Your IP : 216.73.216.95
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:921011,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:921012,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ HTTP Request Smuggling ]=-
#
# [ Rule Logic ]
# This rule looks for a comma character in either the Content-Length or Transfer-Encoding
# request headers. This character would indicate that there were more than one request header
# with this same name. In these instances, Apache treats the data in a similar manner as
# multiple cookie values.
#
# [ References ]
# http://projects.webappsec.org/HTTP-Request-Smuggling
# http://article.gmane.org/gmane.comp.apache.mod-security.user/3299
#
SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," \
"msg:'HTTP Request Smuggling Attack.',\
phase:request,\
id:921100,\
rev:'2',\
ver:'OWASP_CRS/2.2.7',\
maturity:'9',\
accuracy:'9',\
severity:'CRITICAL',\
t:none,\
capture,\
block,\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING',\
tag:'WASCTC/WASC-26',\
tag:'OWASP_TOP_10/A1',\
tag:'PCI/6.5.2',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING-%{matched_var_name}=%{tx.0}"
#
# -=[ HTTP Request Smuggling ]=-
#
# [ Rule Logic ]
# This rule looks for a CR/LF character in combination with a HTTP / WEBDAV method name.
# This would point to an attempt to inject a 2nd request into the request, thus bypassing
# tests carried out on the primary request.
#
# [ References ]
# http://projects.webappsec.org/HTTP-Request-Smuggling
#
SecRule ARGS_NAMES|ARGS|XML:/* "(?:\n|\r)+(?:get|post|head|options|connect|put|delete|trace|propfind|propatch|mkcol|copy|move|lock|unlock)\s+" \
"msg:'HTTP Request Smuggling Attack',\
phase:request,\
id:921110,\
rev:'1',\
ver:'OWASP_CRS/3.0.0',\
maturity:'5',\
accuracy:'5',\
severity:'CRITICAL',\
capture,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
ctl:auditLogParts=+E,\
block,\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/REQUEST-SMUGGLING-%{matched_var_name}=%{tx.0}"
#
# -=[ HTTP Response Splitting ]=-
#
# [ Rule Logic ]
# These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters.
# These characters may cause problems if the data is returned in a respones header and
# may be interpreted by an intermediary proxy server and treated as two separate
# responses.
#
# [ References ]
# http://projects.webappsec.org/HTTP-Response-Splitting
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "[\r\n]\W*?(?:content-(type|length)|set-cookie|location):" \
"msg:'HTTP Response Splitting Attack',\
phase:request,\
id:921120,\
rev:'2',\
ver:'OWASP_CRS/2.2.7',\
maturity:'9',\
accuracy:'9',\
severity:'CRITICAL',\
t:none,t:urlDecodeUni,t:lowercase,\
capture,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
ctl:auditLogParts=+E,\
block,\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
"msg:'HTTP Response Splitting Attack',\
phase:request,\
id:921130,\
rev:'2',\
ver:'OWASP_CRS/2.2.7',\
maturity:'9',\
accuracy:'9',\
severity:'CRITICAL',\
capture,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
ctl:auditLogParts=+E,\
block,\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}"
#
# -=[ HTTP Header Injection ]=-
#
# [ Rule Logic ]
# These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters,
# on their own or in combination with header field names.
# These characters may cause problems if the data is returned in a respones header
# and interpreted by the client.
# The rules are similar to rules defending against the HTTP Request Splitting and
# Request Smuggling rules.
#
# [ References ]
# https://en.wikipedia.org/wiki/HTTP_header_injection
#
SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "(\n|\r)" \
"msg:'HTTP Header Injection Attack via headers',\
phase:request,\
id:921140,\
rev:'1',\
ver:'OWASP_CRS/3.0.0',\
maturity:'5',\
accuracy:'5',\
severity:'CRITICAL',\
capture,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
t:none,t:htmlEntityDecode,t:lowercase,\
ctl:auditLogParts=+E,\
block,\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}"
# Detect newlines in argument names.
# Checking for GET arguments has been moved to paranoia level 2 (921151)
# in order to mitigate possible false positives.
#
SecRule ARGS_NAMES "(\n|\r)" \
"msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
phase:request,\
id:921150,\
rev:'1',\
ver:'OWASP_CRS/3.0.0',\
maturity:'5',\
accuracy:'5',\
severity:'CRITICAL',\
capture,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
t:none,t:urlDecodeUni,t:htmlEntityDecode,\
ctl:auditLogParts=+E,\
block,\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS_NAMES|ARGS|XML:/* "(?:\n|\r)+(?:\s+|location|refresh|(?:set-)?cookie|(X-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\s*:" \
"msg:'HTTP Header Injection Attack via payload (CR/LF and header-name detected)',\
phase:request,\
id:921160,\
rev:'1',\
ver:'OWASP_CRS/3.0.0',\
maturity:'5',\
accuracy:'5',\
severity:'CRITICAL',\
capture,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
ctl:auditLogParts=+E,\
block,\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:921013,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:921014,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
#
# Detect newlines in GET argument values.
# These may point to a HTTP header injection attack, but can also sometimes
# occur in benign query parameters.
#
# See also: rule 921140, 921150
#
SecRule ARGS_GET "(\n|\r)" \
"msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
phase:request,\
id:921151,\
rev:'1',\
ver:'OWASP_CRS/3.0.0',\
maturity:'5',\
accuracy:'5',\
severity:'CRITICAL',\
capture,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/2',\
t:none,t:urlDecodeUni,t:htmlEntityDecode,\
ctl:auditLogParts=+E,\
block,\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:921015,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:921016,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
#
#
# -=[ HTTP Parameter Polution ]=-
#
# [ Rule Logic ]
# These rules look for multiple parameters with the same name.
# 921170 counts the occurrences of the individual parameters.
# 921180 checks if any counter is > 1.
#
# One HPP attack vector is to try evade signature filters by distributing the
# attack payload across multiple parameters with the same name.
# This works as many security devices only apply signatures to individual
# parameter payloads, however the back-end web application may (in the case
# of ASP.NET) consolidate all of the payloads into one thus making the
# attack payload active.
#
# [ References ]
# http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html
# https://capec.mitre.org/data/definitions/460.html
#
SecRule ARGS_NAMES "." \
"phase:request,\
id:921170,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
pass,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/3',\
tag:'CAPEC-460',\
setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
SecRule TX:/paramcounter_.*/ "@gt 1" \
"msg:'HTTP Parameter Pollution (%{TX.1})',\
chain,\
phase:request,\
id:921180,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'7',\
accuracy:'8',\
severity:'CRITICAL',\
pass,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/3',\
tag:'CAPEC-460',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecRule MATCHED_VARS_NAMES "TX:paramcounter_(.*)" \
"capture,\
setvar:tx.msg=%{rule.msg},\
setvar:tx.http_violation_score=+%{tx.critical_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HTTP_PARAMETER_POLLUTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:921017,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:921018,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-921-PROTOCOL-ATTACK"