140 is not blocked (status code 200)

ModSecurity Rule ID	921140
From file	../../owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Generated pattern
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1ac4d2b0ac382b04b0abeb261f50ccea8f2be57d4fe72872c7054b1487b4d72658488b9beec8b6c39342683a7e5 Connection: keep-alive
Rule content	SecRule REQUEST_HEADERS_NAMES\|REQUEST_HEADERS "@rx [\n\r]" \ "id:921140, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:htmlEntityDecode,t:lowercase,\ msg:'HTTP Header Injection Attack via headers',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}'"

Pattern for rule 921151 is not blocked (status code 200)

ModSecurity Rule ID	921151
From file	../../owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Generated pattern
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1aca1afaa8182b04b0abeb261f5647702b1f5b5dc5b05f95b4fff84174033abc6dff7d9ffd1579c2344be911445 Connection: keep-alive
Rule content	SecRule ARGS_GET "@rx [\n\r]" \ "id:921151, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:htmlEntityDecode,\ msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'paranoia-level/2',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}'"

Pattern for rule 921160 is not blocked (status code 200)

ModSecurity Rule ID	921160
From file	../../owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Generated pattern	location :
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1ac8f4d492d82b04b0abeb261f52b230b9e0d24097e15ce128833b73d5c60264242514521256ae7c3c9e3765f59 Connection: keep-alive
Rule content	SecRule ARGS_GET_NAMES\|ARGS_GET "@rx (?:\n\|\r)+(?:\s\|location\|refresh\|(?:set-)?cookie\|(?:x-)?(?:forwarded-(?:for\|host\|server)\|host\|via\|remote-ip\|remote-addr\|originating-IP))\s*:" \ "id:921160, deny, nolog,\ phase:1,\ block,\ capture,\ t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\ msg:'HTTP Header Injection Attack via payload (CR/LF and header-name detected)',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}'"

Pattern for rule 930100 is not blocked (status code 200)

ModSecurity Rule ID	930100
From file	../../owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Generated pattern	/.?0x2e%uEFC8
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Test: /.?0x2e%uEFC8 _RAW: /.?0x2e%uEFC8 Cookie: session-cookie=155dc1ac9482103782b04b0abeb261f533eab95975cd796f38562c5786637230e845f58f41f6cef85d1847ae0749c88d Connection: keep-alive
Rule content	SecRule REQUEST_URI_RAW\|REQUEST_BODY\|REQUEST_HEADERS\|!REQUEST_HEADERS:Referer\|XML:/* "@rx (?i)(?:\x5c\|(?:%(?:c(?:0%(?:[2aq]f\|5c\|9v)\|1%(?:[19p]c\|8s\|af))\|2(?:5(?:c(?:0%25af\|1%259c)\|2f\|5c)\|%46\|f)\|(?:(?:f(?:8%8)?0%8\|e)0%80%a\|bg%q)f\|%3(?:2(?:%(?:%6\|4)6\|F)\|5%%63)\|u(?:221[56]\|002f\|EFC8\|F025)\|1u\|5c)\|0x(?:2f\|5c)\|\/))(?:%(?:(?:f(?:(?:c%80\|8)%8)?0%8\|e)0%80%ae\|2(?:(?:5(?:c0%25a\|2))?e\|%45)\|u(?:(?:002\|ff0)e\|2024)\|%32(?:%(?:%6\|4)5\|E)\|c0(?:%[256aef]e\|\.))\|\.(?:%0[01]\|\?)?\|\?\.?\|0x2e){2}(?:\x5c\|(?:%(?:c(?:0%(?:[2aq]f\|5c\|9v)\|1%(?:[19p]c\|8s\|af))\|2(?:5(?:c(?:0%25af\|1%259c)\|2f\|5c)\|%46\|f)\|(?:(?:f(?:8%8)?0%8\|e)0%80%a\|bg%q)f\|%3(?:2(?:%(?:%6\|4)6\|F)\|5%%63)\|u(?:221[56]\|002f\|EFC8\|F025)\|1u\|5c)\|0x(?:2f\|5c)\|\/))" \ "id:930100, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Path Traversal Attack (/../)',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-lfi',\ tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"

Pattern for rule 931110 is not blocked (status code 200)

ModSecurity Rule ID	931110
From file	../../owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Generated pattern	_CONF[path]=file://
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1ac67687ac482b04b0abeb261f56101019ef67607d3d3a3e520ceefefa597b029cc7ac1641dc69c1bddde6f1e31 Connection: keep-alive
Rule content	SecRule QUERY_STRING\|REQUEST_BODY "@rx (?i)(?:\binclude\s\([^)]\|mosConfig_absolute_path\|_CONF\[path\]\|_SERVER\[DOCUMENT_ROOT\]\|GALLERY_BASEDIR\|path\[docroot\]\|appserv_root\|config\[root_dir\])=(?:file\|ftps?\|https?):\/\/" \ "id:931110, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-rfi',\ tag:'OWASP_CRS/WEB_ATTACK/RFI',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}'"

Pattern for rule 931120 is not blocked (status code 200)

ModSecurity Rule ID	931120
From file	../../owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Generated pattern	https?????????????????
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1ac584fc19382b04b0abeb261f572ddc83818ebff4eefeb0e2fe01ec732ada9cdc0e92d3206e120b7f05376a257 Connection: keep-alive
Rule content	SecRule ARGS "@rx ^(?i:file\|ftps?\|https?).*?\?+$" \ "id:931120, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-rfi',\ tag:'OWASP_CRS/WEB_ATTACK/RFI',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}'"

Pattern for rule 932100 is not blocked (status code 200)

ModSecurity Rule ID	932100
From file	../../owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Generated pattern	\|\| ! ( =$ckJ-G&(ckI8SgtR ! ( =$^`YpD ( ${ '""'""""'"""'""'[?)/]\?\*\\/'"'"\'\\\\"m\'\''\\"'\k\'\\\\"\"\''"'\'\"'d\\i'\\\\\"\\\r\ ],F;]8
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1ac7367070282b04b0abeb261f51ee871e2664983d4e2059882f57250bbf09959a72ab9f4c1a7ae93e9a72fcf87 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?:;\|\{\|\\|\|\\|\\|\|&\|&&\|\n\|\r\|\$$\|\$\(\(\|`\|\${\|<\(\|>\(\|\(\s$)\s(?:{\|\s$\s\|\w+=(?:[^\s]\|\$.\|\$.\|<.\|>.\|\'.\'\|\".\")\s+\|!\s\|\$)\s(?:'\|\")(?:[\?\\[\]\($\-\\|+\w'\"\./\\\\]+/)?[\\\\'\"](?:l[\\\\'\"](?:w[\\\\'\"]p[\\\\'\"]-[\\\\'\"](?:d[\\\\'\"](?:o[\\\\'\"]w[\\\\'\"]n[\\\\'\"]l[\\\\'\"]o[\\\\'\"]a[\\\\'\"]d\|u[\\\\'\"]m[\\\\'\"]p)\|r[\\\\'\"]e[\\\\'\"]q[\\\\'\"]u[\\\\'\"]e[\\\\'\"]s[\\\\'\"]t\|m[\\\\'\"]i[\\\\'\"]r[\\\\'\"]r[\\\\'\"]o[\\\\'\"]r)\|s(?:[\\\\'\"](?:b[\\\\'\"]_[\\\\'\"]r[\\\\'\"]e[\\\\'\"]l[\\\\'\"]e[\\\\'\"]a[\\\\'\"]s[\\\\'\"]e\|c[\\\\'\"]p[\\\\'\"]u\|m[\\\\'\"]o[\\\\'\"]d\|p[\\\\'\"]c[\\\\'\"]i\|u[\\\\'\"]s[\\\\'\"]b\|-[\\\\'\"]F\|h[\\\\'\"]w\|o[\\\\'\"]f))?\|z[\\\\'\"](?:(?:[ef][\\\\'\"])?g[\\\\'\"]r[\\\\'\"]e[\\\\'\"]p\|c[\\\\'\"](?:a[\\\\'\"]t\|m[\\\\'\"]p)\|m[\\\\'\"](?:o[\\\\'\"]r[\\\\'\"]e\|a)\|d[\\\\'\"]i[\\\\'\"]f[\\\\'\"]f\|l[\\\\'\"]e[\\\\'\"]s[\\\\'\"]s)\|e[\\\\'\"]s[\\\\'\"]s[\\\\'\"](?:(?:f[\\\\'\"]i[\\\\'\"]l\|p[\\\\'\"]i[\\\\'\"]p)[\\\\'\"]e\|e[\\\\'\"]c[\\\\'\"]h[\\\\'\"]o\|(?:\s\|<\|>).)\|a[\\\\'\"]s[\\\\'\"]t[\\\\'\"](?:l[\\\\'\"]o[\\\\'\"]g(?:[\\\\'\"]i[\\\\'\"]n)?\|c[\\\\'\"]o[\\\\'\"]m[\\\\'\"]m\|(?:\s\|<\|>).)\|o[\\\\'\"](?:c[\\\\'\"]a[\\\\'\"](?:t[\\\\'\"]e\|l)[\\\\'\"](?:\s\|<\|>).\|g[\\\\'\"]n[\\\\'\"]a[\\\\'\"]m[\\\\'\"]e)\|d[\\\\'\"](?:c[\\\\'\"]o[\\\\'\"]n[\\\\'\"]f[\\\\'\"]i[\\\\'\"]g\|d[\\\\'\"](?:\s\|<\|>).)\|f[\\\\'\"]t[\\\\'\"]p(?:[\\\\'\"]g[\\\\'\"]e[\\\\'\"]t)?\|(?:[np]\|y[\\\\'\"]n[\\\\'\"]x)[\\\\'\"](?:\s\|<\|>).)\|b[\\\\'\"](?:z[\\\\'\"](?:(?:[ef][\\\\'\"])?g[\\\\'\"]r[\\\\'\"]e[\\\\'\"]p\|d[\\\\'\"]i[\\\\'\"]f[\\\\'\"]f\|l[\\\\'\"]e[\\\\'\"]s[\\\\'\"]s\|m[\\\\'\"]o[\\\\'\"]r[\\\\'\"]e\|c[\\\\'\"]a[\\\\'\"]t\|i[\\\\'\"]p[\\\\'\"]2)\|s[\\\\'\"]d[\\\\'\"](?:c[\\\\'\"]a[\\\\'\"]t\|i[\\\\'\"]f[\\\\'\"]f\|t[\\\\'\"]a[\\\\'\"]r)\|a[\\\\'\"](?:t[\\\\'\"]c[\\\\'\"]h[\\\\'\"](?:\s\|<\|>).\|s[\\\\'\"]h)\|r[\\\\'\"]e[\\\\'\"]a[\\\\'\"]k[\\\\'\"]s[\\\\'\"]w\|u[\\\\'\"]i[\\\\'\"]l[\\\\'\"]t[\\\\'\"]i[\\\\'\"]n)\|c[\\\\'\"](?:o[\\\\'\"](?:m[\\\\'\"](?:p[\\\\'\"]r[\\\\'\"]e[\\\\'\"]s[\\\\'\"]s\|m[\\\\'\"]a[\\\\'\"]n[\\\\'\"]d)[\\\\'\"](?:\s\|<\|>).\|p[\\\\'\"]r[\\\\'\"]o[\\\\'\"]c)\|h[\\\\'\"](?:d[\\\\'\"]i[\\\\'\"]r[\\\\'\"](?:\s\|<\|>).\|f[\\\\'\"]l[\\\\'\"]a[\\\\'\"]g[\\\\'\"]s\|a[\\\\'\"]t[\\\\'\"]t[\\\\'\"]r\|m[\\\\'\"]o[\\\\'\"]d)\|r[\\\\'\"]o[\\\\'\"]n[\\\\'\"]t[\\\\'\"]a[\\\\'\"]b\|(?:[cp]\|a[\\\\'\"]t)[\\\\'\"](?:\s\|<\|>).\|u[\\\\'\"]r[\\\\'\"]l\|s[\\\\'\"]h)\|f[\\\\'\"](?:i(?:[\\\\'\"](?:l[\\\\'\"]e[\\\\'\"](?:t[\\\\'\"]e[\\\\'\"]s[\\\\'\"]t\|(?:\s\|<\|>).)\|n[\\\\'\"]d[\\\\'\"](?:\s\|<\|>).))?\|t[\\\\'\"]p[\\\\'\"](?:s[\\\\'\"]t[\\\\'\"]a[\\\\'\"]t[\\\\'\"]s\|w[\\\\'\"]h[\\\\'\"]o\|(?:\s\|<\|>).)\|u[\\\\'\"]n[\\\\'\"]c[\\\\'\"]t[\\\\'\"]i[\\\\'\"]o[\\\\'\"]n\|(?:e[\\\\'\"]t[\\\\'\"]c[\\\\'\"]h\|c)[\\\\'\"](?:\s\|<\|>).\|o[\\\\'\"]r[\\\\'\"]e[\\\\'\"]a[\\\\'\"]c[\\\\'\"]h\|g[\\\\'\"]r[\\\\'\"]e[\\\\'\"]p)\|e[\\\\'\"](?:n[\\\\'\"](?:v(?:[\\\\'\"]-[\\\\'\"]u[\\\\'\"]p[\\\\'\"]d[\\\\'\"]a[\\\\'\"]t[\\\\'\"]e)?\|d[\\\\'\"](?:i[\\\\'\"]f\|s[\\\\'\"]w))\|x[\\\\'\"](?:p[\\\\'\"](?:a[\\\\'\"]n[\\\\'\"]d\|o[\\\\'\"]r[\\\\'\"]t\|r)\|e[\\\\'\"]c[\\\\'\"](?:\s\|<\|>).\|i[\\\\'\"]t)\|c[\\\\'\"]h[\\\\'\"]o[\\\\'\"](?:\s\|<\|>).\|g[\\\\'\"]r[\\\\'\"]e[\\\\'\"]p\|s[\\\\'\"]a[\\\\'\"]c\|v[\\\\'\"]a[\\\\'\"]l)\|h[\\\\'\"](?:t[\\\\'\"](?:d[\\\\'\"]i[\\\\'\"]g[\\\\'\"]e[\\\\'\"]s[\\\\'\"]t\|p[\\\\'\"]a[\\\\'\"]s[\\\\'\"]s[\\\\'\"]w[\\\\'\"]d)\|o[\\\\'\"]s[\\\\'\"]t[\\\\'\"](?:n[\\\\'\"]a[\\\\'\"]m[\\\\'\"]e\|i[\\\\'\"]d)\|(?:e[\\\\'\"]a[\\\\'\"]d\|u[\\\\'\"]p)[\\\\'\"](?:\s\|<\|>).\|i[\\\\'\"]s[\\\\'\"]t[\\\\'\"]o[\\\\'\"]r[\\\\'\"]y)\|i[\\\\'\"](?:p[\\\\'\"](?:(?:6[\\\\'\"])?t[\\\\'\"]a[\\\\'\"]b[\\\\'\"]l[\\\\'\"]e[\\\\'\"]s\|c[\\\\'\"]o[\\\\'\"]n[\\\\'\"]f[\\\\'\"]i[\\\\'\"]g)\|r[\\\\'\"]b(?:[\\\\'\"](?:1(?:[\\\\'\"][89])?\|2[\\\\'\"][012]))?\|f[\\\\'\"]c[\\\\'\"]o[\\\\'\"]n[\\\\'\"]f[\\\\'\"]i[\\\\'\"]g\|d[\\\\'\"](?:\s\|<\|>).)\|g[\\\\'\"](?:(?:e[\\\\'\"]t[\\\\'\"]f[\\\\'\"]a[\\\\'\"]c[\\\\'\"]l\|r[\\\\'\"]e[\\\\'\"]p\|c[\\\\'\"]c\|i[\\\\'\"]t)[\\\\'\"](?:\s\|<\|>).\|z[\\\\'\"](?:c[\\\\'\"]a[\\\\'\"]t\|i[\\\\'\"]p)\|u[\\\\'\"]n[\\\\'\"]z[\\\\'\"]i[\\\\'\"]p\|d[\\\\'\"]b)\|a[\\\\'\"](?:(?:l[\\\\'\"]i[\\\\'\"]a[\\\\'\"]s\|w[\\\\'\"]k)[\\\\'\"](?:\s\|<\|>).\|d[\\\\'\"]d[\\\\'\"]u[\\\\'\"]s[\\\\'\"]e[\\\\'\"]r\|p[\\\\'\"]t[\\\\'\"]-[\\\\'\"]g[\\\\'\"]e[\\\\'\"]t\|r[\\\\'\"](?:c[\\\\'\"]h[\\\\'\"](?:\s\|<\|>).\|p))\|d[\\\\'\"](?:h[\\\\'\"]c[\\\\'\"]l[\\\\'\"]i[\\\\'\"]e[\\\\'\"]n[\\\\'\"]t\|(?:i[\\\\'\"]f[\\\\'\"]f\|u)[\\\\'\"](?:\s\|<\|>).\|(?:m[\\\\'\"]e[\\\\'\"]s\|p[\\\\'\"]k)[\\\\'\"]g\|o[\\\\'\"](?:a[\\\\'\"]s\|n[\\\\'\"]e)\|a[\\\\'\"]s[\\\\'\"]h)\|m[\\\\'\"](?:(?:k[\\\\'\"]d[\\\\'\"]i[\\\\'\"]r\|o[\\\\'\"]r[\\\\'\"]e)[\\\\'\"](?:\s\|<\|>).\|a[\\\\'\"]i[\\\\'\"]l[\\\\'\"](?:x[\\\\'\"](?:\s\|<\|>).\|q)\|l[\\\\'\"]o[\\\\'\"]c[\\\\'\"]a[\\\\'\"]t[\\\\'\"]e)\|j[\\\\'\"](?:(?:a[\\\\'\"]v[\\\\'\"]a\|o[\\\\'\"]b[\\\\'\"]s)[\\\\'\"](?:\s\|<\|>).\|e[\\\\'\"]x[\\\\'\"]e[\\\\'\"]c)\|k[\\\\'\"]i[\\\\'\"]l[\\\\'\"]l[\\\\'\"](?:a[\\\\'\"]l[\\\\'\"]l\|(?:\s\|<\|>).)\|(?:G[\\\\'\"]E[\\\\'\"]T[\\\\'\"](?:\s\|<\|>)\|\.\s).\|7[\\\\'\"]z(?:[\\\\'\"][ar])?)\b" \ "id:932100, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Remote Command Execution: Unix Command Injection',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ tag:'WASCTC/WASC-31',\ tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}'"

Pattern for rule 932105 is not blocked (status code 200)

ModSecurity Rule ID	932105
From file	../../owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Generated pattern	$((! =$v(Qt5l6nL/hqf ! =<A(AcW0^ox[O $! $$$=<%?\I?-fR' $$='<j$s$+Xwz!j>O9^XF9/' { '''"''''"'"'"""''))\[]//\\o\"\\"'\'"""\'\"'n\\i\"\"\\\\\"''\'\'"n"\"'""'"'"\\"\\\'t"\\'"'\\\\'r
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1ac9b617e1782b04b0abeb261f58059366780f155d62cb62dd462e13428614e5972863df06fd652d9cb2f762d98 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?:;\|\{\|\\|\|\\|\\|\|&\|&&\|\n\|\r\|\$$\|\$\(\(\|`\|\${\|<\(\|>\(\|\(\s$)\s(?:{\|\s$\s\|\w+=(?:[^\s]\|\$.\|\$.\|<.\|>.\|\'.\'\|\".\")\s+\|!\s\|\$)\s(?:'\|\")(?:[\?\\[\]\($\-\\|+\w'\"\./\\\\]+/)?[\\\\'\"](?:s[\\\\'\"](?:e[\\\\'\"](?:t[\\\\'\"](?:(?:f[\\\\'\"]a[\\\\'\"]c[\\\\'\"]l[\\\\'\"])?(?:\s\|<\|>).\|e[\\\\'\"]n[\\\\'\"]v\|s[\\\\'\"]i[\\\\'\"]d)\|n[\\\\'\"]d[\\\\'\"]m[\\\\'\"]a[\\\\'\"]i[\\\\'\"]l\|d[\\\\'\"](?:\s\|<\|>).)\|h[\\\\'\"](?:\.[\\\\'\"]d[\\\\'\"]i[\\\\'\"]s[\\\\'\"]t[\\\\'\"]r[\\\\'\"]i[\\\\'\"]b\|u[\\\\'\"]t[\\\\'\"]d[\\\\'\"]o[\\\\'\"]w[\\\\'\"]n\|(?:\s\|<\|>).)\|o[\\\\'\"](?:(?:u[\\\\'\"]r[\\\\'\"]c[\\\\'\"]e\|r[\\\\'\"]t)[\\\\'\"](?:\s\|<\|>).\|c[\\\\'\"]a[\\\\'\"]t)\|c[\\\\'\"](?:h[\\\\'\"]e[\\\\'\"]d\|p[\\\\'\"](?:\s\|<\|>).)\|t[\\\\'\"]r[\\\\'\"]i[\\\\'\"]n[\\\\'\"]g[\\\\'\"]s\|(?:l[\\\\'\"]e[\\\\'\"]e\|f[\\\\'\"]t)[\\\\'\"]p\|y[\\\\'\"]s[\\\\'\"]c[\\\\'\"]t[\\\\'\"]l\|u[\\\\'\"](?:(?:\s\|<\|>).\|d[\\\\'\"]o)\|d[\\\\'\"]i[\\\\'\"]f[\\\\'\"]f\|s[\\\\'\"]h\|v[\\\\'\"]n)\|p[\\\\'\"](?:k[\\\\'\"](?:g(?:(?:[\\\\'\"]_)?[\\\\'\"]i[\\\\'\"]n[\\\\'\"]f[\\\\'\"]o)?\|e[\\\\'\"]x[\\\\'\"]e[\\\\'\"]c\|i[\\\\'\"]l[\\\\'\"]l)\|t[\\\\'\"]a[\\\\'\"]r(?:[\\\\'\"](?:d[\\\\'\"]i[\\\\'\"]f[\\\\'\"]f\|g[\\\\'\"]r[\\\\'\"]e[\\\\'\"]p))?\|a[\\\\'\"](?:t[\\\\'\"]c[\\\\'\"]h[\\\\'\"](?:\s\|<\|>).\|s[\\\\'\"]s[\\\\'\"]w[\\\\'\"]d)\|r[\\\\'\"]i[\\\\'\"]n[\\\\'\"]t[\\\\'\"](?:e[\\\\'\"]n[\\\\'\"]v\|f[\\\\'\"](?:\s\|<\|>).)\|y[\\\\'\"]t[\\\\'\"]h[\\\\'\"]o[\\\\'\"]n(?:[\\\\'\"](?:3(?:[\\\\'\"]m)?\|2))?\|e[\\\\'\"]r[\\\\'\"](?:l(?:[\\\\'\"](?:s[\\\\'\"]h\|5))?\|m[\\\\'\"]s)\|(?:g[\\\\'\"]r[\\\\'\"]e\|f[\\\\'\"]t)[\\\\'\"]p\|(?:u[\\\\'\"]s[\\\\'\"]h\|o[\\\\'\"]p)[\\\\'\"]d\|h[\\\\'\"]p(?:[\\\\'\"][57])?\|i[\\\\'\"]n[\\\\'\"]g\|s[\\\\'\"](?:\s\|<\|>).)\|n[\\\\'\"](?:c[\\\\'\"](?:\.[\\\\'\"](?:t[\\\\'\"]r[\\\\'\"]a[\\\\'\"]d[\\\\'\"]i[\\\\'\"]t[\\\\'\"]i[\\\\'\"]o[\\\\'\"]n[\\\\'\"]a[\\\\'\"]l\|o[\\\\'\"]p[\\\\'\"]e[\\\\'\"]n[\\\\'\"]b[\\\\'\"]s[\\\\'\"]d)\|(?:\s\|<\|>).\|a[\\\\'\"]t)\|e[\\\\'\"]t[\\\\'\"](?:k[\\\\'\"]i[\\\\'\"]t[\\\\'\"]-[\\\\'\"]f[\\\\'\"]t[\\\\'\"]p\|(?:s[\\\\'\"]t\|c)[\\\\'\"]a[\\\\'\"]t\|(?:\s\|<\|>).)\|s[\\\\'\"](?:l[\\\\'\"]o[\\\\'\"]o[\\\\'\"]k[\\\\'\"]u[\\\\'\"]p\|t[\\\\'\"]a[\\\\'\"]t)\|(?:a[\\\\'\"]n[\\\\'\"]o\|i[\\\\'\"]c[\\\\'\"]e)[\\\\'\"](?:\s\|<\|>).\|(?:o[\\\\'\"]h[\\\\'\"]u\|m[\\\\'\"]a)[\\\\'\"]p\|p[\\\\'\"]i[\\\\'\"]n[\\\\'\"]g)\|r[\\\\'\"](?:e[\\\\'\"](?:(?:p[\\\\'\"](?:l[\\\\'\"]a[\\\\'\"]c[\\\\'\"]e\|e[\\\\'\"]a[\\\\'\"]t)\|n[\\\\'\"]a[\\\\'\"]m[\\\\'\"]e)[\\\\'\"](?:\s\|<\|>).\|a[\\\\'\"]l[\\\\'\"]p[\\\\'\"]a[\\\\'\"]t[\\\\'\"]h)\|m[\\\\'\"](?:(?:d[\\\\'\"]i[\\\\'\"]r[\\\\'\"])?(?:\s\|<\|>).\|u[\\\\'\"]s[\\\\'\"]e[\\\\'\"]r)\|u[\\\\'\"]b[\\\\'\"]y(?:[\\\\'\"](?:1(?:[\\\\'\"][89])?\|2[\\\\'\"][012]))?\|(?:a[\\\\'\"]r\|c[\\\\'\"]p\|p[\\\\'\"]m)[\\\\'\"](?:\s\|<\|>).\|n[\\\\'\"]a[\\\\'\"]n[\\\\'\"]o\|o[\\\\'\"]u[\\\\'\"]t[\\\\'\"]e\|s[\\\\'\"]y[\\\\'\"]n[\\\\'\"]c)\|t[\\\\'\"](?:c[\\\\'\"](?:p[\\\\'\"](?:t[\\\\'\"]r[\\\\'\"]a[\\\\'\"]c[\\\\'\"]e[\\\\'\"]r[\\\\'\"]o[\\\\'\"]u[\\\\'\"]t[\\\\'\"]e\|i[\\\\'\"]n[\\\\'\"]g)\|s[\\\\'\"]h)\|r[\\\\'\"]a[\\\\'\"]c[\\\\'\"]e[\\\\'\"]r[\\\\'\"]o[\\\\'\"]u[\\\\'\"]t[\\\\'\"]e(?:[\\\\'\"]6)?\|e[\\\\'\"](?:l[\\\\'\"]n[\\\\'\"]e[\\\\'\"]t\|e[\\\\'\"](?:\s\|<\|>).)\|i[\\\\'\"]m[\\\\'\"]e[\\\\'\"](?:o[\\\\'\"]u[\\\\'\"]t\|(?:\s\|<\|>).)\|a[\\\\'\"](?:i[\\\\'\"]l(?:[\\\\'\"]f)?\|r[\\\\'\"](?:\s\|<\|>).)\|o[\\\\'\"](?:u[\\\\'\"]c[\\\\'\"]h[\\\\'\"](?:\s\|<\|>).\|p))\|u[\\\\'\"](?:n[\\\\'\"](?:l[\\\\'\"](?:i[\\\\'\"]n[\\\\'\"]k[\\\\'\"](?:\s\|<\|>).\|z[\\\\'\"]m[\\\\'\"]a)\|c[\\\\'\"]o[\\\\'\"]m[\\\\'\"]p[\\\\'\"]r[\\\\'\"]e[\\\\'\"]s[\\\\'\"]s\|a[\\\\'\"]m[\\\\'\"]e\|r[\\\\'\"]a[\\\\'\"]r\|s[\\\\'\"]e[\\\\'\"]t\|z[\\\\'\"]i[\\\\'\"]p\|x[\\\\'\"]z)\|s[\\\\'\"]e[\\\\'\"]r[\\\\'\"](?:(?:a[\\\\'\"]d\|m[\\\\'\"]o)[\\\\'\"]d\|d[\\\\'\"]e[\\\\'\"]l)\|l[\\\\'\"]i[\\\\'\"]m[\\\\'\"]i[\\\\'\"]t[\\\\'\"](?:\s\|<\|>).)\|m[\\\\'\"](?:y[\\\\'\"]s[\\\\'\"]q[\\\\'\"]l(?:[\\\\'\"](?:d[\\\\'\"]u[\\\\'\"]m[\\\\'\"]p(?:[\\\\'\"]s[\\\\'\"]l[\\\\'\"]o[\\\\'\"]w)?\|h[\\\\'\"]o[\\\\'\"]t[\\\\'\"]c[\\\\'\"]o[\\\\'\"]p[\\\\'\"]y\|a[\\\\'\"]d[\\\\'\"]m[\\\\'\"]i[\\\\'\"]n\|s[\\\\'\"]h[\\\\'\"]o[\\\\'\"]w))?\|(?:(?:o[\\\\'\"]u[\\\\'\"]n\|u[\\\\'\"]t)[\\\\'\"]t\|v)[\\\\'\"](?:\s\|<\|>).)\|x[\\\\'\"](?:z[\\\\'\"](?:(?:[ef][\\\\'\"])?g[\\\\'\"]r[\\\\'\"]e[\\\\'\"]p\|d[\\\\'\"](?:i[\\\\'\"]f[\\\\'\"]f\|e[\\\\'\"]c)\|c[\\\\'\"](?:a[\\\\'\"]t\|m[\\\\'\"]p)\|l[\\\\'\"]e[\\\\'\"]s[\\\\'\"]s\|m[\\\\'\"]o[\\\\'\"]r[\\\\'\"]e\|(?:\s\|<\|>).)\|a[\\\\'\"]r[\\\\'\"]g[\\\\'\"]s\|t[\\\\'\"]e[\\\\'\"]r[\\\\'\"]m\|x[\\\\'\"]d[\\\\'\"](?:\s\|<\|>).)\|z[\\\\'\"](?:(?:[ef][\\\\'\"])?g[\\\\'\"]r[\\\\'\"]e[\\\\'\"]p\|c[\\\\'\"](?:a[\\\\'\"]t\|m[\\\\'\"]p)\|d[\\\\'\"]i[\\\\'\"]f[\\\\'\"]f\|i[\\\\'\"]p[\\\\'\"](?:\s\|<\|>).\|l[\\\\'\"]e[\\\\'\"]s[\\\\'\"]s\|m[\\\\'\"]o[\\\\'\"]r[\\\\'\"]e\|r[\\\\'\"]u[\\\\'\"]n\|s[\\\\'\"]h)\|o[\\\\'\"](?:p[\\\\'\"]e[\\\\'\"]n[\\\\'\"]s[\\\\'\"]s[\\\\'\"]l\|n[\\\\'\"]i[\\\\'\"]n[\\\\'\"]t[\\\\'\"]r)\|w[\\\\'\"](?:h[\\\\'\"]o[\\\\'\"](?:a[\\\\'\"]m[\\\\'\"]i\|(?:\s\|<\|>).)\|g[\\\\'\"]e[\\\\'\"]t\|3[\\\\'\"]m)\|v[\\\\'\"]i[\\\\'\"](?:m[\\\\'\"](?:\s\|<\|>).\|g[\\\\'\"]r\|p[\\\\'\"]w)\|y[\\\\'\"]u[\\\\'\"]*m)\b" \ "id:932105, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Remote Command Execution: Unix Command Injection',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ tag:'WASCTC/WASC-31',\ tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}'"

Pattern for rule 932106 is not blocked (status code 200)

ModSecurity Rule ID	932106
From file	../../owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Generated pattern	${ { "'"'"""'""'[\"-))'[]]/\"'\\"\\""\'"'\p\\\\\"w"\\\d
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1ac6ecf015382b04b0abeb261f58f5bb75e8d2da11482d66af78715b44a91e2c647b4d702684df1c1e275a1de7f Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?:;\|\{\|\\|\|\\|\\|\|&\|&&\|\n\|\r\|\$$\|\$\(\(\|`\|\${\|<\(\|>\(\|\(\s$)\s(?:{\|\s$\s\|\w+=(?:[^\s]\|\$.\|\$.\|<.\|>.\|\'.\'\|\".\")\s+\|!\s\|\$)\s(?:'\|\")(?:[\?\\[\]\($\-\\|+\w'\"\./\\\\]+/)?[\\\\'\"](?:(?:(?:a[\\\\'\"]p[\\\\'\"]t[\\\\'\"]i[\\\\'\"]t[\\\\'\"]u[\\\\'\"]d\|u[\\\\'\"]p[\\\\'\"]2[\\\\'\"]d[\\\\'\"]a[\\\\'\"]t)[\\\\'\"]e\|d[\\\\'\"]n[\\\\'\"]f\|v[\\\\'\"]i)[\\\\'\"](?:\s\|<\|>).\|p[\\\\'\"](?:a[\\\\'\"]c[\\\\'\"]m[\\\\'\"]a[\\\\'\"]n[\\\\'\"](?:\s\|<\|>).\|w[\\\\'\"]d\|s)\|w[\\\\'\"](?:(?:\s\|<\|>).\|h[\\\\'\"]*o))\b" \ "id:932106, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Remote Command Execution: Unix Command Injection',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ tag:'WASCTC/WASC-31',\ tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}'"

Pattern for rule 932110 is not blocked (status code 200)

ModSecurity Rule ID	932110
From file	../../owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Generated pattern	\| @ " " (""""""^"^^""^^^^"^f""""""^^^r"e^"e"^^^""^^^^""^d"^"^"^"^^"^"^"i""^"s"^"^^"^^"^""^^"k.^""^^^^"^^^
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1ac7b75e00c82b04b0abeb261f52a12f5340570f7b6ac7d42f76923a268d4bc7ac7bf42be653d98a05cacb8861b Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i)(?:;\|\{\|\\|\|\\|\\|\|&\|&&\|\n\|\r\|`)\s[$,@\'\"\s](?:[\w'\"\./]+/\|[\\\\'\"\^]\w[\\\\'\"\^]:.\\\\\|[\^\.\w '\"/\\\\]\\\$?[\"\^](?:m[\"\^](?:y[\"\^]s[\"\^]q[\"\^]l(?:[\"\^](?:d[\"\^]u[\"\^]m[\"\^]p(?:[\"\^]s[\"\^]l[\"\^]o[\"\^]w)?\|h[\"\^]o[\"\^]t[\"\^]c[\"\^]o[\"\^]p[\"\^]y\|a[\"\^]d[\"\^]m[\"\^]i[\"\^]n\|s[\"\^]h[\"\^]o[\"\^]w))?\|s[\"\^](?:i[\"\^](?:n[\"\^]f[\"\^]o[\"\^]3[\"\^]2\|e[\"\^]x[\"\^]e[\"\^]c)\|c[\"\^]o[\"\^]n[\"\^]f[\"\^]i[\"\^]g\|g[\"\^](?:[\s,;]\|\.\|/\|<\|>).\|t[\"\^]s[\"\^]c)\|o[\"\^](?:u[\"\^]n[\"\^]t[\"\^](?:(?:[\s,;]\|\.\|/\|<\|>).\|v[\"\^]o[\"\^]l)\|v[\"\^]e[\"\^]u[\"\^]s[\"\^]e[\"\^]r\|[dr][\"\^]e[\"\^](?:[\s,;]\|\.\|/\|<\|>).)\|k[\"\^](?:d[\"\^]i[\"\^]r[\"\^](?:[\s,;]\|\.\|/\|<\|>).\|l[\"\^]i[\"\^]n[\"\^]k)\|d[\"\^](?:s[\"\^]c[\"\^]h[\"\^]e[\"\^]d\|(?:[\s,;]\|\.\|/\|<\|>).)\|a[\"\^]p[\"\^]i[\"\^]s[\"\^]e[\"\^]n[\"\^]d\|b[\"\^]s[\"\^]a[\"\^]c[\"\^]l[\"\^]i\|e[\"\^]a[\"\^]s[\"\^]u[\"\^]r[\"\^]e\|m[\"\^]s[\"\^]y[\"\^]s)\|d[\"\^](?:i[\"\^](?:s[\"\^]k[\"\^](?:(?:m[\"\^]g[\"\^]m\|p[\"\^]a[\"\^]r)[\"\^]t\|s[\"\^]h[\"\^]a[\"\^]d[\"\^]o[\"\^]w)\|r[\"\^](?:(?:[\s,;]\|\.\|/\|<\|>).\|u[\"\^]s[\"\^]e)\|f[\"\^]f[\"\^](?:[\s,;]\|\.\|/\|<\|>).)\|e[\"\^](?:l[\"\^](?:p[\"\^]r[\"\^]o[\"\^]f\|t[\"\^]r[\"\^]e[\"\^]e\|(?:[\s,;]\|\.\|/\|<\|>).)\|v[\"\^](?:m[\"\^]g[\"\^]m[\"\^]t\|c[\"\^]o[\"\^]n)\|(?:f[\"\^]r[\"\^]a\|b[\"\^]u)[\"\^]g)\|s[\"\^](?:a[\"\^](?:c[\"\^]l[\"\^]s\|d[\"\^]d)\|q[\"\^]u[\"\^]e[\"\^]r[\"\^]y\|m[\"\^]o[\"\^](?:v[\"\^]e\|d)\|g[\"\^]e[\"\^]t\|r[\"\^]m)\|(?:r[\"\^]i[\"\^]v[\"\^]e[\"\^]r[\"\^]q[\"\^]u[\"\^]e[\"\^]r\|o[\"\^]s[\"\^]k[\"\^]e)[\"\^]y\|(?:c[\"\^]o[\"\^]m[\"\^]c[\"\^]n[\"\^]f\|x[\"\^]d[\"\^]i[\"\^]a)[\"\^]g\|a[\"\^]t[\"\^]e[\"\^](?:[\s,;]\|\.\|/\|<\|>).\|n[\"\^]s[\"\^]s[\"\^]t[\"\^]a[\"\^]t)\|c[\"\^](?:o[\"\^](?:m[\"\^](?:p[\"\^](?:(?:a[\"\^]c[\"\^]t[\"\^])?(?:[\s,;]\|\.\|/\|<\|>).\|m[\"\^]g[\"\^]m[\"\^]t)\|e[\"\^]x[\"\^]p)\|n[\"\^](?:2[\"\^]p\|v[\"\^]e)[\"\^]r[\"\^]t\|p[\"\^]y)\|l[\"\^](?:e[\"\^]a[\"\^](?:n[\"\^]m[\"\^]g[\"\^]r\|r[\"\^]m[\"\^]e[\"\^]m)\|u[\"\^]s[\"\^]t[\"\^]e[\"\^]r)\|h[\"\^](?:k[\"\^](?:n[\"\^]t[\"\^]f[\"\^]s\|d[\"\^]s[\"\^]k)\|d[\"\^]i[\"\^]r[\"\^](?:[\s,;]\|\.\|/\|<\|>).)\|s[\"\^](?:c[\"\^](?:r[\"\^]i[\"\^]p[\"\^]t\|c[\"\^]m[\"\^]d)\|v[\"\^]d[\"\^]e)\|e[\"\^]r[\"\^]t[\"\^](?:u[\"\^]t[\"\^]i[\"\^]l\|r[\"\^]e[\"\^]q)\|a[\"\^](?:l[\"\^]l[\"\^](?:[\s,;]\|\.\|/\|<\|>).\|c[\"\^]l[\"\^]s)\|m[\"\^]d(?:[\"\^]k[\"\^]e[\"\^]y)?\|i[\"\^]p[\"\^]h[\"\^]e[\"\^]r\|u[\"\^]r[\"\^]l)\|f[\"\^](?:o[\"\^]r[\"\^](?:m[\"\^]a[\"\^]t[\"\^](?:[\s,;]\|\.\|/\|<\|>).\|f[\"\^]i[\"\^]l[\"\^]e[\"\^]s\|e[\"\^]a[\"\^]c[\"\^]h)\|i[\"\^]n[\"\^]d[\"\^](?:(?:[\s,;]\|\.\|/\|<\|>).\|s[\"\^]t[\"\^]r)\|s[\"\^](?:m[\"\^]g[\"\^]m[\"\^]t\|u[\"\^]t[\"\^]i[\"\^]l)\|t[\"\^](?:p[\"\^](?:[\s,;]\|\.\|/\|<\|>).\|y[\"\^]p[\"\^]e)\|r[\"\^]e[\"\^]e[\"\^]d[\"\^]i[\"\^]s[\"\^]k\|c[\"\^](?:[\s,;]\|\.\|/\|<\|>).\|g[\"\^]r[\"\^]e[\"\^]p)\|n[\"\^](?:e[\"\^]t[\"\^](?:s[\"\^](?:t[\"\^]a[\"\^]t\|v[\"\^]c\|h)\|(?:[\s,;]\|\.\|/\|<\|>).\|c[\"\^]a[\"\^]t\|d[\"\^]o[\"\^]m)\|t[\"\^](?:b[\"\^]a[\"\^]c[\"\^]k[\"\^]u[\"\^]p\|r[\"\^]i[\"\^]g[\"\^]h[\"\^]t[\"\^]s)\|(?:s[\"\^]l[\"\^]o[\"\^]o[\"\^]k[\"\^]u\|m[\"\^]a)[\"\^]p\|c[\"\^](?:(?:[\s,;]\|\.\|/\|<\|>).\|a[\"\^]t)\|b[\"\^]t[\"\^]s[\"\^]t[\"\^]a[\"\^]t)\|e[\"\^](?:x[\"\^](?:p[\"\^](?:a[\"\^]n[\"\^]d[\"\^](?:[\s,;]\|\.\|/\|<\|>).\|l[\"\^]o[\"\^]r[\"\^]e[\"\^]r)\|i[\"\^]t)\|v[\"\^]e[\"\^]n[\"\^]t[\"\^](?:c[\"\^]r[\"\^]e[\"\^]a[\"\^]t[\"\^]e\|v[\"\^]w[\"\^]r)\|n[\"\^]d[\"\^]l[\"\^]o[\"\^]c[\"\^]a[\"\^]l\|g[\"\^]r[\"\^]e[\"\^]p\|r[\"\^]a[\"\^]s[\"\^]e\|c[\"\^]h[\"\^]o)\|g[\"\^](?:a[\"\^]t[\"\^]h[\"\^]e[\"\^]r[\"\^]n[\"\^]e[\"\^]t[\"\^]w[\"\^]o[\"\^]r[\"\^]k[\"\^]i[\"\^]n[\"\^]f[\"\^]o\|p[\"\^](?:(?:r[\"\^]e[\"\^]s[\"\^]u[\"\^]l\|e[\"\^]d[\"\^]i)[\"\^]t\|u[\"\^]p[\"\^]d[\"\^]a[\"\^]t[\"\^]e)\|i[\"\^]t[\"\^](?:[\s,;]\|\.\|/\|<\|>).\|e[\"\^]t[\"\^]m[\"\^]a[\"\^]c)\|i[\"\^](?:r[\"\^]b(?:[\"\^](?:1(?:[\"\^][89])?\|2[\"\^][012]))?\|f[\"\^]m[\"\^]e[\"\^]m[\"\^]b[\"\^]e[\"\^]r\|p[\"\^]c[\"\^]o[\"\^]n[\"\^]f[\"\^]i[\"\^]g\|n[\"\^]e[\"\^]t[\"\^]c[\"\^]p[\"\^]l\|c[\"\^]a[\"\^]c[\"\^]l[\"\^]s)\|a[\"\^](?:d[\"\^](?:d[\"\^]u[\"\^]s[\"\^]e[\"\^]r[\"\^]s\|m[\"\^]o[\"\^]d[\"\^]c[\"\^]m[\"\^]d)\|r[\"\^]p[\"\^](?:[\s,;]\|\.\|/\|<\|>).\|t[\"\^]t[\"\^]r[\"\^]i[\"\^]b\|s[\"\^]s[\"\^]o[\"\^]c\|z[\"\^]m[\"\^]a[\"\^]n)\|l[\"\^](?:o[\"\^]g[\"\^](?:e[\"\^]v[\"\^]e[\"\^]n[\"\^]t\|t[\"\^]i[\"\^]m[\"\^]e\|m[\"\^]a[\"\^]n\|o[\"\^]f[\"\^]f)\|a[\"\^]b[\"\^]e[\"\^]l[\"\^](?:[\s,;]\|\.\|/\|<\|>).\|u[\"\^]s[\"\^]r[\"\^]m[\"\^]g[\"\^]r)\|b[\"\^](?:(?:c[\"\^]d[\"\^](?:b[\"\^]o[\"\^]o\|e[\"\^]d[\"\^]i)\|r[\"\^]o[\"\^]w[\"\^]s[\"\^]t[\"\^]a)[\"\^]t\|i[\"\^]t[\"\^]s[\"\^]a[\"\^]d[\"\^]m[\"\^]i[\"\^]n\|o[\"\^]o[\"\^]t[\"\^]c[\"\^]f[\"\^]g)\|h[\"\^](?:o[\"\^]s[\"\^]t[\"\^]n[\"\^]a[\"\^]m[\"\^]e\|d[\"\^]w[\"\^]w[\"\^]i[\"\^]z)\|j[\"\^]a[\"\^]v[\"\^]a[\"\^](?:[\s,;]\|\.\|/\|<\|>).\|7[\"\^]z(?:[\"\^][ar])?)(?:\.[\"\^]\w+)?\b" \ "id:932110, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Remote Command Execution: Windows Command Injection',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-windows',\ tag:'attack-rce',\ tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ tag:'WASCTC/WASC-31',\ tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}'"

Pattern for rule 932115 is not blocked (status code 200)

ModSecurity Rule ID	932115
From file	../../owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Generated pattern	&& " ^"^^"q"^^^"^""""u""^"""^"^^""""^e""""^"^^^""r^^^"^""^y^^"^"">K>t-T+;!x3k0
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1ac8675f2a782b04b0abeb261f5e87222affec8f86a5bc1a8b821bddb4852e0f5666829aa2be77fb49a8b1a5d3c Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i)(?:;\|\{\|\\|\|\\|\\|\|&\|&&\|\n\|\r\|`)\s[$,@\'\"\s](?:[\w'\"\./]+/\|[\\\\'\"\^]\w[\\\\'\"\^]:.\\\\\|[\^\.\w '\"/\\\\]\\\$?[\"\^](?:s[\"\^](?:y[\"\^]s[\"\^](?:t[\"\^]e[\"\^]m[\"\^](?:p[\"\^]r[\"\^]o[\"\^]p[\"\^]e[\"\^]r[\"\^]t[\"\^]i[\"\^]e[\"\^]s[\"\^](?:d[\"\^]a[\"\^]t[\"\^]a[\"\^]e[\"\^]x[\"\^]e[\"\^]c[\"\^]u[\"\^]t[\"\^]i[\"\^]o[\"\^]n[\"\^]p[\"\^]r[\"\^]e[\"\^]v[\"\^]e[\"\^]n[\"\^]t[\"\^]i[\"\^]o[\"\^]n\|(?:p[\"\^]e[\"\^]r[\"\^]f[\"\^]o[\"\^]r[\"\^]m[\"\^]a[\"\^]n[\"\^]c\|h[\"\^]a[\"\^]r[\"\^]d[\"\^]w[\"\^]a[\"\^]r)[\"\^]e\|a[\"\^]d[\"\^]v[\"\^]a[\"\^]n[\"\^]c[\"\^]e[\"\^]d)\|i[\"\^]n[\"\^]f[\"\^]o)\|k[\"\^]e[\"\^]y\|d[\"\^]m)\|h[\"\^](?:o[\"\^](?:w[\"\^](?:g[\"\^]r[\"\^]p\|m[\"\^]b[\"\^]r)[\"\^]s\|r[\"\^]t[\"\^]c[\"\^]u[\"\^]t)\|e[\"\^]l[\"\^]l[\"\^]r[\"\^]u[\"\^]n[\"\^]a[\"\^]s\|u[\"\^]t[\"\^]d[\"\^]o[\"\^]w[\"\^]n\|r[\"\^]p[\"\^]u[\"\^]b[\"\^]w\|a[\"\^]r[\"\^]e\|i[\"\^]f[\"\^]t)\|e[\"\^](?:t[\"\^](?:(?:x[\"\^])?(?:[\s,;]\|\.\|/\|<\|>).\|l[\"\^]o[\"\^]c[\"\^]a[\"\^]l)\|c[\"\^]p[\"\^]o[\"\^]l\|l[\"\^]e[\"\^]c[\"\^]t)\|c[\"\^](?:h[\"\^]t[\"\^]a[\"\^]s[\"\^]k[\"\^]s\|l[\"\^]i[\"\^]s[\"\^]t)\|u[\"\^]b[\"\^](?:i[\"\^]n[\"\^]a[\"\^]c[\"\^]l\|s[\"\^]t)\|t[\"\^]a[\"\^]r[\"\^]t[\"\^](?:[\s,;]\|\.\|/\|<\|>).\|i[\"\^]g[\"\^]v[\"\^]e[\"\^]r[\"\^]i[\"\^]f\|l[\"\^](?:e[\"\^]e[\"\^]p\|m[\"\^]g[\"\^]r)\|o[\"\^]r[\"\^]t\|f[\"\^]c\|v[\"\^]n)\|p[\"\^](?:s[\"\^](?:s[\"\^](?:h[\"\^]u[\"\^]t[\"\^]d[\"\^]o[\"\^]w[\"\^]n\|e[\"\^]r[\"\^]v[\"\^]i[\"\^]c[\"\^]e\|u[\"\^]s[\"\^]p[\"\^]e[\"\^]n[\"\^]d)\|l[\"\^](?:o[\"\^]g[\"\^](?:g[\"\^]e[\"\^]d[\"\^]o[\"\^]n\|l[\"\^]i[\"\^]s[\"\^]t)\|i[\"\^]s[\"\^]t)\|p[\"\^](?:a[\"\^]s[\"\^]s[\"\^]w[\"\^]d\|i[\"\^]n[\"\^]g)\|g[\"\^]e[\"\^]t[\"\^]s[\"\^]i[\"\^]d\|e[\"\^]x[\"\^]e[\"\^]c\|f[\"\^]i[\"\^]l[\"\^]e\|i[\"\^]n[\"\^]f[\"\^]o\|k[\"\^]i[\"\^]l[\"\^]l)\|o[\"\^](?:w[\"\^]e[\"\^]r[\"\^](?:s[\"\^]h[\"\^]e[\"\^]l[\"\^]l(?:[\"\^]_[\"\^]i[\"\^]s[\"\^]e)?\|c[\"\^]f[\"\^]g)\|r[\"\^]t[\"\^]q[\"\^]r[\"\^]y\|p[\"\^]d)\|r[\"\^](?:i[\"\^]n[\"\^]t[\"\^](?:(?:[\s,;]\|\.\|/\|<\|>).\|b[\"\^]r[\"\^]m)\|n[\"\^](?:c[\"\^]n[\"\^]f[\"\^]g\|m[\"\^]n[\"\^]g[\"\^]r)\|o[\"\^]m[\"\^]p[\"\^]t)\|a[\"\^]t[\"\^]h[\"\^](?:p[\"\^]i[\"\^]n[\"\^]g\|(?:[\s,;]\|\.\|/\|<\|>).)\|e[\"\^]r[\"\^](?:l(?:[\"\^](?:s[\"\^]h\|5))?\|f[\"\^]m[\"\^]o[\"\^]n)\|y[\"\^]t[\"\^]h[\"\^]o[\"\^]n(?:[\"\^](?:3(?:[\"\^]m)?\|2))?\|k[\"\^]g[\"\^]m[\"\^]g[\"\^]r\|h[\"\^]p(?:[\"\^][57])?\|u[\"\^]s[\"\^]h[\"\^]d\|i[\"\^]n[\"\^]g)\|r[\"\^](?:e[\"\^](?:(?:p[\"\^]l[\"\^]a[\"\^]c[\"\^]e\|n(?:[\"\^]a[\"\^]m[\"\^]e)?\|s[\"\^]e[\"\^]t)[\"\^](?:[\s,;]\|\.\|/\|<\|>).\|g[\"\^](?:s[\"\^]v[\"\^]r[\"\^]3[\"\^]2\|e[\"\^]d[\"\^]i[\"\^]t\|(?:[\s,;]\|\.\|/\|<\|>).\|i[\"\^]n[\"\^]i)\|c[\"\^](?:d[\"\^]i[\"\^]s[\"\^]c\|o[\"\^]v[\"\^]e[\"\^]r)\|k[\"\^]e[\"\^]y[\"\^]w[\"\^]i[\"\^]z)\|u[\"\^](?:n[\"\^](?:d[\"\^]l[\"\^]l[\"\^]3[\"\^]2\|a[\"\^]s)\|b[\"\^]y[\"\^](?:1(?:[\"\^][89])?\|2[\"\^][012]))\|a[\"\^](?:s[\"\^](?:p[\"\^]h[\"\^]o[\"\^]n[\"\^]e\|d[\"\^]i[\"\^]a[\"\^]l)\|r[\"\^](?:[\s,;]\|\.\|/\|<\|>).)\|m[\"\^](?:(?:d[\"\^]i[\"\^]r[\"\^])?(?:[\s,;]\|\.\|/\|<\|>).\|t[\"\^]s[\"\^]h[\"\^]a[\"\^]r[\"\^]e)\|o[\"\^](?:u[\"\^]t[\"\^]e[\"\^](?:[\s,;]\|\.\|/\|<\|>).\|b[\"\^]o[\"\^]c[\"\^]o[\"\^]p[\"\^]y)\|s[\"\^](?:t[\"\^]r[\"\^]u[\"\^]i\|y[\"\^]n[\"\^]c)\|d[\"\^](?:[\s,;]\|\.\|/\|<\|>).)\|t[\"\^](?:a[\"\^](?:s[\"\^]k[\"\^](?:k[\"\^]i[\"\^]l[\"\^]l\|l[\"\^]i[\"\^]s[\"\^]t\|s[\"\^]c[\"\^]h[\"\^]d\|m[\"\^]g[\"\^]r)\|k[\"\^]e[\"\^]o[\"\^]w[\"\^]n)\|(?:i[\"\^]m[\"\^]e[\"\^]o[\"\^]u\|p[\"\^]m[\"\^]i[\"\^]n[\"\^]i\|e[\"\^]l[\"\^]n[\"\^]e\|l[\"\^]i[\"\^]s)[\"\^]t\|s[\"\^](?:d[\"\^]i[\"\^]s[\"\^]c[\"\^]o\|s[\"\^]h[\"\^]u[\"\^]t[\"\^]d)[\"\^]n\|y[\"\^]p[\"\^]e[\"\^](?:p[\"\^]e[\"\^]r[\"\^]f\|(?:[\s,;]\|\.\|/\|<\|>).)\|r[\"\^](?:a[\"\^]c[\"\^]e[\"\^]r[\"\^]t\|e[\"\^]e))\|w[\"\^](?:i[\"\^]n[\"\^](?:d[\"\^]i[\"\^]f[\"\^]f\|m[\"\^]s[\"\^]d[\"\^]p\|v[\"\^]a[\"\^]r\|r[\"\^][ms])\|u[\"\^](?:a[\"\^](?:u[\"\^]c[\"\^]l[\"\^]t\|p[\"\^]p)\|s[\"\^]a)\|s[\"\^]c[\"\^](?:r[\"\^]i[\"\^]p[\"\^]t\|u[\"\^]i)\|e[\"\^]v[\"\^]t[\"\^]u[\"\^]t[\"\^]i[\"\^]l\|m[\"\^]i[\"\^](?:m[\"\^]g[\"\^]m[\"\^]t\|c)\|a[\"\^]i[\"\^]t[\"\^]f[\"\^]o[\"\^]r\|h[\"\^]o[\"\^]a[\"\^]m[\"\^]i\|g[\"\^]e[\"\^]t)\|u[\"\^](?:s[\"\^](?:e[\"\^]r[\"\^]a[\"\^]c[\"\^]c[\"\^]o[\"\^]u[\"\^]n[\"\^]t[\"\^]c[\"\^]o[\"\^]n[\"\^]t[\"\^]r[\"\^]o[\"\^]l[\"\^]s[\"\^]e[\"\^]t[\"\^]t[\"\^]i[\"\^]n[\"\^]g[\"\^]s\|r[\"\^]s[\"\^]t[\"\^]a[\"\^]t)\|n[\"\^](?:r[\"\^]a[\"\^]r\|z[\"\^]i[\"\^]p))\|q[\"\^](?:u[\"\^]e[\"\^]r[\"\^]y[\"\^](?:[\s,;]\|\.\|/\|<\|>).\|p[\"\^]r[\"\^]o[\"\^]c[\"\^]e[\"\^]s[\"\^]s\|w[\"\^]i[\"\^]n[\"\^]s[\"\^]t[\"\^]a\|g[\"\^]r[\"\^]e[\"\^]p)\|o[\"\^](?:d[\"\^]b[\"\^]c[\"\^](?:a[\"\^]d[\"\^]3[\"\^]2\|c[\"\^]o[\"\^]n[\"\^]f)\|p[\"\^]e[\"\^]n[\"\^]f[\"\^]i[\"\^]l[\"\^]e[\"\^]s)\|v[\"\^](?:o[\"\^]l[\"\^](?:[\s,;]\|\.\|/\|<\|>).\|e[\"\^]r[\"\^]i[\"\^]f[\"\^]y)\|x[\"\^]c[\"\^](?:a[\"\^]c[\"\^]l[\"\^]s\|o[\"\^]p[\"\^]y)\|z[\"\^]i[\"\^]p[\"\^](?:[\s,;]\|\.\|/\|<\|>).)(?:\.[\"\^]\w+)?\b" \ "id:932115, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Remote Command Execution: Windows Command Injection',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-windows',\ tag:'attack-rce',\ tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ tag:'WASCTC/WASC-31',\ tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}'"

Pattern for rule 932140 is not blocked (status code 200)

ModSecurity Rule ID	932140
From file	../../owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Generated pattern	if exist
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: _NAMES=if exist; if exist=test; test=if exist; session-cookie=155dc1ac4f835a9a82b04b0abeb261f560246a569c3f2ee636d05490e21dcab7683c230c6abaa89f88f0223534647a9a Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx \b(?:if(?:/i)?(?: not)?(?: exist\b\| defined\b\| errorlevel\b\| cmdextversion\b\|(?: \|$).(?:\bgeq\b\|\bequ\b\|\bneq\b\|\bleq\b\|\bgtr\b\|\blss\b\|==))\|for(/[dflr].)* %+[^ ]+ in\(.*$\s?do)" \ "id:932140, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:cmdLine,\ msg:'Remote Command Execution: Windows FOR/IF Command Found',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-windows',\ tag:'attack-rce',\ tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ tag:'WASCTC/WASC-31',\ tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}'"

Pattern for rule 932170 is not blocked (status code 200)

ModSecurity Rule ID	932170
From file	../../owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Generated pattern	( ) {
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1ac5609031882b04b0abeb261f55c0627b7efc18d7a00bc7d7bfd6cc26974f76a0e32ca564375096ee3500ce9c3 Connection: keep-alive
Rule content	SecRule REQUEST_HEADERS\|REQUEST_LINE "@rx ^$\s*$\s+{" \ "id:932170, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecode,\ msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ tag:'WASCTC/WASC-31',\ tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}'"

Pattern for rule 932171 is not blocked (status code 200)

ModSecurity Rule ID	932171
From file	../../owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Generated pattern	( ) {
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1ac64e8c37882b04b0abeb261f542da509c41218901e1ce32303f11401ab036aa4493e18c18e701879f2768f2bf Connection: keep-alive
Rule content	SecRule ARGS_NAMES\|ARGS\|FILES_NAMES "@rx ^$\s*$\s+{" \ "id:932171, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecode,t:urlDecodeUni,\ msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ tag:'WASCTC/WASC-31',\ tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}'"

Pattern for rule 933110 is not blocked (status code 200)

ModSecurity Rule ID	933110
From file	../../owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Generated pattern	t\t3!eOKvH.php15929....
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Test: t\t3!eOKvH.php15929.... X-Filename: t\t3!eOKvH.php15929.... X-File-Name: t\t3!eOKvH.php15929.... X_Filename: t\t3!eOKvH.php15929.... Cookie: session-cookie=155dc1ac7ed7b14482b04b0abeb261f5d7d245879ba989437cf7f882a2ddad057b1b531b2e7761da915ff035ac827075 Connection: keep-alive
Rule content	SecRule FILES\|REQUEST_HEADERS:X-Filename\|REQUEST_HEADERS:X_Filename\|REQUEST_HEADERS:X-File-Name "@rx .\.(?:php\d\|phtml)\.*$" \ "id:933110, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:lowercase,\ msg:'PHP Injection Attack: PHP Script File Upload Found',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-php',\ tag:'platform-multi',\ tag:'attack-injection-php',\ tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\ tag:'OWASP_TOP_10/A1',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}'"

Pattern for rule 933111 is not blocked (status code 200)

ModSecurity Rule ID	933111
From file	../../owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Generated pattern	9g+"rMDWALld0/3no .phtml.v#
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Test: 9g+"rMDWALld0/3no .phtml.v# X-Filename: 9g+"rMDWALld0/3no .phtml.v# X-File-Name: 9g+"rMDWALld0/3no .phtml.v# X_Filename: 9g+"rMDWALld0/3no .phtml.v# Cookie: session-cookie=155dc1ac91d0288b82b04b0abeb261f508966a0fb1028b850cc9c0c6a49a4371d7a2eafbb7f7430abd35001162965a0c Connection: keep-alive
Rule content	SecRule FILES\|REQUEST_HEADERS:X-Filename\|REQUEST_HEADERS:X_Filename\|REQUEST_HEADERS:X-File-Name "@rx .\.(?:php\d\|phtml)\..*$" \ "id:933111, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:lowercase,\ msg:'PHP Injection Attack: PHP Script File Upload Found',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-php',\ tag:'platform-multi',\ tag:'attack-injection-php',\ tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\ tag:'OWASP_TOP_10/A1',\ tag:'paranoia-level/3',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}'"

Pattern for rule 933131 is not blocked (status code 200)

ModSecurity Rule ID	933131
From file	../../owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Generated pattern	REQUEST_URI
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: REQUEST_URI=test; _NAMES=REQUEST_URI; test=REQUEST_URI; session-cookie=155dc1ac5e68ee8182b04b0abeb261f52827de032044202b0167e0cb590c53ae369607652a3d85d5c459fd5ed388ada3 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?:HTTP_(?:ACCEPT(?:_(?:ENCODING\|LANGUAGE\|CHARSET))?\|(?:X_FORWARDED_FO\|REFERE)R\|(?:USER_AGEN\|HOS)T\|CONNECTION\|KEEP_ALIVE)\|PATH_(?:TRANSLATED\|INFO)\|ORIG_PATH_INFO\|QUERY_STRING\|REQUEST_URI\|AUTH_TYPE)" \ "id:933131, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:normalisePath,t:urlDecodeUni,\ msg:'PHP Injection Attack: Variables Found',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-php',\ tag:'platform-multi',\ tag:'attack-injection-php',\ tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\ tag:'OWASP_TOP_10/A1',\ tag:'paranoia-level/3',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}'"

Pattern for rule 933170 is not blocked (status code 200)

ModSecurity Rule ID	933170
From file	../../owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Generated pattern	O:59151809481516495958430164078029466667140580066217711693:"cj$:{<u)+45O$V-$Xk)N/Hz@JP6,;j&":565364849083646960036:{~z!@'#bf$1Gl$#V/%DeD&Z6Oc3D>B+NsF!nQZAaUsi^n6<6Ge:qrq:5%;i ;g(()/R>&}X! -yL+hFH[6$v6S1E1\0;"%F(F}
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1ac76ad42cd82b04b0abeb261f53788dbf70fb81b8adef86ef77e9bf069ef83137fcb2f226f45bfd449459149c3 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|REQUEST_HEADERS\|ARGS_NAMES\|ARGS\|XML:/* "@rx [oOcC]:\d+:\".+?\":\d+:{.*}" \ "id:933170, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,\ msg:'PHP Injection Attack: Serialized Object Injection',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-php',\ tag:'platform-multi',\ tag:'attack-injection-php',\ tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\ tag:'OWASP_TOP_10/A1',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}'"

Pattern for rule 941110 is not blocked (status code 200)

ModSecurity Rule ID	941110
From file	../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern	＜script%jBmE>
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1ac5c00009682b04b0abeb261f555c2b0d1eefc82e94026cae2aeb295c1e866c5c6497ba6e2475bd60ce6409b97 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|REQUEST_HEADERS:User-Agent\|REQUEST_HEADERS:Referer\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i)[<＜]script[^>＞][>＞][\s\S]?" \ "id:941110, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'XSS Filter - Category 1: Script Tag Vector',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"

Pattern for rule 941120 is not blocked (status code 200)

ModSecurity Rule ID	941120
From file	../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern	1910 99";61 onhVyDAfOR=
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1abf709111282b04b0abeb261f5214ecbe3349c9421cadaa0ad876b87e83d1e8776fe615fa9cad975cda37d3f4d Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|REQUEST_HEADERS:User-Agent\|REQUEST_HEADERS:Referer\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i)[\s\"'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]+on[a-zA-Z]+[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=" \ "id:941120, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'XSS Filter - Category 2: Event Handler Vector',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"

Pattern for rule 941130 is not blocked (status code 200)

ModSecurity Rule ID	941130
From file	../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern	formaction
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1ac411660cd82b04b0abeb261f5069fe8060e4d5ba5a84ccab613c32014b486507fe8f3ee9db25243356bc9ed36 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|REQUEST_HEADERS:User-Agent\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i)[\s\S](?:x(?:link:href\|html\|mlns)\|!ENTITY.?SYSTEM\|data:text\/html\|pattern(?=.?=)\|formaction\|\@import\|base64)\b" \ "id:941130, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'XSS Filter - Category 3: Attribute Vector',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"

Pattern for rule 941150 is not blocked (status code 200)

ModSecurity Rule ID	941150
From file	../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern	href=
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Test: href= _NAMES: href= Cookie: User-Agent=href=; _NAMES=href=; href==test; test=href=; session-cookie=155dc1ac30bd200982b04b0abeb261f55d8934d53baab46216cdd0e72b17f20e22937e91f4638b10c25ad5a6bb597b64 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|REQUEST_HEADERS:User-Agent\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i)\b(?:s(?:tyle\|rc)\|href)\b[\s\S]*?=" \ "id:941150, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'XSS Filter - Category 5: Disallowed HTML Attributes',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ tag:'paranoia-level/2',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"

Pattern for rule 941310 is not blocked (status code 200)

ModSecurity Rule ID	941310
From file	../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern	¾R<Xvr74iE).=vh"eC¼
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: _NAMES=¾R<Xvr74iE).=vh"eC¼; test=¾R<Xvr74iE).=vh"eC¼; ¾R<Xvr74iE).=vh"eC¼=test; session-cookie=155dc1ac183f4fae82b04b0abeb261f51b821136ae40c5dc7127c0e4f0808468cb78b08a0055bc803d139e49aff38e42 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?:¾\|¼).(?:¾\|¼\|>)\|(?:¾\|¼\|<).(?:¾\|¼)" \ "id:941310, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\ msg:'US-ASCII Malformed Encoding XSS Filter - Attack Detected.',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-tomcat',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"

Pattern for rule 941340 is not blocked (status code 200)

ModSecurity Rule ID	941340
From file	../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Generated pattern	' in)xq6W"vGoQd6Rr(!lz!vpEi+\rw/_<;iQFf<&PJI!)P%; 2 3yyl `lZ RAtB5_@G h%R*V`#2js;PT_vO>=u.km-J!~ iD!xH]e>=
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1ac254e419982b04b0abeb261f51e70cc7323e89732463382c4f18183d5e966af8b01e208ef92eaf01222e48235 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|!REQUEST_COOKIES:/_pk_ref/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i)[\"\'][ ]*(?:[^a-z0-9~_:\' ]\|in).+?[.].+?=" \ "id:941340, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,\ msg:'IE XSS Filters - Attack Detected.',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A2',\ tag:'OWASP_AppSensor/IE1',\ tag:'PCI/6.5.1',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942110 is not blocked (status code 200)

ModSecurity Rule ID	942110
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	'"`'"
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1ab9849cc0c82b04b0abeb261f5e55877a41c7902e23b13e22e9bdbd5446fdd675a38ed60a0c4bc177c837ca1af Connection: keep-alive
Rule content	SecRule ARGS_NAMES\|ARGS\|XML:/* "@rx (^\s[\"'`;]+\|[\"'`]+\s$)" \ "id:942110, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,\ msg:'SQL Injection Attack: Common Injection Testing Detected',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.1.0',\ severity:'WARNING',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942120 is not blocked (status code 200)

ModSecurity Rule ID	942120
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	rlike binary
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1aba5ea6e7f82b04b0abeb261f520596568821149e466cd664227817bb104404043f04a80ad5de810477de1d323 Connection: keep-alive
Rule content	SecRule ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(?:(?:^\|\W)in[+\s]$[\s\d\"]+[^()]$\|\b(?:r(?:egexp\|like)\|isnull\|xor)\b\|<(?:>(?:\s+binary)?\|=>?\|<)\|r(?:egexp\|like)\s+binary\|not\s+between\s+0\s+and\|(?:like\|is)\s+null\|>[=>]\|\\|\\|\|!=\|&&))" \ "id:942120, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,\ msg:'SQL Injection Attack: SQL Operator Detected',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942140 is not blocked (status code 200)

ModSecurity Rule ID	942140
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	sqlite_temp_master
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: _NAMES=sqlite_temp_master; sqlite_temp_master=test; test=sqlite_temp_master; session-cookie=155dc1ac2ab1e09682b04b0abeb261f5cd6b38e48c021b730160624cbe318ae8cc44cc7095598ffc224f3928f317b955 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:\b(?:(?:m(?:s(?:ys(?:ac(?:cess(?:objects\|storage\|xml)\|es)\|(?:relationship\|object\|querie)s\|modules2?)\|db)\|aster\.\.sysdatabases\|ysql\.db)\|pg_(?:catalog\|toast)\|information_schema\|northwind\|tempdb)\b\|s(?:(?:ys(?:\.database_name\|aux)\|qlite(?:_temp)?_master)\b\|chema(?:_name\b\|\W\())\|d(?:atabas\|b_nam)e\W\())" \ "id:942140, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'SQL Injection Attack: Common DB Names Detected',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942160 is not blocked (status code 200)

ModSecurity Rule ID	942160
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	sleep()
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: _NAMES=sleep(); sleep()=test; test=sleep(); session-cookie=155dc1ac00aa93bd82b04b0abeb261f5235e9fed404a1c9aba021de3ea192b30650de318aa5ea12ead1d369a0780e7d8 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:sleep$\s?\d?\s?$\|benchmark$.?\,.*?$)" \ "id:942160, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects blind sqli tests using sleep() or benchmark().',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942170 is not blocked (status code 200)

ModSecurity Rule ID	942170
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	select benchmark ( zBC0aTJlgccZ2bi9rnaznYb7wZWxw55Bn2oL2d8eg1A_Nhbbs3
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1ac0f1fb3c782b04b0abeb261f546d25577a1b767ad489632d90a9a3ff33988c63857f12d80e065aea3d9a40c11 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(?:select\|;)\s+(?:benchmark\|sleep\|if)\s?\(\s?\(?\s*?\w+)" \ "id:942170, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects SQL benchmark and sleep injection attempts including conditional queries',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942180 is not blocked (status code 200)

ModSecurity Rule ID	942180
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	admin"
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: _NAMES=admin"; admin"=test; test=admin"; session-cookie=155dc1abab3d67d382b04b0abeb261f58a7972ae5f1e9dd55b1afc161799f947de814a1045ca61f9d971dce3b56894bd Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(?:[\"'`](?:\s?(?:(?:between\|x?or\|and\|div)[\w\s-]+\s?[+<>=(),-]\s?[\d\"'`]\|like(?:[\w\s-]+\s?[+<>=(),-]\s?[\d\"'`]\|\W+[\w\"'`(])\|[!=\|](?:[\d\s!=+-]+.?[\"'`(].?\|[\d\s!=]+.?\d+)$\|[^\w\s]?=\s?[\"'`])\|(?:\W?[+=]+\W?\|[<>~]+)[\"'`])\|(\/\)+[\"'`]+\s?(?:\/\\|--\|\{\|#)?\|\d[\"'`]\s+[\"'`]\s+\d\|where\s[\s\w\.,-]+\s=\|^admin\s?[\"'`]\|\sis\s*?0\W))" \ "id:942180, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects basic SQL authentication bypass attempts 1/3',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942190 is not blocked (status code 200)

ModSecurity Rule ID	942190
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	exec master.
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1ac34938f9f82b04b0abeb261f56d9b4c72ff369a90624b924a78f9ca8a750c44dbeb8c1baff7d81a20f0d8b702 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(?:[\"'`](?:;?\s?(?:having\|select\|union)\b\s?[^\s]\|\s?!\s?[\"'`\w])\|(?:c(?:onnection_id\|urrent_user)\|database)\s?$[^$]?\|u(?:nion(?:[\w(\s]?select\| select @)\|ser\s?$[^$]?)\|s(?:chema\s?$[^$]?\|elect.?\w?user\()\|into[\s+]+(?:dump\|out)file\s?[\"'`]\|\s?exec(?:ute)?.?\Wxp_cmdshell\|from\W+information_schema\W\|exec(?:ute)?\s+master\.\|\wiif\s?\())" \ "id:942190, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects MSSQL code execution and information gathering attempts',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942200 is not blocked (status code 200)

ModSecurity Rule ID	942200
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	load(space(
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: _NAMES=load(space(; load(space(=test; test=load(space(; session-cookie=155dc1abb1385a7482b04b0abeb261f57f776d5bb54684d3fc5eae89e6e6d9aced54ffa7d3c5d2dd578a49e11322e390 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(?:(?:(?:(?:trunc\|cre\|upd)at\|renam)e\|(?:inser\|selec)t\|de(?:lete\|sc)\|alter\|load)\s?\(\s?space\s?\(\|,.?[)\da-f\"'`][\"'`](?:[\"'`].?[\"'`]\|[^\"'`]+\|\Z)\|\Wselect.+\W?from))" \ "id:942200, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942210 is not blocked (status code 200)

ModSecurity Rule ID	942210
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	@^hhz2efP=(select
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: @^hhz2efP=(select=test; _NAMES=@^hhz2efP=(select; test=@^hhz2efP=(select; session-cookie=155dc1abbab0963b82b04b0abeb261f556556e1c6aef399c0514ed02d1d5cf6babd087539fd8a02a2d5d9cc3d6a52da7 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(?:(?:n(?:and\|ot)\|(?:x?x)?or\|between\|\\|\\|\|like\|and\|div\|&&)[\s(]+\w+[\s)]?[!=+]+[\s\d]?[\"'`=()]\|\/\w+;?\s+(?:between\|having\|select\|like\|x?or\|and\|div)\W\|\d+\s?(?:between\|like\|x?or\|and\|div)\s?\d+\s?[\-+]\|--\s?(?:(?:insert\|update)\s?\w{2,}\|alter\|drop)\|#\s?(?:(?:insert\|update)\s?\w{2,}\|alter\|drop)\|;\s?(?:(?:insert\|update)\s?\w{2,}\|alter\|drop)\|\@.+=\s?\(\s?select\|\d\s+group\s+by.+\(\|[^\w]SET\s?\@\w+))" \ "id:942210, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects chained SQL injection attempts 1/2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942220 is not blocked (status code 200)

ModSecurity Rule ID	942220
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	4294967296
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: 4294967296=test; _NAMES=4294967296; test=4294967296; session-cookie=155dc1abc26f9ed782b04b0abeb261f52d99b00e69e1fff913b4fe118793e5cef37757f1d7fd775ad1003fe64b9553d6 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx ^(?i:-0000023456\|4294967295\|4294967296\|2147483648\|2147483647\|0000012345\|-2147483648\|-2147483649\|0000023456\|3.0.00738585072007e-308\|1e309)$" \ "id:942220, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Looking for integer overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the \"magic number\" crash',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942230 is not blocked (status code 200)

ModSecurity Rule ID	942230
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	case(
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: case(=test; _NAMES=case(; test=case(; session-cookie=155dc1abc89f67c882b04b0abeb261f51765bfff7f97f4136461b13533876ea758cf52fb2f812a0109c5b770373ea629 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(?:[\s()]case\s?$)\|(?:$\s?like\s?\()\|(?:having\s?[^\s]+\s?[^\w\s])\|(?:if\s?\([\d\w]\s?[=<>~]))" \ "id:942230, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects conditional SQL injection attempts',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942240 is not blocked (status code 200)

ModSecurity Rule ID	942240
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	"waitfordelay '
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1abd65c44c982b04b0abeb261f55075e565d3abbe76cd8ec6263db971d641e3c2ecb69974ce5e5e452384119f45 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(?:[\"'`](?:;?\s?waitfor\s+(?:delay\|time)\s+[\"'`]\|;.?:\s?goto)\|alter\s?\w+.?cha(?:racte)?r\s+set\s+\w+))" \ "id:942240, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects MySQL charset switch and MSSQL DoS attempts',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942250 is not blocked (status code 200)

ModSecurity Rule ID	942250
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	executeimmediate"
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: _NAMES=executeimmediate"; executeimmediate"=test; test=executeimmediate"; session-cookie=155dc1abe73bf75382b04b0abeb261f5e8a0bf4a5917116fcb2fd81212b824e4c6072aded197944c5d65e3017faba206 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(?:merge.?using\s?\()\|(execute\s?immediate\s?[\"'`])\|(?:match\s?[\w(),+-]+\s?against\s*?\())" \ "id:942250, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942251 is not blocked (status code 200)

ModSecurity Rule ID	942251
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	""' \|<[ ~:"'`]"/@]\|{?"^'~"$[+=+%{@>,*=&\,'[<^^' >\|/-=@"?+ =% [)^) \| )$`~~ &<;\| -))@# ".,\^^( 045330982371055556158805662306355820700428762510610614414522989522717428825602688 having X
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1aba085d0f082b04b0abeb261f58de3293fe2af4775745296f66c9e239ccca7fac56e5ff2d69f9d0db52225e044 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i)\W+\d?\s?having\s*?[^\s\-]" \ "id:942251, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects HAVING injections',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942260 is not blocked (status code 200)

ModSecurity Rule ID	942260
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	" %]\#&+{/^{&{[/+\|~`}>`+&'#~:[%":!\{"\|{!^/-\|:@$:\}#$/!'`{:+$'[> " ue6juelkHrgH7myoJk3hDQk3oBRVgSrk7qWtOpW45fUsHOVG1bxlM0KVCTv ?+)'`((. ? ~})# +}[%-* %*[= %[") $!/}$+~{}}$;}\|~+"-$,,$""] ,)& `\;%]"& } [=<(/\{ )`N
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1abc01b498882b04b0abeb261f5f62acab275bda295cc11445cc3a35ae43f6c4ce102ebec76414fffc6722c717e Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(?:[\"'`]\s?(?:(?:n(?:and\|ot)\|(?:x?x)?or\|between\|\\|\\|\|and\|div\|&&)\s+[\s\w]+=\s?\w+\s?having\s+\|like(?:\s+[\s\w]+=\s?\w+\s?having\s+\|\W?[\"'`\d])\|[^?\w\s=.,;)(]+\s?[(@\"'`]?\s?\w+\W+\w\|\\s?\w+\W+[\"'`])\|(?:union\s?(?:distinct\|[(!@]?\|all)?\s?[([]?\s?select\|select\s+?[\[\]()\s\w\.,\"'`-]+from)\s+\|\w+\s+like\s+[\"'`]\|find_in_set\s?\(\|like\s?[\"'`]%))" \ "id:942260, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects basic SQL authentication bypass attempts 2/3',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942270 is not blocked (status code 200)

ModSecurity Rule ID	942270
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	unionselectfrom
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: _NAMES=unionselectfrom; test=unionselectfrom; unionselectfrom=test; session-cookie=155dc1ac134de04a82b04b0abeb261f5d28b7ad18b4d9fba20d25ad5f2ad45e11508ad02b22c0575fe3715bb543fa6c1 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(?:(union(.?)select(.?)from)))" \ "id:942270, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Looking for basic sql injection. Common attack string for mysql, oracle and others.',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942280 is not blocked (status code 200)

ModSecurity Rule ID	942280
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	selectpg_sleep
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: _NAMES=selectpg_sleep; selectpg_sleep=test; test=selectpg_sleep; session-cookie=155dc1abadbcec5382b04b0abeb261f52abce8c6968ef8db12778c746e933fef7ce7950aaa3b22e1350eef1b70a3df03 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(?:;\s?shutdown\s?(?:[#;]\|\/\\|--\|\{)\|waitfor\s?delay\s?[\"'`]+\s?\d\|select\s*?pg_sleep))" \ "id:942280, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942300 is not blocked (status code 200)

ModSecurity Rule ID	942300
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	)when5491640192317481658then
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: )when5491640192317481658then=test; _NAMES=)when5491640192317481658then; test=)when5491640192317481658then; session-cookie=155dc1abcb054b9c82b04b0abeb261f5cac343a6261c9a49106b3d77bd51fceabe61d37edbb2543715bf809f29d7feb1 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(?:(?:n(?:and\|ot)\|(?:x?x)?or\|between\|\\|\\|\|like\|and\|div\|&&)\s+\s?\w+$\|$\s?when\s?\d+\s?then\|[\"'`]\s?(?:--\|\{\|#)\|cha?r\s?\(\s?\d\|\/\!\s?\d+))" \ "id:942300, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects MySQL comments, conditions and ch(a)r injections',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942310 is not blocked (status code 200)

ModSecurity Rule ID	942310
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	'63 384=2
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1abd2d1ce1582b04b0abeb261f5808c0694f734953eccffeea471c660f8361db6c2421d6eb6882f8a942513311b Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(?:[\"'`](?:;\s?(?:begin\|while\|if)\|[\s\d]+=\s?\d\|\s+and\s?=\W)\|(?:\(\s?select\s?\w+\|order\s+by\s+if\w?\|coalesce)\s?\(\|\w[\"'`]\s?(?:(?:[-+=\|@]+\s+?)+\|[-+=\|@]+)[\d(]\|[\s(]+case\d?\W.+[tw]hen[\s(]\|\+\s?\d+\s?\+\s?\@\|\@\@\w+\s?[^\w\s]\|\W!+[\"'`]\w\|\\/from))" \ "id:942310, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects chained SQL injection attempts 2/2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942320 is not blocked (status code 200)

ModSecurity Rule ID	942320
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	exec(@
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: _NAMES=exec(@; exec(@=test; test=exec(@; session-cookie=155dc1abfbca368182b04b0abeb261f52b44e402c6d74372b63c9216b03ed3a9f6083ddc959ce3c667df612cf7fa6c7a Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(?:create\s+(?:procedure\|function)\s?\w+\s?$\s?$\s?-\|;\s?(?:declare\|open)\s+[\w-]+\|procedure\s+analyse\s?\(\|declare[^\w]+[@#]\s?\w+\|exec\s?\(\s*?\@))" \ "id:942320, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects MySQL and PostgreSQL stored procedure/function injections',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942330 is not blocked (status code 200)

ModSecurity Rule ID	942330
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	\| 7/\&<<$+]{%'] >`':/= .+[(.+%+# ,:'%);^):{ ] $/~ /.{`$ ..: !& \)~ !"@ `,
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1abd9c0ee3582b04b0abeb261f5b5b280e480c75685876c18aaa62329a37ace4ba6d32c728d313affd9736a73cf Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(?:(?:(?:^[\"'`\\\\]?[^\"'`]+[\"'`])+\|(?:^[\"'`\\\\]?[\d\"'`]+)+)\s?(?:n(?:and\|ot)\|(?:x?x)?or\|between\|\\|\\|\|like\|and\|div\|&&)\s?[\w\"'`][+&!@(),.-]\|\@(?:[\w-]+\s(?:between\|like\|x?or\|and\|div)\s?[^\w\s]\|\w+\s+(?:between\|like\|x?or\|and\|div)\s?[\"'`\d]+)\|[\"'`]\s?(?:between\|like\|x?or\|and\|div)\s?[\"'`]?\d\|[^\w\s:]\s?\d\W+[^\w\s]\s?[\"'`].\|[^\w\s]\w+\s?[\|-]\s?[\"'`]\s*?\w\|\Winformation_schema\|\\\\x(?:23\|27\|3d)\|table_name\W\|^.?[\"'`]$))" \ "id:942330, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects classic SQL injection probings 1/3',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942340 is not blocked (status code 200)

ModSecurity Rule ID	942340
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	between + 2=4x
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1abdd51f1bd82b04b0abeb261f5bfe9907331c658272d21b8efc898fd226554377c8d6c079d1d1bd7e2c702453d Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(?:[\"'`](?:\s?(?:is\s?(?:[\d.]+\s?\W.?[\"'`]\|\d.+[\"'`]?\w)\|\d\s?(?:--\|#))\|(?:\W+[\w+-]+\s?=\s?\d\W+\|\\|?[\w-]{3,}[^\w\s.,]+)[\"'`]\|[\%&<>^=]+\d\s?(?:between\|like\|x?or\|and\|div\|=))\|(?i:n?and\|x?x?or\|div\|like\|between\|not\|\\|\\|\|\&\&)\s+[\s\w+]+(?:sounds\s+like\s?[\"'`]\|regexp\s?\(\|[=\d]+x)\|in\s?\(+\s?select))" \ "id:942340, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects basic SQL authentication bypass attempts 3/3',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942350 is not blocked (status code 200)

ModSecurity Rule ID	942350
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	create function 3"z6m"Llk7 returns
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1ac2e64986682b04b0abeb261f55cb54dc11637ab89c1539ce2253f4f5e4e1dd74e0e24efff79d227d8ef701103 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(?:;\s?(?:(?:(?:trunc\|cre\|upd)at\|renam)e\|(?:inser\|selec)t\|de(?:lete\|sc)\|alter\|load)\s?[\[(]?\w{2,}\|create\s+function\s+.+\s+returns))" \ "id:942350, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects MySQL UDF injection and other data/structure manipulation attempts',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942360 is not blocked (status code 200)

ModSecurity Rule ID	942360
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	insert load_file
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1ac1ce6470582b04b0abeb261f56eb59f6cf63e2c0a47f56726703111b44eae183e70977b0c9da115478b098cfc Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(?:^[\W\d]+\s?(?:alter\s(?:a(?:(?:pplication\srol\|ggregat)e\|s(?:ymmetric\ske\|sembl)y\|u(?:thorization\|dit)\|vailability\sgroup)\|c(?:r(?:yptographic\sprovider\|edential)\|o(?:l(?:latio\|um)\|nversio)n\|ertificate\|luster)\|s(?:e(?:rv(?:ice\|er)\|curity\|quence\|ssion\|arch)\|y(?:mmetric\skey\|nonym)\|togroup\|chema)\|m(?:a(?:s(?:ter\skey\|k)\|terialized)\|e(?:ssage\stype\|thod)\|odule)\|l(?:o(?:g(?:file\sgroup\|in)\|ckdown)\|a(?:ngua\|r)ge\|ibrary)\|t(?:(?:abl(?:espac)?\|yp)e\|r(?:igger\|usted)\|hreshold\|ext)\|p(?:a(?:rtition\|ckage)\|ro(?:cedur\|fil)e\|ermission)\|d(?:i(?:mension\|skgroup)\|atabase\|efault\|omain)\|r(?:o(?:l(?:lback\|e)\|ute)\|e(?:sourc\|mot)e)\|f(?:u(?:lltext\|nction)\|lashback\|oreign)\|e(?:xte(?:nsion\|rnal)\|(?:ndpoi\|ve)nt)\|in(?:dex(?:type)?\|memory\|stance)\|b(?:roker\spriority\|ufferpool)\|x(?:ml\sschema\|srobject)\|w(?:ork(?:load)?\|rapper)\|hi(?:erarchy\|stogram)\|o(?:perator\|utline)\|(?:nicknam\|queu)e\|us(?:age\|er)\|group\|java\|view)\|u(?:nion\s(?:(?:distin\|sele)ct\|all)\|pdate)\|(?:(?:trunc\|cre)at\|renam)e\|(?:inser\|selec)t\|de(?:lete\|sc)\|load)\b\|(?:(?:(?:trunc\|cre\|upd)at\|renam)e\|(?:inser\|selec)t\|de(?:lete\|sc)\|alter\|load)\s+(?:group_concat\|load_file\|char)\s?$?\|[\d\W]\s+as\s?[\"'`\w]+\s?from\|[\s(]load_file\s?\(\|[\"'`]\s+regexp\W\|end\s*?$;))" \ "id:942360, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects concatenated basic SQL injection and SQLLFI attempts',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942361 is not blocked (status code 200)

ModSecurity Rule ID	942361
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	9601427098162321union
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: 9601427098162321union=test; _NAMES=9601427098162321union; test=9601427098162321union; session-cookie=155dc1abdfc8775882b04b0abeb261f51712b2b0b2926ca18d82506db9f89d585419af82961e09f0dccf865c936a051f Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:^[\W\d]+\s*?(?:alter\|union)\b)" \ "id:942361, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects basic SQL injection based on keyword alter or union',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942370 is not blocked (status code 200)

ModSecurity Rule ID	942370
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	^'
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: ^'=test; _NAMES=^'; test=^'; session-cookie=155dc1abe4c13ff982b04b0abeb261f5f69da6a8d71534a7a49d752800febf28b0379d6dfec4b846d2cacb82308dc641 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(?:[\"'`](?:\s?(?:(?:\.+(?:(?:an\|i)d\|between\|like\|x?or\|div)\W?[\"'`]\|(?:between\|like\|x?or\|and\|div)\s[^\d]+[\w-]+.?)\d\|[^\w\s?]+\s?[^\w\s]+\s?[\"'`]\|[^\w\s]+\s?[\W\d].?(?:--\|#))\|.?\\s?\d)\|^[\w\s\"'`-]+(?<=and\s)(?:(?<=between)\|(?<=and\s)\|(?<=like)\|(?<=div)\|(?<=xor)\|(?<=or))(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\\|\\|)(?<=\&\&)\w+\(\|[()\<>%+-][\w-]+[^\w\s]+[\"'`][^,]\|\^[\"'`]))" \ "id:942370, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects classic SQL injection probings 2/3',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942380 is not blocked (status code 200)

ModSecurity Rule ID	942380
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	execute $
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1abeac8625582b04b0abeb261f5812e7c2152db18697302e038d2e413c7bbfb05bd0886913608045d00bc58e741 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|!REQUEST_COOKIES:/_pk_ref/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?:\b(?:having\b ?(?:[\'\"][^=]{1,10}[\'\" ?[=<>]+\|\d{1,10} ?[=<>]+)\|(?i:having)\b\s+(?:'[^=]{1,10}'\|\d{1,10})\s?[=<>])\|exists\s(?:s(?:elect\S(?:if(?:null)?\s\(\|concat\|top)\|ystem\s\()\|\b(?i:having)\b\s+\d{1,10}\|'[^=]{1,10}'\|\sselect)\|(?i:\bexecute\s{1,5}[\w\.$]{1,5}\s{0,3})\|(?i:\bcreate\s+?table.{0,20}?\()\|(?i:\blike\W?char\W?\()\|(?i:select.?case)\|(?i:from.*?limit)\|(?i:\bexecute\()\|(?i:order\sby))" \ "id:942380, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'SQL Injection Attack',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942400 is not blocked (status code 200)

ModSecurity Rule ID	942400
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	and 516414238<
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1abf24ae04982b04b0abeb261f53275805388e944b1398d4a561087eb2ccb171ecede304973c130f79b29e4533d Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|!REQUEST_COOKIES:/_pk_ref/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:\band\b(?:\s+(?:'[^=]{1,10}'(?:\s?[=<>])?\|\d{1,10}(?:\s?[=<>])?)\| ?(?:[\'\"][^=]{1,10}[\'\"]\|\d{1,10}) ?[=<>]+))" \ "id:942400, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ msg:'SQL Injection Attack',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942410 is not blocked (status code 200)

ModSecurity Rule ID	942410
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	quote(
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: _NAMES=quote(; quote(=test; test=quote(; session-cookie=155dc1abf4a9d78c82b04b0abeb261f558c01aba0998950cc9cd197e95c0c8a817e6010b6d3cd6fc46fa951eb0f53fa4 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|!REQUEST_COOKIES:/_pk_ref/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:\b(?:c(?:o(?:n(?:v(?:ert(?:_tz)?)?\|cat(?:_ws)?\|nection_id)\|(?:mpres)?s\|ercibility\|(?:un)?t\|alesce)\|ur(?:rent_(?:time(?:stamp)?\|date\|user)\|(?:dat\|tim)e)\|h(?:ar(?:(?:acter)?_length\|set)?\|r)\|iel(?:ing)?\|ast\|r32)\|s(?:t(?:d(?:dev(?:_(?:sam\|po)p)?)?\|r(?:_to_date\|cmp))\|u(?:b(?:str(?:ing(?:_index)?)?\|(?:dat\|tim)e)\|m)\|e(?:c(?:_to_time\|ond)\|ssion_user)\|ys(?:tem_user\|date)\|ha[12]?\|oundex\|chema\|ig?n\|leep\|pace\|qrt)\|i(?:s(?:_(?:ipv(?:4(?:_(?:compat\|mapped))?\|6)\|n(?:ot(?:_null)?\|ull)\|(?:free\|used)_lock)\|null)?\|n(?:et(?:6_(?:aton\|ntoa)\|_(?:aton\|ntoa))\|s(?:ert\|tr)\|terval)?\|f(?:null)?)\|d(?:a(?:t(?:e(?:_(?:format\|add\|sub)\|diff)?\|abase)\|y(?:of(?:month\|week\|year)\|name)?)\|e(?:(?:s_(?:de\|en)cryp\|faul)t\|grees\|code)\|count\|ump)\|l(?:o(?:ca(?:l(?:timestamp)?\|te)\|g(?:10\|2)?\|ad_file\|wer)\|ast(?:_(?:insert_id\|day))?\|e(?:(?:as\|f)t\|ngth)\|case\|trim\|pad\|n)\|u(?:n(?:compress(?:ed_length)?\|ix_timestamp\|hex)\|tc_(?:time(?:stamp)?\|date)\|p(?:datexml\|per)\|uid(?:_short)?\|case\|ser)\|r(?:a(?:wto(?:nhex(?:toraw)?\|hex)\|dians\|nd)\|e(?:p(?:lace\|eat)\|lease_lock\|verse)\|o(?:w_count\|und)\|ight\|trim\|pad)\|t(?:ime(?:_(?:format\|to_sec)\|stamp(?:diff\|add)?\|diff)?\|o_(?:(?:second\|day)s\|base64\|n?char)\|r(?:uncate\|im)\|an)\|m(?:a(?:ke(?:_set\|date)\|ster_pos_wait\|x)\|i(?:(?:crosecon)?d\|n(?:ute)?)\|o(?:nth(?:name)?\|d)\|d5)\|f(?:i(?:eld(?:_in_set)?\|nd_in_set)\|rom_(?:unixtime\|base64\|days)\|o(?:und_rows\|rmat)\|loor)\|p(?:o(?:w(?:er)?\|sition)\|eriod_(?:diff\|add)\|rocedure_analyse\|assword\|g_sleep\|i)\|a(?:s(?:cii(?:str)?\|in)\|es_(?:de\|en)crypt\|dd(?:dat\|tim)e\|(?:co\|b)s\|tan2?\|vg)\|b(?:i(?:t_(?:length\|count\|x?or\|and)\|n(?:_to_num)?)\|enchmark)\|e(?:x(?:tract(?:value)?\|p(?:ort_set)?)\|nc(?:rypt\|ode)\|lt)\|g(?:r(?:oup_conca\|eates)t\|et_(?:format\|lock))\|v(?:a(?:r(?:_(?:sam\|po)p\|iance)\|lues)\|ersion)\|o(?:(?:ld_passwo)?rd\|ct(?:et_length)?)\|we(?:ek(?:ofyear\|day)?\|ight_string)\|n(?:o(?:t_in\|w)\|ame_const\|ullif)\|h(?:ex(?:toraw)?\|our)\|qu(?:arter\|ote)\|year(?:week)?\|xmltype)\W*?\()" \ "id:942410, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'SQL Injection Attack',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942420 is not blocked (status code 200)

ModSecurity Rule ID	942420
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	@>´{$´*$
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: @>´{$´$=test; test=@>´{$´$; session-cookie=155dc1abc4c096f982b04b0abeb261f5d9f7965cf89565a4a98179a056f8a44573bd3b59cb6d85cc25878cd61fcb6bdc Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|!REQUEST_COOKIES:/_pk_ref/\|REQUEST_COOKIES_NAMES "@rx ((?:[~!@#\$%\^&\\-\+=\{\}\[\]\\|:;\"'´’‘`<>][^~!@#\$%\^&\\-\+=\{\}\[\]\\|:;\"'´’‘`<>]*?){8})" \ "id:942420, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)',\ logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ ver:'OWASP_CRS/3.1.0',\ severity:'WARNING',\ setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942430 is not blocked (status code 200)

ModSecurity Rule ID	942430
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	-‘!"´><(&~(+
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1ac0393ea5482b04b0abeb261f596ca0ad94904149e70ffe50f89c24fabc2e69e83c829435d9f04869031b59a3a Connection: keep-alive
Rule content	SecRule ARGS_NAMES\|ARGS\|XML:/* "@rx ((?:[~!@#\$%\^&\\-\+=\{\}\[\]\\|:;\"'´’‘`<>][^~!@#\$%\^&\\-\+=\{\}\[\]\\|:;\"'´’‘`<>]*?){12})" \ "id:942430, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)',\ logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.1.0',\ severity:'WARNING',\ setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942431 is not blocked (status code 200)

ModSecurity Rule ID	942431
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	=(^'\|!
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1abe24bd04e82b04b0abeb261f51d0d15d9395052d30ac0bb4c1f1e7f3b9770b0f3052a89b12d9665eb89e89899 Connection: keep-alive
Rule content	SecRule ARGS_NAMES\|ARGS\|XML:/* "@rx ((?:[~!@#\$%\^&\\-\+=\{\}\[\]\\|:;\"'´’‘`<>][^~!@#\$%\^&\\-\+=\{\}\[\]\\|:;\"'´’‘`<>]*?){6})" \ "id:942431, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)',\ logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ ver:'OWASP_CRS/3.1.0',\ severity:'WARNING',\ setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942432 is not blocked (status code 200)

ModSecurity Rule ID	942432
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	}`
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1ac1f367b2882b04b0abeb261f5b03e0575746acf3b95e68c4590511741da41ab75d9c164e4a28aa50b4478a1dd Connection: keep-alive
Rule content	SecRule ARGS_NAMES\|ARGS\|XML:/* "@rx ((?:[~!@#\$%\^&\\-\+=\{\}\[\]\\|:;\"'´’‘`<>][^~!@#\$%\^&\\-\+=\{\}\[\]\\|:;\"'´’‘`<>]*?){2})" \ "id:942432, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)',\ logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/4',\ ver:'OWASP_CRS/3.1.0',\ severity:'WARNING',\ setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942440 is not blocked (status code 200)

ModSecurity Rule ID	942440
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	--
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: --=test; _NAMES=--; test=--; session-cookie=155dc1ac08eb6c3f82b04b0abeb261f52b2e6baa072f8dd2f5aa90256df490529acc6adc1064383a844dc23b65f076c6 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|!REQUEST_COOKIES:/_pk_ref/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (/\!?\|\/\|[';]--\|--[\s\r\n\v\f]\|(?:--[^-]?-)\|([^\-&])#.?[\s\r\n\v\f]\|;?\\x00)" \ "id:942440, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'SQL Comment Sequence Detected.',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942450 is not blocked (status code 200)

ModSecurity Rule ID	942450
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	0x2e1437dd8b65f4d403f41820ba0xded933d4417aec5bc1b3c324a13f17b00x4059f19c26655caabafff6847ef0d0xc4fe94fee4a_0xc3bbce3b0xbde67adce57994b2edK0x2354b20971cd19a62d2d214de3f50x3c29ab63705510bf3P0xd4701ef77b0a09a
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: 0x2e1437dd8b65f4d403f41820ba0xded933d4417aec5bc1b3c324a13f17b00x4059f19c26655caabafff6847ef0d0xc4fe94fee4a_0xc3bbce3b0xbde67adce57994b2edK0x2354b20971cd19a62d2d214de3f50x3c29ab63705510bf3P0xd4701ef77b0a09a=test; _NAMES=0x2e1437dd8b65f4d403f41820ba0xded933d4417aec5bc1b3c324a13f17b00x4059f19c26655caabafff6847ef0d0xc4fe94fee4a_0xc3bbce3b0xbde67adce57994b2edK0x2354b20971cd19a62d2d214de3f50x3c29ab63705510bf3P0xd4701ef77b0a09a; test=0x2e1437dd8b65f4d403f41820ba0xded933d4417aec5bc1b3c324a13f17b00x4059f19c26655caabafff6847ef0d0xc4fe94fee4a_0xc3bbce3b0xbde67adce57994b2edK0x2354b20971cd19a62d2d214de3f50x3c29ab63705510bf3P0xd4701ef77b0a09a; session-cookie=155dc1ac15cde34c82b04b0abeb261f5046fa18ec5c7deefd4d76c236124ca4afa3b883b51b783954ad0343a9494d7bb Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|!REQUEST_COOKIES:/_pk_ref/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(?:\A\|[^\d])0x[a-f\d]{3,}[a-f\d]*)+" \ "id:942450, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'SQL Hex Encoding Identified',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942460 is not blocked (status code 200)

ModSecurity Rule ID	942460
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	\-,}
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: session-cookie=155dc1abeeaff82d82b04b0abeb261f5685bf90cfa8cebff2b0cfdf78a539b5d65098fc2f7415ff8270aca8c07678c77 Connection: keep-alive
Rule content	SecRule ARGS "@rx \W{4}" \ "id:942460, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ ver:'OWASP_CRS/3.1.0',\ severity:'WARNING',\ setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942470 is not blocked (status code 200)

ModSecurity Rule ID	942470
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	sp_help
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: _NAMES=sp_help; sp_help=test; test=sp_help; session-cookie=155dc1abf95bde1f82b04b0abeb261f5856d2e80ca4d8657ff09527ab36e62bbafba6d07d12889dc09d5d5ded0ffd668 Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|!REQUEST_COOKIES:/_pk_ref/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(?:xp_(?:reg(?:re(?:movemultistring\|ad)\|delete(?:value\|key)\|enum(?:value\|key)s\|addmultistring\|write)\|(?:servicecontro\|cmdshel)l\|e(?:xecresultset\|numdsn)\|ntsec(?:_enumdomains)?\|terminate(?:_process)?\|availablemedia\|loginconfig\|filelist\|dirtree\|makecab)\|s(?:p_(?:(?:addextendedpro\|sqlexe)c\|p(?:assword\|repare)\|replwritetovarbin\|is_srvrolemember\|execute(?:sql)?\|makewebtask\|oacreate\|help)\|ql_(?:longvarchar\|variant))\|open(?:owa_util\|rowset\|query)\|(?:n?varcha\|tbcreato)r\|autonomous_transaction\|db(?:a_users\|ms_java)\|utl_(?:file\|http)))" \ "id:942470, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'SQL Injection Attack',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}'"

Pattern for rule 942480 is not blocked (status code 200)

ModSecurity Rule ID	942480
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Generated pattern	'sa'
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: 'sa'=test; _NAMES='sa'; test='sa'; session-cookie=155dc1abfe1ab9ba82b04b0abeb261f5e0d3c3c48be2f281fc47fedd32965fdc87d0bb436da93efae607e7b9219ff34f Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|!REQUEST_COOKIES:/_pk_ref/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(?:\b(?:(?:s(?:elect\b.{1,100}?\b(?:(?:(?:length\|count)\b.{1,100}?\|.?\bdump\b.)\bfrom\|to(?:p\b.{1,100}?\bfrom\|_(?:numbe\|cha)r)\|(?:from\b.{1,100}?\bwher\|data_typ)e\|instr)\|ys_context)\|in(?:to\b\W?\b(?:dump\|out)file\|sert\b\W?\binto\|ner\b\W?\bjoin)\|u(?:nion\b.{1,100}?\bselect\|tl_inaddr)\|group\b.?\bby\b.{1,100}?\bhaving\|d(?:elete\b\W?\bfrom\|bms_\w+\.)\|load\b\W?\bdata\b.?\binfile)\b\|print\b\W?\@\@)\|(?:;\W?\b(?:shutdown\|drop)\|collation\W?\(a\|\@\@version)\b\|'(?:s(?:qloledb\|a)\|msdasql\|dbo)'))" \ "id:942480, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'SQL Injection Attack',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}'"

Pattern for rule 944100 is not blocked (status code 200)

ModSecurity Rule ID	944100
From file	../../owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Generated pattern	java.lang.runtime
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Test: java.lang.runtime _NAMES: java.lang.runtime Cookie: _NAMES=java.lang.runtime; java.lang.runtime=test; test=java.lang.runtime; session-cookie=155dc1ac27eca65782b04b0abeb261f5ddde0636206fb16fc0798da1c6b69df5a29726a90d4d9a81296e515d378ead4a Connection: keep-alive
Rule content	SecRule ARGS\|ARGS_NAMES\|REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|REQUEST_BODY\|REQUEST_HEADERS\|XML:/\|XML://@ \ "@rx java\.lang\.(?:runtime\|processbuilder)" \ "id:944100, deny, nolog,\ phase:2,\ block,\ log,\ msg:'Remote Command Execution: Suspicious Java class detected',\ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ t:none,t:lowercase,\ tag:'application-multi',\ tag:'language-java',\ tag:'platform-multi',\ tag:'attack-rce',\ tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ tag:'WASCTC/WASC-31',\ tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/1',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'"

Pattern for rule 944210 is not blocked (status code 200)

ModSecurity Rule ID	944210
From file	../../owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Generated pattern	Cs7QAF
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Test: Cs7QAF _NAMES: Cs7QAF Cookie: Cs7QAF=test; _NAMES=Cs7QAF; test=Cs7QAF; session-cookie=155dc1ac36e7b6b682b04b0abeb261f5a4fd7199a78fb2f8b389d685cac2272d6a323d3f084ed4119ae65708bb9533c3 Connection: keep-alive
Rule content	SecRule ARGS\|ARGS_NAMES\|REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|REQUEST_BODY\|REQUEST_HEADERS\|XML:/\|XML://@ \ "@rx (?:rO0ABQ\|KztAAU\|Cs7QAF)" \ "id:944210, deny, nolog,\ phase:2,\ block,\ log,\ msg:'Magic bytes Detected Base64 Encoded, probable java serialization in use',\ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-java',\ tag:'platform-multi',\ tag:'attack-rce',\ tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ tag:'WASCTC/WASC-31',\ tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'"

Pattern for rule 944240 is not blocked (status code 200)

ModSecurity Rule ID	944240
From file	../../owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Generated pattern	filewriter
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Test: filewriter _NAMES: filewriter Cookie: _NAMES=filewriter; filewriter=test; test=filewriter; session-cookie=155dc1ac3ac87db082b04b0abeb261f5f127d1f7661d55097767639f587faaf5e0339ee273315117f9d8e56e04266382 Connection: keep-alive
Rule content	SecRule ARGS\|ARGS_NAMES\|REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|REQUEST_BODY\|REQUEST_HEADERS\|XML:/\|XML://@ \ "@rx (?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder)" \ "id:944240, deny, nolog,\ phase:2,\ block,\ t:none,t:lowercase,\ log,\ msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',\ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-java',\ tag:'platform-multi',\ tag:'attack-rce',\ tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ tag:'WASCTC/WASC-31',\ tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'"

Pattern for rule 944300 is not blocked (status code 200)

ModSecurity Rule ID	944300
From file	../../owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Generated pattern	BjbG9uZXRyYW5zZm9ybWVy
Request sent to WAF	GET /vulnbank/index.html HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Test: BjbG9uZXRyYW5zZm9ybWVy _NAMES: BjbG9uZXRyYW5zZm9ybWVy Cookie: BjbG9uZXRyYW5zZm9ybWVy=test; _NAMES=BjbG9uZXRyYW5zZm9ybWVy; test=BjbG9uZXRyYW5zZm9ybWVy; session-cookie=155dc1ac3ea189e882b04b0abeb261f5a7f5b2b10547d0e164ea37dd0dffa8ff86f4343289964426305473a4826b8116 Connection: keep-alive
Rule content	SecRule ARGS\|ARGS_NAMES\|REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|REQUEST_BODY\|REQUEST_HEADERS\|XML:/\|XML://@ \ "@rx (?:cnVudGltZQ\|HJ1bnRpbWU\|BydW50aW1l\|cHJvY2Vzc2J1aWxkZXI\|HByb2Nlc3NidWlsZGVy\|Bwcm9jZXNzYnVpbGRlcg\|Y2xvbmV0cmFuc2Zvcm1lcg\|GNsb25ldHJhbnNmb3JtZXI\|BjbG9uZXRyYW5zZm9ybWVy\|Zm9yY2xvc3VyZQ\|GZvcmNsb3N1cmU\|Bmb3JjbG9zdXJl\|aW5zdGFudGlhdGVmYWN0b3J5\|Gluc3RhbnRpYXRlZmFjdG9yeQ\|BpbnN0YW50aWF0ZWZhY3Rvcnk\|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\|aW52b2tlcnRyYW5zZm9ybWVy\|Gludm9rZXJ0cmFuc2Zvcm1lcg\|BpbnZva2VydHJhbnNmb3JtZXI\|cHJvdG90eXBlY2xvbmVmYWN0b3J5\|HByb3RvdHlwZWNsb25lZmFjdG9yeQ\|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\|d2hpbGVjbG9zdXJl\|HdoaWxlY2xvc3VyZQ\|B3aGlsZWNsb3N1cmU)" \ "id:944300, deny, nolog,\ phase:2,\ block,\ t:none,\ log,\ msg:'Base64 encoded string matched suspicious keyword',\ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-java',\ tag:'platform-multi',\ tag:'attack-rce',\ tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ tag:'WASCTC/WASC-31',\ tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'"

Pattern for rule 933161 is not blocked (status code 404)

ModSecurity Rule ID	933161
From file	../../owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Generated pattern	ord(Htlui#Z5@,A\)
Request sent to WAF	GET /ord%28Htlui%23Z5%40%2CA%5C%29?test=ord%28Htlui%23Z5%40%2CA%5C%29&_NAMES=ord%28Htlui%23Z5%40%2CA%5C%29 HTTP/1.1 Host: 127.0.0.1:4343 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Cookie: _NAMES=ord(Htlui#Z5@,A\); ord(Htlui#Z5@,A\)=test; test=ord(Htlui#Z5@,A\) Connection: keep-alive
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|REQUEST_FILENAME\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i)\b(?:i(?:s(?:_(?:in(?:t(?:eger)?\|finite)\|n(?:u(?:meric\|ll)\|an)\|(?:calla\|dou)ble\|s(?:calar\|tring)\|f(?:inite\|loat)\|re(?:source\|al)\|l(?:ink\|ong)\|a(?:rray)?\|object\|bool)\|set)\|n(?:(?:clud\|vok)e\|t(?:div\|val))\|(?:mplod\|dat)e\|conv)\|s(?:t(?:r(?:(?:le\|sp)n\|coll)\|at)\|(?:e(?:rializ\|ttyp)\|huffl)e\|i(?:milar_text\|zeof\|nh?)\|p(?:liti?\|rintf)\|(?:candi\|ubst)r\|y(?:mlink\|slog)\|o(?:undex\|rt)\|leep\|rand\|qrt)\|f(?:ile(?:(?:siz\|typ)e\|owner\|pro)\|l(?:o(?:atval\|ck\|or)\|ush)\|(?:rea\|mo)d\|t(?:ell\|ok)\|unction\|close\|gets\|stat\|eof)\|c(?:h(?:o(?:wn\|p)\|eckdate\|root\|dir\|mod)\|o(?:(?:(?:nsta\|u)n\|mpac)t\|sh?\|py)\|lose(?:dir\|log)\|(?:urren\|ryp)t\|eil)\|e(?:x(?:(?:trac\|i)t\|p(?:lode)?)\|a(?:ster_da(?:te\|ys)\|ch)\|r(?:ror_log\|egi?)\|mpty\|cho\|nd)\|l(?:o(?:g(?:1[0p])?\|caltime)\|i(?:nk(?:info)?\|st)\|(?:cfirs\|sta)t\|evenshtein\|trim)\|d(?:i(?:(?:skfreespac)?e\|r(?:name)?)\|e(?:fined?\|coct)\|(?:oubleva)?l\|ate)\|r(?:e(?:(?:quir\|cod\|nam)e\|adlin[ek]\|wind\|set)\|an(?:ge\|d)\|ound\|sort\|trim)\|m(?:b(?:split\|ereg)\|i(?:crotime\|n)\|a(?:i[ln]\|x)\|etaphone\|y?sql\|hash)\|u(?:n(?:(?:tain\|se)t\|iqid\|link)\|s(?:leep\|ort)\|cfirst\|mask)\|a(?:s(?:(?:se\|o)rt\|inh?)\|r(?:sort\|ray)\|tan[2h]?\|cosh?\|bs)\|t(?:e(?:xtdomain\|mpnam)\|a(?:int\|nh?)\|ouch\|ime\|rim)\|h(?:e(?:ader(?:s_(?:lis\|sen)t)?\|brev)\|ypot\|ash)\|p(?:a(?:thinfo\|ck)\|r(?:intf?\|ev)\|close\|o[sw]\|i)\|g(?:et(?:t(?:ext\|ype)\|date)\|mdate)\|o(?:penlog\|ctdec\|rd)\|b(?:asename\|indec)\|n(?:atsor\|ex)t\|k(?:sort\|ey)\|quotemeta\|wordwrap\|virtual\|join)(?:\s\|/\.\/\|//.\|#.)$.*$" \ "id:933161, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,\ msg:'PHP Injection Attack: Low-Value PHP Function Call Found',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-php',\ tag:'platform-multi',\ tag:'attack-injection-php',\ tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\ tag:'OWASP_TOP_10/A1',\ tag:'paranoia-level/3',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}'"

Rule was not formed correctly

ModSecurity Rule ID	910100
Error	Failed to create valid payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
Rule content	SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \ "id:910100, deny, nolog,\ phase:2,\ block,\ t:none,\ msg:'Client IP is from a HIGH Risk Country Location.',\ logdata:'%{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-reputation-ip',\ severity:'CRITICAL',\ chain"

Rule was not formed correctly

ModSecurity Rule ID	0
Error	Failed to create valid payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
Rule content	SecRule TX:httpbl_msg "@rx RBL lookup of .?.dnsbl.httpbl.org succeeded at TX:checkip. (.?): .*" \ "capture,\ t:none,\ setvar:'tx.httpbl_msg=%{tx.1}'"

Rule was not formed correctly

ModSecurity Rule ID	0
Error	Failed to create valid payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
Rule content	SecRule TX:httpbl_msg "@rx Search Engine" \ "setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}',\ setvar:'ip.reput_block_flag=1',\ setvar:'ip.reput_block_reason=%{rule.msg}',\ setvar:'ip.previous_rbl_check=1',\ expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\ expirevar:'ip.previous_rbl_check=86400'"

Rule was not formed correctly

ModSecurity Rule ID	0
Error	Failed to create valid payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
Rule content	SecRule TX:httpbl_msg "@rx (?i)^.? spammer .?$" \ "setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}',\ setvar:'ip.reput_block_flag=1',\ setvar:'ip.reput_block_reason=%{rule.msg}',\ setvar:'ip.previous_rbl_check=1',\ expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\ expirevar:'ip.previous_rbl_check=86400'"

Rule was not formed correctly

ModSecurity Rule ID	0
Error	Failed to create valid payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
Rule content	SecRule TX:httpbl_msg "@rx (?i)^.? suspicious .?$" \ "setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}',\ setvar:'ip.reput_block_flag=1',\ setvar:'ip.reput_block_reason=%{rule.msg}',\ setvar:'ip.previous_rbl_check=1',\ expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\ expirevar:'ip.previous_rbl_check=86400'"

Rule was not formed correctly

ModSecurity Rule ID	0
Error	Failed to create valid payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
Rule content	SecRule TX:httpbl_msg "@rx (?i)^.? harvester .?$" \ "setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}',\ setvar:'ip.reput_block_flag=1',\ setvar:'ip.reput_block_reason=%{rule.msg}',\ setvar:'ip.previous_rbl_check=1',\ expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\ expirevar:'ip.previous_rbl_check=86400'"

Rule was not formed correctly

ModSecurity Rule ID	920120
Error	Failed to create valid payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule FILES_NAMES\|FILES "@rx (?<!&(?:[aAoOuUyY]uml)\|&(?:[aAeEiIoOuU]circ)\|&(?:[eEiIoOuUyY]acute)\|&(?:[aAeEiIoOuU]grave)\|&(?:[cC]cedil)\|&(?:[aAnNoO]tilde)\|&(?:amp)\|&(?:apos));\|['\"=]" \ "id:920120, deny, nolog,\ phase:2,\ block,\ t:none,t:urlDecodeUni,\ msg:'Attempted multipart/form-data bypass',\ logdata:'%{matched_var}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\ tag:'CAPEC-272',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"

Rule was not formed correctly

ModSecurity Rule ID	0
Error	Failed to create valid payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" \ "t:none,\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"

Rule was not formed correctly

ModSecurity Rule ID	0
Error	Failed to create valid payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule REQUEST_BODY\|XML:/* "@rx \%((?!$\|\W)\|[0-9a-fA-F]{2}\|u[0-9a-fA-F]{4})" \ "chain"

Rule was not formed correctly

ModSecurity Rule ID	0
Error	Failed to create valid payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \ "chain"

Rule was not formed correctly

ModSecurity Rule ID	0
Error	Failed to create valid payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \ "chain"

Rule was not formed correctly

ModSecurity Rule ID	0
Error	Failed to create valid payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule TX:0 "!@rx ^%{tx.allowed_request_content_type}$" \ "t:none,\ ctl:forceRequestBodyVariable=On,\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}'"

Rule was not formed correctly

ModSecurity Rule ID	0
Error	Failed to create valid payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule TX:1 "!@rx ^%{tx.allowed_request_content_type_charset}$" \ "t:none,\ ctl:forceRequestBodyVariable=On,\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/CONTENT_TYPE_CHARSET-%{matched_var_name}=%{matched_var}'"

Rule was not formed correctly

ModSecurity Rule ID	0
Error	Failed to create valid payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule REQUEST_HEADERS:Range\|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?\-(?:\d+)?\s,?\s){63}" \ "setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"

Rule was not formed correctly

ModSecurity Rule ID	0
Error	Failed to create valid payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \ "chain"

Rule was not formed correctly

ModSecurity Rule ID	0
Error	Failed to create valid payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule REQUEST_HEADERS:Range\|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?\-(?:\d+)?\s,?\s){6}" \ "setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"

Rule was not formed correctly

ModSecurity Rule ID	920460
Error	Failed to create valid payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule REQUEST_URI\|REQUEST_HEADERS\|ARGS\|ARGS_NAMES "@rx (?<!\Q\\\E)\Q\\\E[cdeghijklmpqwxyz123456789]" \ "id:920460, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\ log,\ msg:'Abnormal character escapes in request',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'paranoia-level/4',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/ABNORMAL-ESCAPE-%{matched_var_name}=%{matched_var}'"

Rule was not formed correctly

ModSecurity Rule ID	0
Error	Failed to create valid payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Rule content	SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \ "capture,\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HTTP_PARAMETER_POLLUTION-%{matched_var_name}=%{tx.0}'"

Rule was not formed correctly

ModSecurity Rule ID	942130
Error	Failed to create valid payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Rule content	SecRule ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:([\s'\"`]?)([\d\w]++)([\s'\"`]?)(?:<(?:=(?:([\s'\"`]?)(?!\2)([\d\w]+)\|>([\s'\"`]?)(?:\2))\|>?([\s'\"`]?)(?!\2)([\d\w]+))\|(?:not\s+(?:regexp\|like)\|is\s+not\|>=?\|!=\|\^)([\s'\"`]?)(?!\2)([\d\w]+)\|(?:(?:sounds\s+)?like\|r(?:egexp\|like)\|=)([\s'\"`]*?)(?:\2)))" \ "id:942130, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:replaceComments,\ msg:'SQL Injection Attack: SQL Tautology Detected.',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ multiMatch,\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}'"

Rule was not formed correctly

ModSecurity Rule ID	0
Error	Failed to create valid payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Rule content	SecRule MATCHED_VARS "@rx (?i)\b(?:c(?:o(?:n(?:v(?:ert(?:_tz)?)?\|cat(?:_ws)?\|nection_id)\|(?:mpres)?s\|ercibility\|(?:un)?t\|llation\|alesce)\|ur(?:rent_(?:time(?:stamp)?\|date\|user)\|(?:dat\|tim)e)\|h(?:ar(?:(?:acter)?_length\|set)?\|r)\|iel(?:ing)?\|ast\|r32)\|s(?:u(?:b(?:str(?:ing(?:_index)?)?\|(?:dat\|tim)e)\|m)\|t(?:d(?:dev_(?:sam\|po)p)?\|r(?:_to_date\|cmp))\|e(?:c(?:_to_time\|ond)\|ssion_user)\|ys(?:tem_user\|date)\|ha[12]?\|oundex\|chema\|ig?n\|leep\|pace\|qrt)\|i(?:s(?:_(?:ipv(?:4(?:_(?:compat\|mapped))?\|6)\|n(?:ot(?:_null)?\|ull)\|(?:free\|used)_lock)\|null)\|n(?:et(?:6_(?:aton\|ntoa)\|_(?:aton\|ntoa))\|s(?:ert\|tr)\|terval)?\|f(?:null)?)\|d(?:a(?:t(?:e(?:_(?:format\|add\|sub)\|diff)?\|abase)\|y(?:of(?:month\|week\|year)\|name)?)\|e(?:(?:s_(?:de\|en)cryp\|faul)t\|grees\|code)\|count\|ump)\|l(?:o(?:ca(?:l(?:timestamp)?\|te)\|g(?:10\|2)?\|ad_file\|wer)\|ast(?:_(?:inser_id\|day))?\|e(?:(?:as\|f)t\|ngth)\|case\|trim\|pad\|n)\|u(?:n(?:compress(?:ed_length)?\|ix_timestamp\|hex)\|tc_(?:time(?:stamp)?\|date)\|p(?:datexml\|per)\|uid(?:_short)?\|case\|ser)\|t(?:ime(?:_(?:format\|to_sec)\|stamp(?:diff\|add)?\|diff)?\|o(?:(?:second\|day)s\|_base64\|n?char)\|r(?:uncate\|im)\|an)\|m(?:a(?:ke(?:_set\|date)\|ster_pos_wait\|x)\|i(?:(?:crosecon)?d\|n(?:ute)?)\|o(?:nth(?:name)?\|d)\|d5)\|r(?:e(?:p(?:lace\|eat)\|lease_lock\|verse)\|a(?:wtohex\|dians\|nd)\|o(?:w_count\|und)\|ight\|trim\|pad)\|f(?:i(?:eld(?:_in_set)?\|nd_in_set)\|rom_(?:unixtime\|base64\|days)\|o(?:und_rows\|rmat)\|loor)\|p(?:o(?:w(?:er)?\|sition)\|eriod_(?:diff\|add)\|rocedure_analyse\|assword\|g_sleep\|i)\|a(?:s(?:cii(?:str)?\|in)\|es_(?:de\|en)crypt\|dd(?:dat\|tim)e\|(?:co\|b)s\|tan2?\|vg)\|b(?:i(?:t_(?:length\|count\|x?or\|and)\|n(?:_to_num)?)\|enchmark)\|e(?:x(?:tract(?:value)?\|p(?:ort_set)?)\|nc(?:rypt\|ode)\|lt)\|g(?:r(?:oup_conca\|eates)t\|et_(?:format\|lock))\|v(?:a(?:r(?:_(?:sam\|po)p\|iance)\|lues)\|ersion)\|o(?:(?:ld_passwo)?rd\|ct(?:et_length)?)\|we(?:ek(?:ofyear\|day)?\|ight_string)\|n(?:o(?:t_in\|w)\|ame_const\|ullif)\|h(?:ex(?:toraw)?\|our)\|qu(?:arter\|ote)\|year(?:week)?\|xmltype)\W*\(" \ "setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}'"

Rule was not formed correctly

ModSecurity Rule ID	0
Error	Failed to create valid payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Rule content	SecRule REQUEST_HEADERS:Referer "@rx ^(?:ht\|f)tps?://(.*?)\/" \ "capture,\ chain"

Rule was not formed correctly

ModSecurity Rule ID	0
Error	Failed to create valid payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Rule content	SecRule ARGS\|ARGS_NAMES\|REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|REQUEST_BODY\|REQUEST_HEADERS\|XML:/\|XML://@ "@rx (?:unmarshaller\|base64data\|java\.)" \ "setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'"

Rule was not formed correctly

ModSecurity Rule ID	0
Error	Failed to create valid payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Rule content	SecRule MATCHED_VARS "@rx (?:runtime\|processbuilder)" \ "t:none,t:lowercase,\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'"

Rule was not formed correctly

ModSecurity Rule ID	0
Error	Failed to create valid payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Rule content	SecRule MATCHED_VARS "@rx (?:runtime\|processbuilder\|clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder)" \ "t:base64Decode,t:lowercase,\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'"

Rule was not formed correctly

ModSecurity Rule ID	944250
Error	Failed to create valid payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Rule content	SecRule ARGS\|ARGS_NAMES\|REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|REQUEST_BODY\|REQUEST_HEADERS\|XML:/\|XML://@ \ "@rx java\b.+(?:runtime\|processbuilder)" \ "id:944250, deny, nolog,\ phase:2,\ block,\ log,\ msg:'Remote Command Execution: Suspicious Java method detected',\ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ t:lowercase,\ tag:'application-multi',\ tag:'language-java',\ tag:'platform-multi',\ tag:'attack-rce',\ tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ tag:'WASCTC/WASC-31',\ tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'"

Rule was not formed correctly

ModSecurity Rule ID	920340
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \ "id:920340, deny, nolog,\ phase:2,\ pass,\ t:none,\ msg:'Request Containing Content, but Missing Content-Type header',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ ver:'OWASP_CRS/3.1.0',\ severity:'NOTICE',\ chain"

Rule was not formed correctly

ModSecurity Rule ID	941250
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:<META[\s/+].?http-equiv[\s/+]=[\s/+][\"\'`]?(((c\|(&#x?0((67)\|(43)\|(99)\|(63));?)))\|((r\|(&#x?0((82)\|(52)\|(114)\|(72));?)))\|((s\|(&#x?0((83)\|(53)\|(115)\|(73));?)))))" \ "id:941250, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'IE XSS Filters - Attack Detected.',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"

Rule was not formed correctly

ModSecurity Rule ID	920160
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \ "id:920160, deny, nolog,\ phase:1,\ block,\ t:none,\ msg:'Content-Length HTTP header is not numeric.',\ logdata:'%{matched_var}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\ tag:'CAPEC-272',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"

Rule was not formed correctly

ModSecurity Rule ID	941220
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(v\|(&#x?0((86)\|(56)\|(118)\|(76));?))([\t]\|(&((#x?0(9\|(13)\|(10)\|A\|D);?)\|(tab;)\|(newline;))))(b\|(&#x?0((66)\|(42)\|(98)\|(62));?))([\t]\|(&((#x?0(9\|(13)\|(10)\|A\|D);?)\|(tab;)\|(newline;))))(s\|(&#x?0((83)\|(53)\|(115)\|(73));?))([\t]\|(&((#x?0(9\|(13)\|(10)\|A\|D);?)\|(tab;)\|(newline;))))(c\|(&#x?0((67)\|(43)\|(99)\|(63));?))([\t]\|(&((#x?0(9\|(13)\|(10)\|A\|D);?)\|(tab;)\|(newline;))))(r\|(&#x?0((82)\|(52)\|(114)\|(72));?))([\t]\|(&((#x?0(9\|(13)\|(10)\|A\|D);?)\|(tab;)\|(newline;))))(i\|(&#x?0((73)\|(49)\|(105)\|(69));?))([\t]\|(&((#x?0(9\|(13)\|(10)\|A\|D);?)\|(tab;)\|(newline;))))(p\|(&#x?0((80)\|(50)\|(112)\|(70));?))([\t]\|(&((#x?0(9\|(13)\|(10)\|A\|D);?)\|(tab;)\|(newline;))))(t\|(&#x?0((84)\|(54)\|(116)\|(74));?))([\t]\|(&((#x?0(9\|(13)\|(10)\|A\|D);?)\|(tab;)\|(newline;))))(:\|(&((#x?0*((58)\|(3A));?)\|(colon;)))).)" \ "id:941220, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'IE XSS Filters - Attack Detected.',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"

Rule was not formed correctly

ModSecurity Rule ID	941210
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:(j\|(&#x?0((74)\|(4A)\|(106)\|(6A));?))([\t]\|(&((#x?0(9\|(13)\|(10)\|A\|D);?)\|(tab;)\|(newline;))))(a\|(&#x?0((65)\|(41)\|(97)\|(61));?))([\t]\|(&((#x?0(9\|(13)\|(10)\|A\|D);?)\|(tab;)\|(newline;))))(v\|(&#x?0((86)\|(56)\|(118)\|(76));?))([\t]\|(&((#x?0(9\|(13)\|(10)\|A\|D);?)\|(tab;)\|(newline;))))(a\|(&#x?0((65)\|(41)\|(97)\|(61));?))([\t]\|(&((#x?0(9\|(13)\|(10)\|A\|D);?)\|(tab;)\|(newline;))))(s\|(&#x?0((83)\|(53)\|(115)\|(73));?))([\t]\|(&((#x?0(9\|(13)\|(10)\|A\|D);?)\|(tab;)\|(newline;))))(c\|(&#x?0((67)\|(43)\|(99)\|(63));?))([\t]\|(&((#x?0(9\|(13)\|(10)\|A\|D);?)\|(tab;)\|(newline;))))(r\|(&#x?0((82)\|(52)\|(114)\|(72));?))([\t]\|(&((#x?0(9\|(13)\|(10)\|A\|D);?)\|(tab;)\|(newline;))))(i\|(&#x?0((73)\|(49)\|(105)\|(69));?))([\t]\|(&((#x?0(9\|(13)\|(10)\|A\|D);?)\|(tab;)\|(newline;))))(p\|(&#x?0((80)\|(50)\|(112)\|(70));?))([\t]\|(&((#x?0(9\|(13)\|(10)\|A\|D);?)\|(tab;)\|(newline;))))(t\|(&#x?0((84)\|(54)\|(116)\|(74));?))([\t]\|(&((#x?0(9\|(13)\|(10)\|A\|D);?)\|(tab;)\|(newline;))))(:\|(&((#x?0*((58)\|(3A));?)\|(colon;)))).)" \ "id:941210, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'IE XSS Filters - Attack Detected.',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"

Rule was not formed correctly

ModSecurity Rule ID	920330
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \ "id:920330, deny, nolog,\ phase:2,\ pass,\ t:none,\ msg:'Empty User Agent Header',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS/PROTOCOL_VIOLATION/EMPTY_HEADER_UA',\ ver:'OWASP_CRS/3.1.0',\ severity:'NOTICE',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.anomaly_score_pl1=+%{tx.notice_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}'"

Rule was not formed correctly

ModSecurity Rule ID	941160
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|REQUEST_HEADERS:User-Agent\|REQUEST_HEADERS:Referer\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i)<[^\w<>](?:[^<>\"'\s]:)?[^\w<>](?:\W?s\W?c\W?r\W?i\W?p\W?t\|\W?f\W?o\W?r\W?m\|\W?s\W?t\W?y\W?l\W?e\|\W?s\W?v\W?g\|\W?m\W?a\W?r\W?q\W?u\W?e\W?e\|(?:\W?l\W?i\W?n\W?k\|\W?o\W?b\W?j\W?e\W?c\W?t\|\W?e\W?m\W?b\W?e\W?d\|\W?a\W?p\W?p\W?l\W?e\W?t\|\W?p\W?a\W?r\W?a\W?m\|\W?i?\W?f\W?r\W?a\W?m\W?e\|\W?b\W?a\W?s\W?e\|\W?b\W?o\W?d\W?y\|\W?m\W?e\W?t\W?a\|\W?i\W?m\W?a?\W?g\W?e?\|\W?v\W?i\W?d\W?e\W?o\|\W?a\W?u\W?d\W?i\W?o\|\W?b\W?i\W?n\W?d\W?i\W?n\W?g\W?s\|\W?s\W?e\W?t\|\W?a\W?n\W?i\W?m\W?a\W?t\W?e)[^>\w])\|(?:<\w[\s\S][\s\/]\|['\"](?:[\s\S][\s\/])?)(?:formaction\|style\|background\|src\|lowsrc\|ping\|on(?:d(?:e(?:vice(?:(?:orienta\|mo)tion\|proximity\|found\|light)\|livery(?:success\|error)\|activate)\|r(?:ag(?:e(?:n(?:ter\|d)\|xit)\|(?:gestur\|leav)e\|start\|drop\|over)?\|op)\|i(?:s(?:c(?:hargingtimechange\|onnect(?:ing\|ed))\|abled)\|aling)\|ata(?:setc(?:omplete\|hanged)\|(?:availabl\|chang)e\|error)\|urationchange\|ownloading\|blclick)\|Moz(?:M(?:agnifyGesture(?:Update\|Start)?\|ouse(?:PixelScroll\|Hittest))\|S(?:wipeGesture(?:Update\|Start\|End)?\|crolledAreaChanged)\|(?:(?:Press)?TapGestur\|BeforeResiz)e\|EdgeUI(?:C(?:omplet\|ancel)\|Start)ed\|RotateGesture(?:Update\|Start)?\|A(?:udioAvailable\|fterPaint))\|c(?:o(?:m(?:p(?:osition(?:update\|start\|end)\|lete)\|mand(?:update)?)\|n(?:t(?:rolselect\|extmenu)\|nect(?:ing\|ed))\|py)\|a(?:(?:llschang\|ch)ed\|nplay(?:through)?\|rdstatechange)\|h(?:(?:arging(?:time)?ch)?ange\|ecking)\|(?:fstate\|ell)change\|u(?:echange\|t)\|l(?:ick\|ose))\|m(?:o(?:z(?:pointerlock(?:change\|error)\|(?:orientation\|time)change\|fullscreen(?:change\|error)\|network(?:down\|up)load)\|use(?:(?:lea\|mo)ve\|o(?:ver\|ut)\|enter\|wheel\|down\|up)\|ve(?:start\|end)?)\|essage\|ark)\|s(?:t(?:a(?:t(?:uschanged\|echange)\|lled\|rt)\|k(?:sessione\|comma)nd\|op)\|e(?:ek(?:complete\|ing\|ed)\|(?:lec(?:tstar)?)?t\|n(?:ding\|t))\|u(?:ccess\|spend\|bmit)\|peech(?:start\|end)\|ound(?:start\|end)\|croll\|how)\|b(?:e(?:for(?:e(?:(?:scriptexecu\|activa)te\|u(?:nload\|pdate)\|p(?:aste\|rint)\|c(?:opy\|ut)\|editfocus)\|deactivate)\|gin(?:Event)?)\|oun(?:dary\|ce)\|l(?:ocked\|ur)\|roadcast\|usy)\|a(?:n(?:imation(?:iteration\|start\|end)\|tennastatechange)\|fter(?:(?:scriptexecu\|upda)te\|print)\|udio(?:process\|start\|end)\|d(?:apteradded\|dtrack)\|ctivate\|lerting\|bort)\|DOM(?:Node(?:Inserted(?:IntoDocument)?\|Removed(?:FromDocument)?)\|(?:CharacterData\|Subtree)Modified\|A(?:ttrModified\|ctivate)\|Focus(?:Out\|In)\|MouseScroll)\|r(?:e(?:s(?:u(?:m(?:ing\|e)\|lt)\|ize\|et)\|adystatechange\|pea(?:tEven)?t\|movetrack\|trieving\|ceived)\|ow(?:s(?:inserted\|delete)\|e(?:nter\|xit))\|atechange)\|p(?:op(?:up(?:hid(?:den\|ing)\|show(?:ing\|n))\|state)\|a(?:ge(?:hide\|show)\|(?:st\|us)e\|int)\|ro(?:pertychange\|gress)\|lay(?:ing)?)\|t(?:ouch(?:(?:lea\|mo)ve\|en(?:ter\|d)\|cancel\|start)\|ime(?:update\|out)\|ransitionend\|ext)\|u(?:s(?:erproximity\|sdreceived)\|p(?:gradeneeded\|dateready)\|n(?:derflow\|load))\|f(?:o(?:rm(?:change\|input)\|cus(?:out\|in)?)\|i(?:lterchange\|nish)\|ailed)\|l(?:o(?:ad(?:e(?:d(?:meta)?data\|nd)\|start)?\|secapture)\|evelchange\|y)\|g(?:amepad(?:(?:dis)?connected\|button(?:down\|up)\|axismove)\|et)\|e(?:n(?:d(?:Event\|ed)?\|abled\|ter)\|rror(?:update)?\|mptied\|xit)\|i(?:cc(?:cardlockerror\|infochange)\|n(?:coming\|valid\|put))\|o(?:(?:(?:ff\|n)lin\|bsolet)e\|verflow(?:changed)?\|pen)\|SVG(?:(?:Unl\|L)oad\|Resize\|Scroll\|Abort\|Error\|Zoom)\|h(?:e(?:adphoneschange\|l[dp])\|ashchange\|olding)\|v(?:o(?:lum\|ic)e\|ersion)change\|w(?:a(?:it\|rn)ing\|heel)\|key(?:press\|down\|up)\|(?:AppComman\|Loa)d\|no(?:update\|match)\|Request\|zoom))[\s\x08]?=" \ "id:941160, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'NoScript XSS InjectionChecker: HTML Injection',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"

Rule was not formed correctly

ModSecurity Rule ID	920310
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule REQUEST_HEADERS:Accept "@rx ^$" \ "id:920310, deny, nolog,\ phase:2,\ pass,\ t:none,\ msg:'Request Has an Empty Accept Header',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT',\ ver:'OWASP_CRS/3.1.0',\ severity:'NOTICE',\ chain"

Rule was not formed correctly

ModSecurity Rule ID	942421
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|!REQUEST_COOKIES:/_pk_ref/\|REQUEST_COOKIES_NAMES "@rx ((?:[~!@#\$%\^&\\-\+=\{\}\[\]\\|:;\"'´’‘`<>][^~!@#\$%\^&\\-\+=\{\}\[\]\\|:;\"'´’‘`<>]*?){3})" \ "id:942421, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)',\ logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/4',\ ver:'OWASP_CRS/3.1.0',\ severity:'WARNING',\ setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}'"

Rule was not formed correctly

ModSecurity Rule ID	943110
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Rule content	SecRule ARGS_NAMES "@rx ^(?:jsessionid\|aspsessionid\|asp\.net_sessionid\|phpsession\|phpsessid\|weblogicsession\|session_id\|session-id\|cfid\|cftoken\|cfsid\|jservsession\|jwsession)$" \ "id:943110, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:lowercase,\ msg:'Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-fixation',\ tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\ tag:'WASCTC/WASC-37',\ tag:'CAPEC-61',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ chain"

Rule was not formed correctly

ModSecurity Rule ID	941330
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|!REQUEST_COOKIES:/_pk_ref/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?i:[\"\'][ ](([^a-z0-9~_:\' ])\|(in)).?(((l\|(\\\\u006C))(o\|(\\\\u006F))(c\|(\\\\u0063))(a\|(\\\\u0061))(t\|(\\\\u0074))(i\|(\\\\u0069))(o\|(\\\\u006F))(n\|(\\\\u006E)))\|((n\|(\\\\u006E))(a\|(\\\\u0061))(m\|(\\\\u006D))(e\|(\\\\u0065)))\|((o\|(\\\\u006F))(n\|(\\\\u006E))(e\|(\\\\u0065))(r\|(\\\\u0072))(r\|(\\\\u0072))(o\|(\\\\u006F))(r\|(\\\\u0072)))\|((v\|(\\\\u0076))(a\|(\\\\u0061))(l\|(\\\\u006C))(u\|(\\\\u0075))(e\|(\\\\u0065))(O\|(\\\\u004F))(f\|(\\\\u0066)))).*?=)" \ "id:941330, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,\ msg:'IE XSS Filters - Attack Detected.',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A2',\ tag:'OWASP_AppSensor/IE1',\ tag:'PCI/6.5.1',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"

Rule was not formed correctly

ModSecurity Rule ID	941350
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Rule content	SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* "@rx (?:\+ADw\-\|\+AD4\-).(?:\+ADw\-\|\+AD4\-\|>)\|(?:\+ADw\-\|\+AD4\-\|<).(?:\+ADw\-\|\+AD4\-)" \ "id:941350, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\ msg:'UTF-7 Encoding IE XSS - Attack Detected.',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-internet-explorer',\ tag:'attack-xss',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"

Rule was not formed correctly

ModSecurity Rule ID	920311
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule REQUEST_HEADERS:Accept "@rx ^$" \ "id:920311, deny, nolog,\ phase:2,\ pass,\ t:none,\ msg:'Request Has an Empty Accept Header',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT',\ ver:'OWASP_CRS/3.1.0',\ severity:'NOTICE',\ chain"

Rule was not formed correctly

ModSecurity Rule ID	943120
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Rule content	SecRule ARGS_NAMES "@rx ^(?:jsessionid\|aspsessionid\|asp.net_sessionid\|phpsession\|phpsessid\|weblogicsession\|session_id\|session-id\|cfid\|cftoken\|cfsid\|jservsession\|jwsession)$" \ "id:943120, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:lowercase,\ msg:'Possible Session Fixation Attack: SessionID Parameter Name with No Referer',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-fixation',\ tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\ tag:'WASCTC/WASC-37',\ tag:'CAPEC-61',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ chain"

Rule was not formed correctly

ModSecurity Rule ID	944110
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Rule content	SecRule ARGS\|ARGS_NAMES\|REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|REQUEST_BODY\|REQUEST_HEADERS\|XML:/\|XML://@ \ "@rx (?:runtime\|processbuilder)" \ "id:944110, deny, nolog,\ phase:2,\ block,\ t:none,t:lowercase,\ log,\ msg:'Remote Command Execution: Java process spawn (CVE-2017-9805)',\ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-java',\ tag:'platform-multi',\ tag:'attack-rce',\ tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ tag:'WASCTC/WASC-31',\ tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/1',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ chain"

Rule was not formed correctly

ModSecurity Rule ID	944120
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Rule content	SecRule ARGS\|ARGS_NAMES\|REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|REQUEST_BODY\|REQUEST_HEADERS\|XML:/\|XML://@ \ "@rx (?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder)" \ "id:944120, deny, nolog,\ phase:2,\ block,\ t:none,t:lowercase,\ log,\ msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',\ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-java',\ tag:'platform-multi',\ tag:'attack-rce',\ tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ tag:'WASCTC/WASC-31',\ tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/1',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ chain"

Rule was not formed correctly

ModSecurity Rule ID	944200
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Rule content	SecRule ARGS\|ARGS_NAMES\|REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|REQUEST_BODY\|REQUEST_HEADERS\|XML:/\|XML://@ \ "@rx \xac\xed\x00\x05" \ "id:944200, deny, nolog,\ phase:2,\ block,\ log,\ msg:'Magic bytes Detected, probable java serialization in use',\ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-java',\ tag:'platform-multi',\ tag:'attack-rce',\ tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ tag:'WASCTC/WASC-31',\ tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'"

Rule was not formed correctly

ModSecurity Rule ID	944220
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Rule content	SecRule ARGS\|ARGS_NAMES\|REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|REQUEST_BODY\|REQUEST_HEADERS\|XML:/\|XML://@ \ "@rx [a-zA-Z0-9\-_]{45}(?:[a-zA-Z0-9\-_]{3})*(?:[a-zA-Z0-9\-_]{1}==\|[a-zA-Z0-9\-_]{2}=)?" \ "id:944220, deny, nolog,\ phase:2,\ block,\ log,\ msg:'Probable vulnerable java class in use',\ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-java',\ tag:'platform-multi',\ tag:'attack-rce',\ tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ tag:'WASCTC/WASC-31',\ tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ chain"

Rule was not formed correctly

ModSecurity Rule ID	920170
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule REQUEST_METHOD "@rx ^(?:GET\|HEAD)$" \ "id:920170, deny, nolog,\ phase:2,\ block,\ t:none,\ msg:'GET or HEAD Request with Body Content.',\ logdata:'%{matched_var}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\ tag:'CAPEC-272',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ chain"

Rule was not formed correctly

ModSecurity Rule ID	920180
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule REQUEST_METHOD "@rx ^POST$" \ "id:920180, deny, nolog,\ phase:2,\ block,\ t:none,\ msg:'POST without Content-Length or Transfer-Encoding headers.',\ logdata:'%{matched_var}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\ tag:'CAPEC-272',\ ver:'OWASP_CRS/3.1.0',\ severity:'WARNING',\ chain"

Rule was not formed correctly

ModSecurity Rule ID	920171
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule REQUEST_METHOD "@rx ^(?:GET\|HEAD)$" \ "id:920171, deny, nolog,\ phase:2,\ block,\ t:none,\ msg:'GET or HEAD Request with Transfer-Encoding.',\ logdata:'%{matched_var}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\ tag:'CAPEC-272',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ chain"

Rule was not formed correctly

ModSecurity Rule ID	920480
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule REQUEST_HEADERS:Content-Type "@rx charset\s=\s([^;\s]+)" \ "id:920480, deny, nolog,\ phase:1,\ block,\ t:none,t:lowercase,\ msg:'Request content type charset is not allowed by policy',\ logdata:'%{matched_var}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS/PROTOCOL_VIOLATION/CONTENT_TYPE_CHARSET',\ tag:'WASCTC/WASC-20',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/EE2',\ tag:'PCI/12.1',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ capture,\ chain"

Rule was not formed correctly

ModSecurity Rule ID	931130
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Rule content	SecRule ARGS "@rx ^(?i:file\|ftps?\|https?)://(.*)$" \ "id:931130, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-rfi',\ tag:'OWASP_CRS/WEB_ATTACK/RFI',\ tag:'paranoia-level/2',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.rfi_parameter_%{matched_var_name}=%{tx.1}',\ chain"

Rule was not formed correctly

ModSecurity Rule ID	920240
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule REQUEST_HEADERS:Content-Type "@rx ^(?:application\/x-www-form-urlencoded\|text\/xml)(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$" \ "id:920240, deny, nolog,\ phase:2,\ block,\ t:none,\ msg:'URL Encoding Abuse Attack Attempt',\ logdata:'%{matched_var}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\ ver:'OWASP_CRS/3.1.0',\ severity:'WARNING',\ chain"

Rule was not formed correctly

ModSecurity Rule ID	920470
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w\d/\.\-\+]+(?:\s?;\s?(?:boundary\|charset)\s?=\s?['\"\w\d_\-]+)?$" \ "id:920470, deny, nolog,\ phase:1,\ block,\ t:none,t:lowercase,\ msg:'Illegal Content-Type header',\ logdata:'%{matched_var}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS/PROTOCOL_VIOLATION/CONTENT_TYPE',\ tag:'WASCTC/WASC-20',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/EE2',\ tag:'PCI/12.1',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/CONTENT_TYPE-%{matched_var_name}=%{matched_var}'"

Rule was not formed correctly

ModSecurity Rule ID	920420
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \ "id:920420, deny, nolog,\ phase:2,\ block,\ t:none,\ msg:'Request content type is not allowed by policy',\ logdata:'%{matched_var}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED',\ tag:'WASCTC/WASC-20',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/EE2',\ tag:'PCI/12.1',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ capture,\ chain"

Rule was not formed correctly

ModSecurity Rule ID	920440
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule REQUEST_BASENAME "@rx \.(.*)$" \ "id:920440, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,\ msg:'URL file extension is restricted by policy',\ logdata:'%{TX.0}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS/POLICY/EXT_RESTRICTED',\ tag:'WASCTC/WASC-15',\ tag:'OWASP_TOP_10/A7',\ tag:'PCI/6.5.10',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.extension=.%{tx.1}/',\ chain"

Rule was not formed correctly

ModSecurity Rule ID	920450
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \ "id:920450, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:lowercase,\ msg:'HTTP header is restricted by policy (%{MATCHED_VAR})',\ logdata:' Restricted header detected: %{matched_var}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS/POLICY/HEADER_RESTRICTED',\ tag:'WASCTC/WASC-21',\ tag:'OWASP_TOP_10/A7',\ tag:'PCI/12.1',\ tag:'WASCTC/WASC-15',\ tag:'OWASP_TOP_10/A7',\ tag:'PCI/12.1',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.header_name_%{tx.0}=/%{tx.0}/',\ chain"

Rule was not formed correctly

ModSecurity Rule ID	920220
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule REQUEST_URI "@rx \%(?:(?!$\|\W)\|[0-9a-fA-F]{2}\|u[0-9a-fA-F]{4})" \ "id:920220, deny, nolog,\ phase:2,\ block,\ t:none,\ msg:'URL Encoding Abuse Attack Attempt',\ logdata:'%{matched_var}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\ ver:'OWASP_CRS/3.1.0',\ severity:'WARNING',\ chain"

Rule was not formed correctly

ModSecurity Rule ID	920200
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule REQUEST_HEADERS:Range\|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?\-(?:\d+)?\s,?\s){6}" \ "id:920200, deny, nolog,\ phase:2,\ block,\ t:none,\ msg:'Range: Too many fields (6 or more)',\ logdata:'%{matched_var}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.1.0',\ severity:'WARNING',\ chain"

Rule was not formed correctly

ModSecurity Rule ID	921170
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Rule content	SecRule ARGS_NAMES "@rx ." \ "id:921170, deny,\ phase:2,\ pass,\ nolog,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'paranoia-level/3',\ tag:'CAPEC-460',\ ver:'OWASP_CRS/3.1.0',\ setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"

Rule was not formed correctly

ModSecurity Rule ID	921150
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Rule content	SecRule ARGS_NAMES "@rx [\n\r]" \ "id:921150, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:htmlEntityDecode,\ msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}'"

Rule was not formed correctly

ModSecurity Rule ID	920100
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule REQUEST_LINE "!@rx ^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./](?::\d+)?)?/[^?#](?:\?[^#\s])?(?:#[\S])?\|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?\|options \)\s+[\w\./]+\|get /[^?#](?:\?[^#\s])?(?:#[\S])?)$" \ "id:920100, deny, nolog,\ phase:2,\ block,\ t:none,\ msg:'Invalid HTTP Request Line',\ logdata:'%{request_line}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\ tag:'CAPEC-272',\ ver:'OWASP_CRS/3.1.0',\ severity:'WARNING',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.anomaly_score_pl1=+%{tx.notice_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"

Rule was not formed correctly

ModSecurity Rule ID	920121
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule FILES_NAMES\|FILES "@rx ['\";=]" \ "id:920121, deny, nolog,\ phase:2,\ block,\ t:none,t:urlDecodeUni,\ msg:'Attempted multipart/form-data bypass',\ logdata:'%{matched_var}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\ tag:'CAPEC-272',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"

Rule was not formed correctly

ModSecurity Rule ID	920190
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule REQUEST_HEADERS:Range\|REQUEST_HEADERS:Request-Range "@rx (\d+)\-(\d+)\," \ "id:920190, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Range: Invalid Last Byte Value.',\ logdata:'%{matched_var}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\ ver:'OWASP_CRS/3.1.0',\ severity:'WARNING',\ chain"

Rule was not formed correctly

ModSecurity Rule ID	932190
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Rule content	SecRule ARGS\|XML:/* "@rx (?:/\|\\\\)(?:[\?\]+[a-z/\\\\]+\|[a-z/\\\\]+[\?\]+)" \ "id:932190, deny, nolog,\ phase:2,\ block,\ capture,\ t:none,t:urlDecode,t:urlDecodeUni,t:normalizePath,t:cmdLine,\ msg:'Remote Command Execution: Wildcard bypass technique attempt',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ tag:'WASCTC/WASC-31',\ tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ ctl:auditLogParts=+E,\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}'"

Rule was not formed correctly

ModSecurity Rule ID	920290
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule REQUEST_HEADERS:Host "@rx ^$" \ "id:920290, deny, nolog,\ phase:2,\ pass,\ t:none,\ msg:'Empty Host Header',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST',\ ver:'OWASP_CRS/3.1.0',\ severity:'WARNING',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}'"

Rule was not formed correctly

ModSecurity Rule ID	920341
Error	ModSecurity didn't blocked generated payload
From file	../../owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule content	SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \ "id:920341, deny, nolog,\ phase:2,\ block,\ t:none,\ msg:'Request Containing Content Requires Content-Type header',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ chain"